flat assembler
Message board for the users of flat assembler.

Antivirus Heuristics
Enko
Joined: 03 Apr 2007
Posts: 678
Location: Mar del Plata
Did it happen to you that when you assemble your own file, the antivirus alerts you about a virus?


Try this code, but don't execute it unless you want to see an access violation.
I was trying to use ret as jmp but made some mistakes.
NOD detects Kriptic.BRB trojan.


Here is the minimized code that gets you the false virus alert.
Code:
start:
        stdcall myproc, 0, 0
        invoke  ExitProcess, 0
myproc:
        push    ebp
        mov     ebp, esp
        mov     DWORD [ebp + 4], myproc   ; [ebp+4] holds the return address, so ret goes to myproc
        pop     ebp
        ret


The details of the heuristic:
1) The first function call should be myproc.
2) pop ebp could be replaced with leave.
3) There should be an import table with any function, in the example ExitProcess, but it could be anything.


The result on the VirusTotal.com online scanner:

Code:
AntiVir        7.11.11.96      2011.07.13      TR/Crypt.XPACK.Gen
CAT-QuickHeal     11.00   2011.07.13      (Suspicious) - DNAScan
NOD32 6289    2011.07.13      a variant of Win32/Kryptik.BRB
TrendMicro    9.200.0.1012    2011.07.13      PAK_Generic.001
TrendMicro-HouseCall 9.200.0.1012    2011.07.13      PAK_Generic.001
    

Bitdefender, Kaspersky, Panda, McAfee and others didn't produce the false positive.


The false positives, I think, have got really, really bad. With just a few lines of code some of them report a false positive xD
Post 13 Jul 2011, 06:52
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17247
Location: In your JS exploiting you and your system
The problem is solved when you delete the AV. Razz
Post 13 Jul 2011, 07:44
vid
Verbosity in development
Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
Not that this is something new, or something likely to be solved, but post full code please.
Post 13 Jul 2011, 08:13
AsmGuru62
Joined: 28 Jan 2004
Posts: 1408
Location: Toronto, Canada
Some combination(s) of LINK options (entry point assignment, etc.) in the latest Visual Studio also does the same thing - the produced EXE will not run in the presence of a run-time check from AV.
Post 13 Jul 2011, 11:16
Coty
Joined: 17 May 2010
Posts: 546
Location: ␀
I don't have any AV, I have no need for one, I don't do anything 'bad' like download tons of pr0n or tons of torrents, I also don't explore many sites. So, I have no need for one. However sometimes I will use Malwarebytes to scan my disk for bogeys. Namely when I go to purchase something online. And I usually use Linux 87% of the time anyway...


Oh~ Who needs AV when you got !AV~ Smile
Post 13 Jul 2011, 12:02
Enko
Joined: 03 Apr 2007
Posts: 678
Location: Mar del Plata
Here is the full source. The false positive can be easily removed by adding a function call before the stdcall myproc.
Code:
format PE GUI
entry start
include '%fasminc%\win32a.inc'

section '.text' code readable writeable executable
start:
        ; adding an invoke here, false positive gone
        stdcall myproc, 0, 0

        invoke  ExitProcess, 0

myproc:
        push    ebp
        mov     ebp, esp
        mov     DWORD [ebp + 4], myproc   ; overwrites the saved return address with myproc itself
        pop     ebp
        ret

section '.idata' import data readable writeable

library kernel32, 'kernel32.dll',\
        user32,   'user32.dll',\
        msvcrt,   'msvcrt.dll'

include '%fasminc%\api\kernel32.inc'
include '%fasminc%\api\user32.inc'
include '%fasminc%\api\msvcrt.inc'
Post 13 Jul 2011, 12:46
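As an added illustration (not code from this thread or from any AV vendor), here is a small Python byte-pattern scanner that flags the instruction shape the first post describes: an immediate stored to [ebp+4], which is the caller's return address once `push ebp / mov ebp, esp` has run, followed directly by `pop ebp` or `leave` and `ret`. The input bytes are hand-assembled from FASM's encoding of the posted myproc; the image address 0x401010 is an assumed placeholder, and the rule is a constructed example of the kind of static heuristic that misfires on this code, not NOD32's actual logic.

```python
import struct

# Constructed test input: the bytes FASM emits for the posted myproc,
# assuming it is placed at image address 0x401010 (placeholder).
MYPROC_BASE = 0x401010
MYPROC_CODE = (
    b"\x55"            # push ebp
    b"\x89\xE5"        # mov ebp, esp
    b"\xC7\x45\x04"    # mov dword [ebp+4], imm32 ...
    + struct.pack("<I", MYPROC_BASE)   # ... imm32 = address of myproc
    + b"\x5D"          # pop ebp
    + b"\xC3"          # ret
)

# Constructed benign function: same prologue/epilogue, but it writes a local
# variable at [ebp-4], not the return address. Must not be flagged.
BENIGN_CODE = (
    b"\x55"                          # push ebp
    b"\x89\xE5"                      # mov ebp, esp
    b"\x83\xEC\x04"                  # sub esp, 4
    b"\xC7\x45\xFC\x00\x00\x00\x00"  # mov dword [ebp-4], 0
    b"\xC9"                          # leave
    b"\xC3"                          # ret
)

RET_ADDR_STORE = b"\xC7\x45\x04"              # mov dword [ebp+4], imm32
FRAME_TEARDOWNS = (b"\x5D\xC3", b"\xC9\xC3")  # pop ebp; ret   or   leave; ret

def find_return_address_overwrites(code: bytes, base: int) -> list:
    """Report each place where an immediate is stored over the saved return
    address and the function returns immediately afterwards. Each hit gives
    the offset, the value written, and whether it points back into this code.
    The scan is over raw bytes, not a disassembly, so it can also match inside
    data or across instruction boundaries; that is one reason such rules misfire."""
    hits = []
    # pattern is 3 opcode bytes + 4 immediate bytes + 2 teardown bytes = 9
    for off in range(len(code) - len(RET_ADDR_STORE) - 4 - 1):
        if code[off:off + 3] != RET_ADDR_STORE:
            continue
        target = struct.unpack_from("<I", code, off + 3)[0]
        if code[off + 7:off + 9] in FRAME_TEARDOWNS:
            hits.append({"offset": off, "target": target,
                         "self_targeting": base <= target < base + len(code)})
    return hits

if __name__ == "__main__":
    print("myproc:", find_return_address_overwrites(MYPROC_CODE, MYPROC_BASE))
    print("benign:", find_return_address_overwrites(BENIGN_CODE, 0x401000))
```

The posted myproc yields one hit whose target is its own address, which is exactly the "ret used as jmp into itself" the first post describes; the benign function yields none.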
rocketsoft
Joined: 26 Jan 2010
Posts: 189
My assembler also produces AV warnings ... so I deleted the AV
Post 13 Jul 2011, 16:44
Dex4u
Joined: 08 Feb 2005
Posts: 1601
Location: web
If you code a lot of low level stuff like OSDev, you also get problems from AV.
It's not a problem for me as I do not use AV.
But when given to other users, it's a problem.

Maybe we should all work together on an undetectable crypter, to save our programs from AV Laughing
Post 13 Jul 2011, 18:17
rocketsoft
Joined: 26 Jan 2010
Posts: 189
I have no intention of ever publishing my software... so it's not a problem for me
Post 13 Jul 2011, 18:28
Enko
Joined: 03 Apr 2007
Posts: 678
Location: Mar del Plata
Dex4u wrote:

Maybe we should all work together on an undetectable crypter, to save our programs from AV Laughing

I was thinking otherwise.

Make a program with so much "virus like code" that it will trigger 100% of the antiviruses out there, and the program wouldn't be a malware/virus.

seems like I will need to read about "malwarology" haha
Post 13 Jul 2011, 21:05
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
I was actually thinking of finding a common exploit in AVs. I'm still thinking right now. Very Happy
Post 13 Jul 2011, 22:51
Enko
Joined: 03 Apr 2007
Posts: 678
Location: Mar del Plata
typedef wrote:
I was actually thinking of finding a common exploit in AVs. I'm still thinking right now. Very Happy


If that is so, you can implement my idea too.


http://en.wikipedia.org/wiki/Misdirection_(magic)

You will have the 2 files in the folder, the real virus, and another file that looks like a very, very bad virus.

So the AV, if the misdirection works, will check only the misdirected file and not the real virus


Rolling Eyes
Post 13 Jul 2011, 23:06
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
Well, I don't have an AV right now
Post 13 Jul 2011, 23:27


Copyright © 1999-2020, Tomasz Grysztar.
