What are the AV vendors doing???
Global Rank: 172
Totalscore: 115513
Posts: 166
Thanks: 164
UpVotes: 121
Registered: 16y 272d
Last Seen: 1y 83d
The User is Offline
What are the AV vendors doing???
Feb 28, 2009 - 15:12:38 (15y 270d)
Feb 28, 2009 - 15:12:38 (15y 270d)
Here you can see 2 virustotal links (they are safe to visit):
Virustotal - sinowal
It is a variant of a well known malware, Sinowal (Torpig, Mebroot). It is developed by the Russian Business Network, for pure evil purposes: steal credit card and netbank login information. 18% of the AV vendors detected it at the time of scanning. There is no day without a new variant of Sinowal. The question is: For what do I pay if I buy any of the well known AV solutions???
And the second:
Virustotal - meterpreter
It is a super-trojan in my point of view. It is open source, you can customize for your purposes, and can do almost anything you want. And hey, it is part of the metasploit project, called meterpreter. Results: 7.69% detection rate.
And yes, I use Linux and OSX on a timely basis, but I have to use Windows for my daily job as well. And you know what? I'm really scared...
Virustotal - sinowal
It is a variant of a well known malware, Sinowal (Torpig, Mebroot). It is developed by the Russian Business Network, for pure evil purposes: steal credit card and netbank login information. 18% of the AV vendors detected it at the time of scanning. There is no day without a new variant of Sinowal. The question is: For what do I pay if I buy any of the well known AV solutions???
And the second:
Virustotal - meterpreter
It is a super-trojan in my point of view. It is open source, you can customize for your purposes, and can do almost anything you want. And hey, it is part of the metasploit project, called meterpreter. Results: 7.69% detection rate.
And yes, I use Linux and OSX on a timely basis, but I have to use Windows for my daily job as well. And you know what? I'm really scared...
Global Rank: 4601
Totalscore: 3765
Posts: 5
Thanks: 4
UpVotes: 1
Registered: 16y 280d
Last Seen: 15y 64d
The User is Offline
What are the AV vendors doing???
Mar 22, 2009 - 11:05:52 (15y 248d)
Mar 22, 2009 - 11:05:52 (15y 248d)
Hey Z,
I understand your worries concerning Mebroot variants,
but since Meterpreter is only a tool for creating scripts AVers can't take the signature from the tool (or maybe as an "hacktool", best they can do) or it will only be detected on the hackers boxen, to be effective they have to take a signature from the generated scripts that is present on the hacked machine, pain in the arse since you do what you want as script.
Add to this that AV mainly detect a malware from signature than from behaviour...they don't have it ? they don't see it. 8)
I understand your worries concerning Mebroot variants,
but since Meterpreter is only a tool for creating scripts AVers can't take the signature from the tool (or maybe as an "hacktool", best they can do) or it will only be detected on the hackers boxen, to be effective they have to take a signature from the generated scripts that is present on the hacked machine, pain in the arse since you do what you want as script.
Add to this that AV mainly detect a malware from signature than from behaviour...they don't have it ? they don't see it. 8)
Global Rank: 172
Totalscore: 115513
Posts: 166
Thanks: 164
UpVotes: 121
Registered: 16y 272d
Last Seen: 1y 83d
The User is Offline
What are the AV vendors doing???
Mar 22, 2009 - 11:42:33 (15y 248d)
Mar 22, 2009 - 11:42:33 (15y 248d)
The second executable, which I called meterpreter, was not the tool to create the malware/trojan, but it was the trojan payload itself. And yes, signature based scanning is dead, but that is the point of my question: if it is dead, why dont they do their job well? I dont care if they run the malware in 60 simulated environment in order to detect whether it is harmful or not, but do their job: protect the users against malware. Nowadays AV tests like with words 100% makes me cry...
Global Rank: 4601
Totalscore: 3765
Posts: 5
Thanks: 4
UpVotes: 1
Registered: 16y 280d
Last Seen: 15y 64d
The User is Offline
What are the AV vendors doing???
Mar 22, 2009 - 14:36:01 (15y 248d)
Mar 22, 2009 - 14:36:01 (15y 248d)
Well it's entirely a business and economic model question... Efficiently stopping a malware doesn't help selling AV, pumping up detection rates does. The real question is, is it intentional. Imho VXers are doing a far better job all things considered than AVers: messing with winternals while staying stealth is a bit more complicated than detecting false positives once a day to catch users attention, slowing a system by checking sig updates in antarctic and simply deleting whats considered as "malicious"..but the latter ones are the good guys, aren't they ?
Last edited by Silkut - Mar 22, 2009 - 14:37:15
Silkut, tunelko, quangntenemy, TheHiveMind, Z, balicocat, Ge0, samuraiblanco, arraez, jcquinterov, hophuocthinh, alfamen2, burhanudinn123, Ben_Dover, stephanduran89, braddie0, SwolloW, dangarbri, csuquvq have subscribed to this thread and receive emails on new posts.
1 people are watching the thread at the moment.
This thread has been viewed 3066 times.
1 people are watching the thread at the moment.
This thread has been viewed 3066 times.