Symantec Antivirus reports mchInjDrv.sys as virus threat

Post by XanSama »

A temporary solution would be to modify the driver so it was no longer detected (usually just moving some code around, renaming some functions, and changing linker settings does the trick).
Post by madshi »

Yes, but that would require a recompilation of all software that uses madCodeHook... :?
Post by Markham »

XanSama wrote: A temporary solution would be to modify the driver so it was no longer detected (usually just moving some code around, renaming some functions, and changing linker settings does the trick).
That depends entirely on how it is being detected. If it's by its signature (i.e. a binary sequence of bytes), then yes, that approach would work but only for as long as it takes Symantec to update its definition files. But I suspect the driver has triggered some form of heuristic analysis in which case such an approach as moving code around probably won't work.


Mark
Symantec Security Risk Dispute Submission

Post by trafficlights7 »

Please everybody submit a review request to :
https://submit.symantec.com/security_risks/dispute/
Post by iconic »

AV detections usually crumble after you move around some code with equivalent instructions. 29A's Z0MBiE has written a code permutator to do just this; although mostly trojan/rootkit authors use it to avoid positive detections, it's a great tool to modify the binary form without the need to have access to the source code and recompile to get past detection. Madshi's approach of contacting them directly is much more professional of course, and the more of us that complain and try to petition the false positive on his injection driver the better.

Just my 2 cents.

--Iconic
Post by Arksole Hoax »

iconic wrote: AV detections usually crumble after you move around some code with equivalent instructions. 29A's Z0MBiE has written a code permutator to do just this; although mostly trojan/rootkit authors use it to avoid positive detections, it's a great tool to modify the binary form without the need to have access to the source code and recompile to get past detection. Madshi's approach of contacting them directly is much more professional of course, and the more of us that complain and try to petition the false positive on his injection driver the better.

Just my 2 cents.

--Iconic
There is the tool "Morphine" from holy_father, which does some scrambling too, although the freeware version gets picked up by all AVs.
Post by uall »

@Arksole Hoax

Every Morphine-crypted file is detected as a virus, because HolyFather is coding viruses. Therefore every normal (non-virus) program crypted with Morphine is detected as a virus.

I have created a simple exe crypter, which is not detected by AVs. And every crypted executable (virus, trojan etc.) is not detected anymore.

It's so easy to trick every AV. They are all that stupid ;>

Btw.: I have created a simple 'Unmorphine', so you can decrypt the Morphine-crypted files. Most AVs are doing that for packed files (like UPX).
Post by madshi »

I've read in another forum that the faulty detection was removed in the meanwhile. Can anybody confirm that? Unfortunately Norton/Symantec doesn't seem to work at all on my development PC, so I've a hard time testing it.
Post by Arksole Hoax »

@uall:

I'm thinking of crypting exes with "commercial" Morphine so it is extra protection against reverse engineering, maybe?

I sent a query to Symantec too, and everyone else should too.
I will now install Norton AV. Lemme check if it's still detected.
Post by uall »

If an executable is crypted with Morphine, a

PUSHFD
XOR EAX, EAX
JMP XXX

or something like this is at the beginning of the entry point (the decryption code).

Now they don't detect the crypted file. The AVs detect this PUSHFD... and know that this file is crypted with Morphine -> it's a virus. It doesn't matter if this is a normal program; if it's crypted with Morphine it's a virus for the AVs. The only problem is the detection of the encrypter inside the crypted file.
Maybe the commercial version of Morphine hasn't a PUSHFD on the entry point, or special flags inside the PE header.

So it's really easy coding a crypter which is not detected or making some virus AV-proof. This can be done by every script kiddie who has the source of a crypter or the source of a virus.

All AVs = bullshit. They all earn money, but every one of them knows that everything can be bypassed in some minutes. Only Kaspersky has said this in a statement; all other AV companies are still saying that their AV can't be bypassed easily.

Edit:

Example:
http://uall.overclock.ch/AntiVir.rar

Only 1 check. Nice!

And I have lots of examples, making Optix etc. AV-secure by changing the EIP only...
Last edited by uall on Mon Mar 27, 2006 10:10 am, edited 1 time in total.
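As an added defender-side illustration (not code from this thread or from any AV product): a small Python checker that locates a PE32 file's entry point and compares the first bytes there against the PUSHFD / XOR EAX,EAX / JMP stub described above. The byte pattern 9C 33 C0 E9 and the minimal PE produced by build_pe are constructed assumptions, not a real Morphine signature; the post's own observation, that an entry-point-anchored signature stops matching as soon as the entry point is moved, is exactly the limitation of this kind of check.

```python
import struct

# Constructed approximation of the entry stub described in the post:
# PUSHFD (9C) ; XOR EAX,EAX (33 C0) ; JMP rel32 (E9 ...). Not a real Morphine signature.
STUB_PREFIX = bytes.fromhex("9c33c0e9")


def entry_point_bytes(pe: bytes, n: int = 4) -> bytes:
    """Return the first n file bytes at the PE32 entry point (AddressOfEntryPoint)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]       # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]       # AddressOfEntryPoint
    sections = opt + opt_size
    for i in range(nsections):
        hdr = sections + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if va <= entry_rva < va + max(vsize, raw_size):
            off = raw_ptr + (entry_rva - va)                    # map RVA to file offset
            return pe[off:off + n]
    raise ValueError("entry point lies outside every section")


def has_stub_at_entry(pe: bytes) -> bool:
    """Naive entry-point signature: True only if the stub bytes sit exactly at the entry point."""
    return entry_point_bytes(pe, len(STUB_PREFIX)) == STUB_PREFIX


def build_pe(code: bytes) -> bytes:
    """Constructed minimal PE32 (headers only, not loadable) with one .text section
    at RVA 0x1000 / file offset 0x200 and the entry point at its first byte."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x2000)
    section = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x1000, 0x1000, 0x200, 0x200)
    headers = dos + b"PE\0\0" + coff + opt.ljust(224, b"\0") + section.ljust(40, b"\0")
    return headers.ljust(0x200, b"\0") + code.ljust(0x200, b"\0")


if __name__ == "__main__":
    print(has_stub_at_entry(build_pe(STUB_PREFIX + b"\x10\0\0\0")))  # True
    print(has_stub_at_entry(build_pe(b"\x90" + STUB_PREFIX)))         # False: one NOP shifts the stub
```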
Post by Arksole Hoax »

When surfing on the internet I stumbled on a new type of heuristic AV.

I barely remember the name, but it was something like "respledence" AV or something like that. It has no signature scanner and works on the basis of hooking. So it first installs all kinds of hooks, and if an exe wants to do something bad, it picks it up. Bad thing that it only works for x86 and not x64 :(

Maybe this could help?

I personally don't fear viruses, nor do I fear worms, but hey, these threats are there. Even if the AVs are bad, they are protecting the "dumb" user.
Just like the best encryption scheme won't protect the dumb user from choosing a bad password.
Post by Arksole Hoax »

@uall :

:)))))
fnop. That's cool. I tried something similar with "nop" once, but it didn't work. Nice.

On 32-bit machines, I trust NOD32 with high-level heuristic scan enabled.
Can you fool it too?
Post by Bardicrune »

madshi wrote: I've read in another forum that the faulty detection was removed in the meanwhile. Can anybody confirm that? Unfortunately Norton/Symantec doesn't seem to work at all on my development PC, so I've a hard time testing it.
Nope. I updated the latest definitions from their site (vd20f404.xdb) and it still detects madCHook.dll as being infected. However, this is the daily definition file from 3/26/06. It may change later today.
Post by madshi »

That's the non-commercial madCHook.dll, is that correct?

In this thread we're talking about mchInjDrv.sys being detected, though, which is a different thing. The detection fires in the moment when you inject a dll system wide.

The non-commercial madCHook.dll detection might still be active, but the mchInjDrv.sys detection is hopefully gone.
Post by Bardicrune »

madshi wrote: That's the non-commercial madCHook.dll, is that correct?
Yes, sorry about that. I didn't see the other thread on the non-commercial version. I downloaded the latest version of madcollection and that corrected the false positive. Thank you for making and supporting an excellent product.