Symantec Antivirus reports mchInjDrv.sys as virus threat
XanSama wrote: A temporary solution would be to modify the driver so it was no longer detected (usually just moving some code around, renaming some functions, and changing linker settings does the trick).

That depends entirely on how it is being detected. If it's by its signature (i.e. a binary sequence of bytes), then yes, that approach would work, but only for as long as it takes Symantec to update its definition files. But I suspect the driver has triggered some form of heuristic analysis, in which case an approach such as moving code around probably won't work.
Mark
Symantec Security Risk Dispute Submission
Please everybody submit a review request to :
https://submit.symantec.com/security_risks/dispute/
AV detections usually crumble after you move around some code with equivalent instructions. 29A's Z0MBiE has written a code permutator to do just this; although mostly trojan/rootkit authors use it to avoid positive detections, it's a great tool to modify the binary form without needing access to the source code and recompiling to get past detection. Madshi's approach of contacting them directly is much more professional, of course, and the more of us who complain and petition against the false positive on his injection driver the better.
Just my 2 cents.
--Iconic
iconic wrote: AV detections usually crumble after you move around some code with equivalent instructions. 29A's Z0MBiE has written a code permutator to do just this; although mostly trojan/rootkit authors use it to avoid positive detections, it's a great tool to modify the binary form without needing access to the source code and recompiling to get past detection. Madshi's approach of contacting them directly is much more professional, of course, and the more of us who complain and petition against the false positive on his injection driver the better. Just my 2 cents. --Iconic

There is the tool "Morphine" from holy_father, which does some scrambling too, although the freeware version gets picked up by all AVs.
@Arksole Hoax
Every Morphine-crypted file is detected as a virus, because HolyFather is coding viruses. Therefore every normal (non-virus) program crypted with Morphine is detected as a virus.
I have created a simple EXE crypter which is not detected by AVs, and every crypted executable (virus, trojan etc.) is not detected anymore.
It's so easy to trick every AV. They are all that stupid ;>
Btw.: I have created a simple 'Unmorphine', so you can decrypt the Morphine-crypted files. Most AVs are doing that for packed files (like UPX).
If an executable is crypted with Morphine, a
PUSHFD
XOR EAX, EAX
JMP XXX
or something like this is at the beginning of the entry point (the decryption code).
Now they don't detect the crypted file. The AVs detect this PUSHFD... and know that this file is crypted with Morphine -> it's a virus. It doesn't matter if this is a normal program; if it's crypted with Morphine it's a virus for the AVs. The only problem is the detection of the encrypter inside the crypted file.
Maybe the commercial version of Morphine hasn't a PUSHFD on the entry point, or special flags inside the PE header.
So it's really easy coding a crypter which is not detected, or making some virus AV-proof. This can be done by every script kiddie who has the source of a crypter or the source of a virus.
All AVs = bullshit. They all earn money, but every one of them knows that everything can be bypassed in some minutes. Only Kaspersky has said this in a statement; all other AV companies are still saying that their AV can't be bypassed easily.
Edit:
Example:
http://uall.overclock.ch/AntiVir.rar
Only 1 check. Nice!
And I have lots of examples, making Optix etc. AV-safe by changing the EIP only...
Last edited by uall on Mon Mar 27, 2006 10:10 am, edited 1 time in total.
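Added example (not code from this thread, from madshi's project, or from Morphine) illustrating the three points made above: Mark's distinction between a byte signature and heuristics, iconic's remark that swapping in equivalent instructions breaks a byte signature, and uall's observation that a scanner keyed on the PUSHFD / XOR EAX,EAX / JMP prologue at the entry point can be dodged by "changing the EIP only". The x86 encodings (9C, 31 C0, E9 rel32) are standard; the minimal PE32 builder, the 16-byte payload and the 8-byte wildcard signature are constructed for the example, and the "normalization" step is a toy stand-in for what a real engine does with a disassembler.

```python
import struct

# Constructed x86 encodings of the prologue quoted in the thread:
#   PUSHFD       -> 9C
#   XOR EAX,EAX  -> 31 C0
#   JMP rel32    -> E9 xx xx xx xx   (the "XXX" target differs per file)
PAYLOAD = b"\x90" * 16                                   # stand-in for the encrypted body
STUB = bytes.fromhex("9c31c0") + b"\xe9" + struct.pack("<i", len(PAYLOAD))

# Byte signature as an engine would store it: None is a wildcard, so only the
# fixed prologue bytes matter, not the jump displacement.
SIGNATURE = [0x9C, 0x31, 0xC0, 0xE9, None, None, None, None]


def build_pe(code: bytes, entry_rva: int) -> bytes:
    """Constructed minimal PE32 image: one .text section at RVA 0x1000, raw offset 0x200."""
    pe = bytearray(0x200)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                       # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, 1 section, optional header size 0xE0 (PE32)
    struct.pack_into("<HHIIIHH", pe, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x44 + 20
    struct.pack_into("<H", pe, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", pe, opt + 16, entry_rva)              # AddressOfEntryPoint
    sect = opt + 0xE0
    struct.pack_into("<8sIIIIIIHHI", pe, sect, b".text", len(code), 0x1000,
                     len(code), 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(pe) + code


def entry_point_file_offset(pe: bytes) -> int:
    """Map AddressOfEntryPoint (an RVA) to a raw file offset via the section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sect = opt + opt_size
    for i in range(nsect):
        va, raw_size, raw_ptr = struct.unpack_from("<III", pe, sect + i * 40 + 12)
        if va <= entry_rva < va + raw_size:
            return raw_ptr + (entry_rva - va)
    raise ValueError("entry point outside all sections")


def sig_match_at(buf: bytes, off: int, sig=SIGNATURE) -> bool:
    if off + len(sig) > len(buf):
        return False
    return all(s is None or buf[off + i] == s for i, s in enumerate(sig))


def scan_entry_point(pe: bytes) -> bool:
    """Cheap scanner: look for the decryptor prologue only where execution starts."""
    return sig_match_at(pe, entry_point_file_offset(pe))


def scan_whole_file(pe: bytes) -> int:
    """Slower scanner: first offset of the signature anywhere in the file, or -1."""
    return next((o for o in range(len(pe)) if sig_match_at(pe, o)), -1)


def normalize_zeroing(buf: bytes) -> bytes:
    """Fold equivalent 'zero EAX' encodings (33 C0 xor, 29 C0 / 2B C0 sub) to 31 C0.
    Toy version: a byte replace, not instruction-aware; a real engine would disassemble."""
    out = buf
    for form in (b"\x33\xc0", b"\x29\xc0", b"\x2b\xc0"):
        out = out.replace(form, b"\x31\xc0")
    return out


def sample_crypted() -> bytes:
    """Stub at the entry point, as the thread describes Morphine output."""
    return build_pe(STUB + PAYLOAD, 0x1000)


def sample_entry_moved() -> bytes:
    """'Change the EIP only': entry point now lands on a trailing JMP back to the stub."""
    code = STUB + PAYLOAD
    back = b"\xe9" + struct.pack("<i", -(len(code) + 5))
    return build_pe(code + back, 0x1000 + len(code))


def sample_permuted() -> bytes:
    """Equivalent-instruction swap: XOR EAX,EAX re-encoded as 33 C0 instead of 31 C0."""
    return build_pe(STUB.replace(b"\x31\xc0", b"\x33\xc0") + PAYLOAD, 0x1000)


if __name__ == "__main__":
    for name, pe in (("original", sample_crypted()),
                     ("entry moved", sample_entry_moved()),
                     ("permuted", sample_permuted())):
        print(f"{name:12s} entry-point hit={scan_entry_point(pe)} "
              f"whole-file hit@{scan_whole_file(pe):#x} "
              f"normalized hit@{scan_whole_file(normalize_zeroing(pe)):#x}")
```

Run it and the three rows show the thread's argument in miniature: the entry-point-only scanner catches the original file and nothing else; the whole-file scanner still catches the "EIP moved" variant but not the re-encoded one; only after normalizing equivalent encodings (a first, tiny step towards the heuristic analysis Mark suspects) does the signature hit again. Any byte-exact rule, however it is scanned, is only as good as the last definition update.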
When surfing on the internet I stumbled on a new type of heuristic AV;
I barely remember the name but it was something like "respledence" AV or something like that. It has no signature scanner and works on the basis of hooking. So it first installs all kinds of hooks, and if an EXE wants to do something bad, it picks it up. Bad thing that it only works for x86 and not x64.
Maybe this could help?
I personally don't fear viruses, nor do I fear worms, but hey, these threats are there. Even if the AVs are bad, they are protecting the "dumb" user.
Just like the best encryption scheme won't protect the dumb user from choosing a bad password...
I've read in another forum that the faulty detection was removed in the meanwhile. Can anybody confirm that? Unfortunately Norton/Symantec doesn't seem to work at all on my development PC, so I have a hard time testing it.

Nope. I updated to the latest definitions from their site (vd20f404.xdb) and it still detects madchook.dll as being infected. However, this is the daily definition file from 3/26/06. It may change later today.
That's the non-commercial madCHook.dll, is that correct?
In this thread we're talking about mchInjDrv.sys being detected, though, which is a different thing. The detection fires in the moment when you inject a dll system wide.
The non-commercial madCHook.dll detection might still be active, but the mchInjDrv.sys detection is hopefully gone.