Detection within Installation files

[Art]

Addendum:

After submitting another two infected installation packages, I received the
following feedback this AM....

"I understand your concern and will pass along your feedback to the Engine team.
In the meantime, On Access scanning provides protection against those components
carried within the installer as soon as they hit the disk independently (prior to
execution)."
craig_schmugar<at>avertlabs.com

Uh huh. So far, I've determined that KAV, NOD32 and Bit Defender have
the extraction capability and can alert to multiple malwares within
install files (at least in some cases) when used on-demand. The plot
thickens (as usual) because of the "at least in some cases" clause. I
don't yet know whether or not scanner x fails to alert at all because
it can't decompress a particular install or if it simply doesn't have
detection of the included malwares. And there's the issue that some
av will have a sig for the install file itself. So evaluation is
rather involved. But what else is new? That's the way it goes.

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc

 

[Art]

Here's one rather interesting result:

web site: http://www.openwares.org/
install file: emule-1.08.exe
data002 Trojan.Win32.VB.wh (KAV)
Win32/VB.NAT Trojan (NOD32)
data 003 Adware.Win32.MediaBack.a (KAV)
Win32/Adware.MediaBack application (NOD32)

Uploaded to Virus Total. No other av alert. But KAV and NOD32
agree there's one Adware and one Trojan in the install file.

Notice the claims at this web site. All files are allegedly scanned
and determined to be free of any kind of malicious code and
spyware, etc. They may well even believe that to be true!

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc

 

[Art]

One kind of test of scanners that seems to be rare is that of their

ability to detect a variety of malware "within" install files.
Catching malware prior to installation is obviously a important
preventative.

I used a list of rogue web sites:

http://kppfree.altervista.org/spylist.htm

Below is a short list of twenty rogue install/setup files containing
a variety of Adware and Trojans. In addition to KAV, which finds
malware in all of these, I've also looked at several other av
scanners. Dr Web and Bit Defender show signs of at least making
attempts at scanning "within" these files, and they both alert on a
few. NOD32 seems to just skip most of them without showing signs of a
"scan within" capability except for the few it alerts on. Sophos
Personal has a Advanced setting which implies the capability, but it
finds nothing in any of the files.

http://www.twistermp3.com/twister.htm
twisterfree.exe
http://www.01smith.com/home/01smithpage.htm
mp3finder.exe
http://www.openwares.org/
emule-1.08.exe
http://www.jubster.com
jubster.exe
http://www.kazaabuddy.net
kazaabuddy-setup.exe
http://www.freetrialdownloads.com
ldm-setup.exe (LimeWire download manager 4.2.6)
http://www.mp3hitmachine.com/mp3jukebox
amazingmp3playerfree.exe
http://www.snappertools.com
aresclientfree.exe
morphclientfree.exe
firestormfree.exe
http://www.binartisan.com
artisanburner.exe (DVD burner)
artisanplayer.exe (DVD player)
http://www.npsoftware.com
2findmp3free.exe
http://128.121.62.113/home/songoog/?D=A
setup.exe.2.17
http://www.kazaa-download-manager.com
kdm-setup.exe
http://www.mp3musicsearch.net
mp3ms.exe
http://www.kazaap.org/
kazaap-3.6.exe
http://www.kiwialpha.com/
kiwialphafree.exe
http://www.grokster.com/
grokster_installer.exe
http://downloads.vnunet.com/download/kazaa/kazaa+preview+extractor+1.2/_1053.html
kpe12.exe (Kazaa Preview Extractor)

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc

 

[Ian Kenefick]

Below is a short list of twenty rogue install/setup files containing
a variety of Adware and Trojans. In addition to KAV, which finds
malware in all of these, I've also looked at several other av
scanners. Dr Web and Bit Defender show signs of at least making
attempts at scanning "within" these files, and they both alert on a
few. NOD32 seems to just skip most of them without showing signs of a
"scan within" capability except for the few it alerts on. Sophos
Personal has a Advanced setting which implies the capability, but it
finds nothing in any of the files.

http://www.twistermp3.com/twister.htm
twisterfree.exe
http://www.01smith.com/home/01smithpage.htm
mp3finder.exe
http://www.openwares.org/
emule-1.08.exe
http://www.jubster.com
jubster.exe
http://www.kazaabuddy.net
kazaabuddy-setup.exe
http://www.freetrialdownloads.com
ldm-setup.exe (LimeWire download manager 4.2.6)
http://www.mp3hitmachine.com/mp3jukebox
amazingmp3playerfree.exe
http://www.snappertools.com
aresclientfree.exe
morphclientfree.exe
firestormfree.exe
http://www.binartisan.com
artisanburner.exe (DVD burner)
artisanplayer.exe (DVD player)
http://www.npsoftware.com
2findmp3free.exe
http://128.121.62.113/home/songoog/?D=A
setup.exe.2.17
http://www.kazaa-download-manager.com
kdm-setup.exe
http://www.mp3musicsearch.net
mp3ms.exe
http://www.kazaap.org/
kazaap-3.6.exe
http://www.kiwialpha.com/
kiwialphafree.exe
http://www.grokster.com/
grokster_installer.exe
http://downloads.vnunet.com/download/kazaa/kazaa+preview+extractor+1.2/_1053.html
kpe12.exe (Kazaa Preview Extractor)

Thanks for the post Art. I will run these through my NOD32 and let ye
knwo what happens. Anything not detected will be submitted to their
lab.

 

[Art]

Thanks for the post Art. I will run these through my NOD32 and let ye
knwo what happens. Anything not detected will be submitted to their
lab.

Remember this is all about on-demand scanning so you can see what's
going on.

NOD32 has to be set to Advanced Heuristics. Also, to see whether or
not it seems to be extracting you have to set it to scan all files.
That way, when it can't handle extraction (apparently) you'll see it
simply put out a "OK" message after basically just skipping over the
file. When it can extract, you'll see the evidence of it ... it puts
out messages as it scans files "within".

You should see it able to extract and find malware on four of the
twenty files.

The problem with NOD32 seems more than just the inability to detect
some of the Adware KAV detects. It looks to me like it has severe
extraction engine limitations. So does Dr Web, though the extraction
engine problem is of a different kind. It gives a error on one file
"Compression ratio too large". IOW, it tries like hell and it
basically does extract on all the files, but it can't handle some of
the compressions the way KAV can. KAV is simply marvelous compared to
other scanners.

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc

 

[Ian Kenefick]

but it can't handle some of
the compressions the way KAV can. KAV is simply marvelous compared to
other scanners.

Agreed! KAV engine is built around FAR Manager from rarlab. There
isn't much is can't find. I found this info out not so long ago when
talking to an AV'er about different engines. Interesting eh

P.S. I snipped a lot but I am doing as you mentioned

 

[Virus Guy]

Below is a short list of twenty rogue install/setup files
containing a variety of Adware and Trojans.
Dr Web and Bit Defender show signs of at least making
attempts at scanning "within" these files

Kaspersky is the clear winner here, and BitDefender comes in a close
second. AntiVir/Avira ranks third.

KDM-Setup.exe
BitDefender 7.2 10.04.2005 Application.Webhancer.AI
CAT-QuickHeal 8.00 10.02.2005 TrojanDownloader.Small.asf
Kaspersky 4.0.2.24 10.04.2005 Trojan-Downloader.Win32.Small.asf
NOD32v2 1.1240 10.03.2005 Win32/Adware.Webhancer.A

LDM-Setup.exe
BitDefender 7.2 10.04.2005 Trojan.Downloader.Adload.A
Fortinet 2.48.0.0 10.04.2005 W32/Adload.A-dldr
Kaspersky 4.0.2.24 10.04.2005 Trojan-Downloader.Win32.Small.asf
NOD32v2 1.1240 10.03.2005 Win32/TrojanDownloader.Adload.A.gen

KazaaBuddy-Setup.exe
AntiVir 6.32.0.6 10.03.2005 ADSPY/Save.BO.3.A.1
Avira 6.32.0.6 10.03.2005 ADSPY/Save.BO.3.A.1
Kaspersky 4.0.2.24 10.04.2005 not-a-virus:AdWare.Win32.SaveNow.bo

kpe12.exe
BitDefender 7.2 10.04.2005 Application.Whenu.J
Kaspersky 4.0.2.24 10.04.2005 not-a-virus:AdWare.Win32.SaveNow.d

kb.exe
limeclientfree.exe
(nobody found nothin)

twisterfree.exe
mp3finder.exe
firestormfree.exe
amazingmp3playerfree.exe
artisanplayer.exe
artisanburner.exe
kiwialphafree.exe
morphclientfree.exe
aresclientfree.exe
Kaspersky 4.0.2.24 10.04.2005
not-a-virus:Server-Proxy.Win32.MarketScore.k
See here for more info:
http://shield.prevx.com/pxparall.asp?PXC=f6fd384544

mp3ms.exe
AntiVir 6.32.0.6 10.03.2005 ADSPY/Save.BO.3.A.1
Avira 6.32.0.6 10.03.2005 ADSPY/Save.BO.3.A.1
BitDefender 7.2 10.04.2005 Application.Adware.NewDotNet.B.Dropper
CAT-QuickHeal 8.00 10.02.2005 AdWare.NewDotNet (Not a Virus)
ClamAV devel-20050917 10.04.2005 Adware.NewDotNet.B-4
Kaspersky 4.0.2.24 10.04.2005 not-a-virus:AdWare.Win32.NewDotNet
McAfee 4595 10.03.2005 potentially unwanted program Generic Adware

Jubster.exe
AntiVir 6.32.0.6 10.03.2005 ADSPY/Save.BO.3.A.1
Avira 6.32.0.6 10.03.2005 ADSPY/Save.BO.3.A.1
BitDefender 7.2 10.04.2005 Adware.Whenu.Savenow.E
Kaspersky 4.0.2.24 10.04.2005 not-a-virus:AdWare.Win32.SaveNow.bo

setup.exe.2.17
BitDefender 7.2 10.04.2005 Application.Navexcel.B
Kaspersky 4.0.2.24 10.04.2005 not-a-virus:AdWare.Win32.NavExcel.d

 

[Virus Guy]

So, like, is there an extractor for these files?

WinRAR doesn't do it.

 

[Art]

Kaspersky is the clear winner here, and BitDefender comes in a close
second. AntiVir/Avira ranks third.

Other than the fact that KAV is the clear winner, I don't concur with
your other conclusions. There are no "close" seconds. If anything, Dr
Web takes 2nd place since it alerted on more install files than any
other product other than KAV.

KDM-Setup.exe
BitDefender 7.2 10.04.2005 Application.Webhancer.AI
CAT-QuickHeal 8.00 10.02.2005 TrojanDownloader.Small.asf
Kaspersky 4.0.2.24 10.04.2005 Trojan-Downloader.Win32.Small.asf
NOD32v2 1.1240 10.03.2005 Win32/Adware.Webhancer.A

LDM-Setup.exe
BitDefender 7.2 10.04.2005 Trojan.Downloader.Adload.A
Fortinet 2.48.0.0 10.04.2005 W32/Adload.A-dldr
Kaspersky 4.0.2.24 10.04.2005 Trojan-Downloader.Win32.Small.asf
NOD32v2 1.1240 10.03.2005 Win32/TrojanDownloader.Adload.A.gen

KazaaBuddy-Setup.exe
AntiVir 6.32.0.6 10.03.2005 ADSPY/Save.BO.3.A.1
Avira 6.32.0.6 10.03.2005 ADSPY/Save.BO.3.A.1
Kaspersky 4.0.2.24 10.04.2005 not-a-virus:AdWare.Win32.SaveNow.bo

kpe12.exe
BitDefender 7.2 10.04.2005 Application.Whenu.J
Kaspersky 4.0.2.24 10.04.2005 not-a-virus:AdWare.Win32.SaveNow.d

kb.exe
limeclientfree.exe
(nobody found nothin)

twisterfree.exe
mp3finder.exe
firestormfree.exe
amazingmp3playerfree.exe
artisanplayer.exe
artisanburner.exe
kiwialphafree.exe
morphclientfree.exe
aresclientfree.exe
Kaspersky 4.0.2.24 10.04.2005
not-a-virus:Server-Proxy.Win32.MarketScore.k
See here for more info:
http://shield.prevx.com/pxparall.asp?PXC=f6fd384544

mp3ms.exe
AntiVir 6.32.0.6 10.03.2005 ADSPY/Save.BO.3.A.1
Avira 6.32.0.6 10.03.2005 ADSPY/Save.BO.3.A.1
BitDefender 7.2 10.04.2005 Application.Adware.NewDotNet.B.Dropper
CAT-QuickHeal 8.00 10.02.2005 AdWare.NewDotNet (Not a Virus)
ClamAV devel-20050917 10.04.2005 Adware.NewDotNet.B-4
Kaspersky 4.0.2.24 10.04.2005 not-a-virus:AdWare.Win32.NewDotNet
McAfee 4595 10.03.2005 potentially unwanted program Generic Adware

Jubster.exe
AntiVir 6.32.0.6 10.03.2005 ADSPY/Save.BO.3.A.1
Avira 6.32.0.6 10.03.2005 ADSPY/Save.BO.3.A.1
BitDefender 7.2 10.04.2005 Adware.Whenu.Savenow.E
Kaspersky 4.0.2.24 10.04.2005 not-a-virus:AdWare.Win32.SaveNow.bo

setup.exe.2.17
BitDefender 7.2 10.04.2005 Application.Navexcel.B
Kaspersky 4.0.2.24 10.04.2005 not-a-virus:AdWare.Win32.NavExcel.d

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc

 

[Art]

So, like, is there an extractor for these files?

WinRAR doesn't do it.

Probably, but I'm not aware of any.

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc

 

[Jeffrey F. Bloss]

Agreed! KAV engine is built around FAR Manager from rarlab. There
isn't much is can't find. I found this info out not so long ago when
talking to an AV'er about different engines. Interesting eh

The sad thing is, that ability to reach deep inside different file formats
seems to have caused some problems...

http://www.rem0te.com/public/images/kaspersky.pdf



--
Hand crafted on October 04, 2005 at 02:07:41 -0400

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
-Groucho Marx

 

[Ian Kenefick]

The sad thing is, that ability to reach deep inside different file formats
seems to have caused some problems...

http://www.rem0te.com/public/images/kaspersky.pdf

Kaspersky isn't on it's own here.

http://www.rem0te.com/frame/rem_index.htmlhttp://www.rem0te.com/frame/rem_index.html

 

[Ian Kenefick]

The sad thing is, that ability to reach deep inside different file formats
seems to have caused some problems...

http://www.rem0te.com/public/images/kaspersky.pdf

Here is the reply I got from Kaspersky Lab.

Dear Ian.

Yes, we confirm that product can be crashed througth this heap
overflow. Vulnerability is described on the public sources, however
there is no exploit in the wild so far. Vulerable cab.ppl will be
replaced ASAP, at the moment we are testing the fixed version of this
module.

In the meantime we have added additional record to our virus
definitions database. All malformed CAB files which can exploit this
vulnerability will be detected as Exploit.Win32.Cab.

Until the fixed version of this PPL is not released publicly,
vulnerable code still exists in our products but it can not be
exploited 'cause the engine will detect this exploit before it will be
sent to the vulnerable cab.ppl. So, our customers are already
protected from this vulnerability.

We will release official press-release today. The patch will be
available at 5th october.

Kind regards,
Andrey Kizikov
International Technical Support Service
Kaspersky Labs Russia

 

[tpwuk]

Other than the fact that KAV is the clear winner, I don't concur with
your other conclusions. There are no "close" seconds. If anything, Dr
Web takes 2nd place since it alerted on more install files than any
other product other than KAV.




Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc

www.themexp.org appears to be offering a free copy of Adware-NewDotNET
with anything downloaded with a red astrix at the side of the downloads
name. I haven't tested for a false positive, but i know it went straight
past AVG free edition. BitDefender blocks the download as soon as it has
completed. Needless to say i am impressed with BD.

TpwUK

 

[Art]

www.themexp.org appears to be offering a free copy of Adware-NewDotNET
with anything downloaded with a red astrix at the side of the downloads
name. I haven't tested for a false positive, but i know it went straight
past AVG free edition. BitDefender blocks the download as soon as it has
completed. Needless to say i am impressed with BD.

Careful. They appear to be offering more than just that. KAV detects
two different Adwares and one Trojan in all eight of the .EXE files
there. BF only detects one of the Adwares. NOD32 detects nothing.

Do not check for false positives by means of running any of these on
your PC unless you want to use it as a goat. I'll figure out some way
of checking on KAV's findings even if I have to submit one of the
files to Kaspersky for analysis.

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc

 

[Jeffrey F. Bloss]

Kaspersky isn't on it's own here.

Sorry, I didn't mean to give the impression that I was singling out KAV,
although in retrospect that's exactly what i did. KAV is in my opinion one
of the best, and has been as long as I've been aware of the existence of
general AV softwares. That's quite a long time, to be sure.

What I was *really* trying to point out is that the more complex something
gets the more likely it is to break. This KAV example is a glaring one and
current, but far from the only example or even the most striking. Anyone
remember the 4 lines of code that could "switch off" Mcafee?

Judging AV software by how deep inside an archive it can dig is a bit
foolish. That ability is far from the most important feature an AV software
can possess, and to be technically precise, the ability to scan inside
archives at all is something that can be compensated for by users.

It's important to realize that a little education and prudence is FAR more
important than the latest Whiz-Bang graphical feature or "deep scan"
gimmick. We place far too much importance in the latter.

--
Hand crafted on October 04, 2005 at 20:42:24 -0400

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.
-Groucho Marx

 

[tpwuk]

Art wrote:

Careful. They appear to be offering more than just that. KAV detects
two different Adwares and one Trojan in all eight of the .EXE files
there. BF only detects one of the Adwares. NOD32 detects nothing.

Do not check for false positives by means of running any of these on
your PC unless you want to use it as a goat. I'll figure out some way
of checking on KAV's findings even if I have to submit one of the
files to Kaspersky for analysis.

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc

Thanks for the heads up Art

TpwUK

 

[Art]

www.themexp.org appears to be offering a free copy of Adware-NewDotNET
with anything downloaded with a red astrix at the side of the downloads
name. I haven't tested for a false positive, but i know it went straight
past AVG free edition. BitDefender blocks the download as soon as it has
completed. Needless to say i am impressed with BD.

Ok, I'm getting confirmation from Dr Web antivirus which also finds
two Adwares and one downloader Trojan. I had previously sent a email
to Kaspersky asking them to confirm that KAV isn't false alarming ...
but it looks like it's not. I'm going to notify the owner of the web
site and inform him or her that if these files aren't promptly removed
and replaced with clean ones, I will take further steps. It's the
downloader Trojan I'm conerned about. KAV calls it
Trojan-Downloader.Win32.Small.bke
I dunno what it does yet but it doesn't sound good

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc

 

[tpwuk]

Ok, I'm getting confirmation from Dr Web antivirus which also finds
two Adwares and one downloader Trojan. I had previously sent a email
to Kaspersky asking them to confirm that KAV isn't false alarming ...
but it looks like it's not. I'm going to notify the owner of the web
site and inform him or her that if these files aren't promptly removed
and replaced with clean ones, I will take further steps. It's the
downloader Trojan I'm conerned about. KAV calls it
Trojan-Downloader.Win32.Small.bke
I dunno what it does yet but it doesn't sound good

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc

Well the saddening thing is the declaration that the authors of whats on
offer from the site have given their concent for the site to wrap their
hard work with adware and trojans ... I feel confident that those
authors have not concented to this form of action from those involved.
Good luck with contacting the site i did try via the link provided but
as of yet have received no response, even more annoying after their pp
states

Security

This site has security measures in place to protect the loss, misuse, and alteration of the information under our control.

I will drop the subject here as it may pull off topic.
All the best

TpwUK

 

[Art]

Judging AV software by how deep inside an archive it can dig is a bit
foolish. That ability is far from the most important feature an AV software
can possess, and to be technically precise, the ability to scan inside
archives at all is something that can be compensated for by users.

It's important to realize that a little education and prudence is FAR more
important than the latest Whiz-Bang graphical feature or "deep scan"
gimmick. We place far too much importance in the latter.

The topic here is not archive scanning, as such, but the ability to
scan within setup and install .EXE files on-demand ... and the ability
to detect a wide variety of malware, including Adware and Spyware.

Since not everyone uses KAV they are unlikely to get a alert
on a on-demand scan of a install/setup file. They are thus dependent
on their realtime monitor to detect and block during the install
process. But that's a very "iffy" situation in many cases. They use
products that don't have the wide range of malware detections, for one
thing. They complain that KAV is too slow.

Point being that they'd be far better off using KAV on-demand for
scanning downloads. My KASFX (see my sig) is a free way for users to
add this capability.

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc