Thunderbyte is often seen as the leader of the Anti-Virus software
market. Well, either that or F-Prot. In this article VLAD will have a good
look at some of it's features... and how to exploit them :)
Firstly let's take TBScan.
The AV are always raving on about TBScan and how it's given them the
upper-hand over the VX. I'll admit it's a good package and I use it
personally, but the point I want to make is that it's far from infallible
and it's easy to get around.
TBScan's heuristics works by _signature scanning_ for certain code
constructs. When it finds one - it flags it, and the more it flags the
more likely it's a virus. What Frans has done is found which bytes are
common to many viruses and he scans for them. He does no code tracing
at all! This means he scans data that isn't even executed!
The obvious solution to this is encryption! A recent Thunder-Byte
press release claimed that TBAV6.20 has new advanced features for detecting
and undoing polymorphism and encryption. The fact is that TBScan does
SWEET FUCK ALL! It can't even pick up a basic XOR let alone polymorphics!
If you don't beleive me why don't you try scanning one of my viruses.
(You'll pick a few things with the first generation of viruses but
thereafter you'll find nothing)
As I said earlier TBAV is a good product, but it's not the 'solution'
to viruses that people make out.
The last thing you do after getting the code for your new virus working
is add the small modifications needed to get it past heuristics. After
adding the encryption (a must) scan your virus and see what it flags.
It'll probably only be a few things... flexible entry point, and encryption
are the two most likely. These two routines can't be encrypted like the
others. Flexible entry point is normally flagged by the code used to get
the IP:
call next
next:
pop si ;or anything
sub si,offset next
Just remember that whenever you 'call' that the IP is push'ed on the
stack (SS:SP) and that there are heaps of methods of getting it off. Check
my source to see what I do.
TBScan's code for detecting encryption is just plain flakey so I don't
even bother putting in any code for that! It just doesn't seem to pick it
up!
Let's move onto TBSetup.
Well... what can I say about this ? It's method of protecting your
files is by writing those annoying little ANTI-VIR.DAT files all over your
computer. Do I even need to go into the obvious way of getting around
this ? Delete them! Next time the user runs TBSetup it'll happily add
your virus infected files to a new ANTI-VIR.DAT This is the huge flaw
(which I can't see a way of getting around) in all CRC checking software.
Just delete the database! Think of all the extra disk space you'll save
the user! :) You're doing them a favour! :)
The AV can change their 16 bit CRC's to 32 bit CRC's to 64 bit CRC's -
we'll just delete their information every time!
It's time for TBClean.
TBClean is an extremely advanced, interesting piece of software. But
it has one fatal flaw. It is extremely easy to fool! Just check 40Hex??
for their article on anti-debugging techniques to work out how to fool it.
(TBClean works _exactly_ the same as a debugger)
Everyone should have a play with TBClean. Once you get the
anti-debugging code going you can do anything. Have a good laugh as you
jump straight into the video segment and TBClean executes it for ages then
creates a 60k .COM file that began as 45 bytes! (Happened to me!)
Check my virii sources for code to trick TBClean.
There's only one more thing that people can do to make TBAV worthless
and that's not infecting 'TB*.EXE'. Even if it does infect them they won't
execute so then they are useless.
Anyway that's enough dumping on TBAV for now. It's still better than
most of the stuff on the market - I could puke on McAfee! I hope Franz is
really annoyed!
ADDENDUM!
+-------+
Just a quick addition to that article. Yesterday TBAV621 came out and
I was happy to see Daddy Incest not being scanned. The heuristics still
don't flag a thing but with the original unencrypted dropper version
TBScan in high heuristic mode flags the following things:
~~~
C:\ASM\DADDY\DADDY.COM
might be infected by an unknown virus
c No checksum / recovery information (Anti-Vir.Dat) available. cFAL
C The checksum data does not match! File has been changed!
R Relocator. Program code will be relocated in a suspicious way.
N Wrong name extension. Extension conflicts with program structure.
D Disk write access. The program writes to disk without using DOS.
~~~
and down the bottom it shows the flags set as:
~~~
DADDY.COM scanning...> cFAL X
~~~
First thing you'll notice is that the flags picked up aren't the ones
shown.
~~~
DADDY.COM scanning...> cFAL X
~~~ ^^^^
cFAL is different to the cCRND shown up the top.
Secondly it gives this stupid error:
~~~
c No checksum / recovery information (Anti-Vir.Dat) available. cFAL
C The checksum data does not match! File has been changed!
~~~
What sort of error is this ? No checksum, checksum doesn't match ?!
How can a checksum not match if there isn't a checksum ?
Next is this:
~~~
N Wrong name extension. Extension conflicts with program structure.
~~~
This is a proper COM file here! Dunno what he's on about...
Finally:
~~~
D Disk write access. The program writes to disk without using DOS.
~~~
Huh ? No int13h's here! Not even an int26h! Good programming Franz.
Also on another clean file I got this error:
~~~
C:\COOLSPOT\TRSI!CSF.EXE
might be infected by an unknown virus
c No checksum / recovery information (Anti-Vir.Dat) available. cJGK
C The checksum data does not match! File has been changed!
? Inconsistent exe-header. Might be a virus but can also be a bug.
U Undocumented interrupt/DOS call. The program might be just tricky
but can also be a virus using a non-standard way to detect itself.
Y Bootsector violates IBM bootsector format. Missing 55AA-marker.
~~~
Y Bootsector violates IBM bootsector format. Missing 55AA-marker.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
What!!!? This is a file for gods sake! The bootsector is only one sector
on the entire harddisk, what's TBScan doing even bothering to look for it
inside a file ? And how in hell could it pick it up ?!!!
I cringe to think what some computer illiterate user would think of such
an error message. Would probably have a heart attack!
Enough harping for now...
- VLAD #1 INDEX -