Thursday, March 25, 2010

FW: NEWSBANK :: Antivirus and False Positives

From: Juan Castro (SAL-LA)
Sent: Friday, March 26, 2010 7:32:35 AM
To: Newsbank
Subject: NEWSBANK :: Antivirus and False Positives
Auto forwarded by a Rule

Source: http://stopmalvertising.com/news/antivirus-and-false-positives


Antivirus and False Positives


Written by Kimberly   

Friday, 26 March 2010 08:01


Antivirus and FP

Thursday, March 25, 2010 by S!Ri

Source: http://siri-urz.blogspot.com/2010/03/antivirus-and-fp.html


I did a test on the VirusTotal online scanner with an inoffensive piece of ASM code.

This is the source code:



.386                                ; MASM requires a processor directive before .model flat
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.code
start:
    Push 0                          ; ExitCode = 0
    CALL ExitProcess                ; the only API the program ever calls
end start


And this is what the compiled binary looks like:


00401000 >/$  6A 00         PUSH 0                                   ; /ExitCode = 0
00401002  \.  E8 01000000   CALL jmp.kernel32.exitprocess         ; \ExitProcess
00401007      CC            INT3
00401008   .- FF25 00204000 JMP DWORD PTR DS:[<kernel32.ExitProcess>];  kernel32.ExitProcess


The program just exits. No more, no less.
A few years ago, the result on VT was 3/33 with suspicious virus names. Today, the result is
10/42 for this exit program.


a-squared 2010.03.25 Backdoor.Poisonivy.E!IK
AhnLab-V3 2010.03.25 -
AntiVir 2010.03.25 -
Antiy-AVL 2010.03.24 -
Authentium 2010.03.25 -
Avast 4.8.1351.0 2010.03.24 -
Avast5 5.0.332.0 2010.03.24 -
AVG 2010.03.25 BackDoor.PoisonIvy.AD
BitDefender 7.2 2010.03.25 -
CAT-QuickHeal 10.00 2010.03.25 -
ClamAV 2010.03.25 -
Comodo 4378 2010.03.25 -
DrWeb 2010.03.25 -
eSafe 2010.03.24 -
eTrust-Vet 35.2.7387 2010.03.25 -
F-Prot 2010.03.24 -
F-Secure 9.0.15370.0 2010.03.25 -
Fortinet 2010.03.24 -
GData 19 2010.03.25 -
Ikarus T3. 2010.03.25 Backdoor.Poisonivy.E
Jiangmin 13.0.900 2010.03.25 -
K7AntiVirus 7.10.1004 2010.03.22 Trojan.Win32.Xorpix
Kaspersky 2010.03.25 -
McAfee 5930 2010.03.24 -
McAfee+Artemis 5930 2010.03.24 Artemis!CD73D32FC69E
McAfee-GW-Edition 6.8.5 2010.03.25 -
Microsoft 1.5605 2010.03.25 -
NOD32 4972 2010.03.24 -
Norman 6.04.10 2010.03.24 -
nProtect 2009.1.8.0 2010.03.25 -
Panda 2010.03.24 -
PCTools 2010.03.25 -
Prevx 3.0 2010.03.25 High Risk System Back Door
Rising 2010.03.25 -
Sophos 4.52.0 2010.03.25 Mal/Generic-A
Sunbelt 6075 2010.03.25 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.03.25 Suspicious.Insight
TheHacker 2010.03.24 -
TrendMicro 2010.03.25 -
VBA32 2010.03.25 -
ViRobot 2010.3.25.2243 2010.03.25 -
VirusBuster 2010.03.24 Backdoor.Poisonivy.MM

Additional information
File size: 1536 bytes
MD5...: cd73d32fc69e10e9f4b7c736cfaf2f22
SHA1..: acfa9c1beadfd9021552fe962029d00aea25221a
SHA256: cbe4ce3d527e6d6c0d0c94e9cf5e8b064c4205e35fc31ee99bfd04dfe50c1464
ssdeep: 3:WlWUqt/vllXl+YZcFTS9gXeF+X32ZpfLj4UTqQat4ll/ml8UTXlAkQ9dlllNl/

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x46ca8aeb (Tue Aug 21 06:49:15 2007)
machinetype.......: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xe 0x200 0.16 b429b070d0408908f37618354c81acb1
.rdata 0x2000 0x54 0x200 0.62 9469b36bdb6e6a481f3d64647c84b836

( 1 imports )
> kernel32.dll: ExitProcess

( 0 exports )

RDS...: NSRL Reference Data Set
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

http://info.prevx.com/aboutprogramtext.asp?PX5=15781E43006B64C30666003B3C2E0700B79BCD14

This test was done with an unpacked binary. Using a packer increases the results: 27/42 with FSG and 25/41 with MEW. Various Trojan names were listed, such as Vundo, Trojan-Downloader, Backdoor/RBot and so on.

With packed versions, some AVs detect the file because of a heuristic routine: Trojan.Generic, Win32.Suspicious, Mal/EncPk-BA, Cryp_MEW-11.

Take care with antivirus results and learn to decode Trojan names.

PS: I've edited the post, writing the conclusion in bold. Some people misinterpret this post: this is just a fun test, not an attack against AV vendors.
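Added example (mine, not S!Ri's code or VirusTotal's): a Python script that takes the four OllyDbg lines above as constructed input, recovers the 14 bytes of .text (virsiz 0xe in the PEInfo block), pads them to the 0x200 raw size to recompute the 0.16 entropy VT reports, and follows the CALL through the jmp thunk to the IAT slot at 0x402000 inside .rdata. It assumes the default MASM32 image base of 0x400000, which the 0x401000 addresses in the listing imply.

```python
import math
import re
import struct
from collections import Counter

IMAGE_BASE = 0x400000      # assumed default MASM32 image base; entry point RVA 0x1000 per the PEInfo block
RAW_TEXT_SIZE = 0x200      # rawdsiz of .text in the PEInfo block

# Constructed input: the four OllyDbg lines quoted in the post, trailing comments trimmed.
LISTING = r"""
00401000 >/$  6A 00         PUSH 0
00401002  \.  E8 01000000   CALL jmp.kernel32.exitprocess
00401007      CC            INT3
00401008   .- FF25 00204000 JMP DWORD PTR DS:[<kernel32.ExitProcess>]
"""
HEX_TOKEN = re.compile(r"^[0-9A-F]+$")

def parse_listing(listing: str) -> bytes:
    """Recover raw opcode bytes from an OllyDbg-style listing: address, marker glyphs,
    one or more hex byte groups, then the mnemonic, which ends the hex run."""
    code = bytearray()
    for line in listing.strip().splitlines():
        tokens = line.split()[1:]                         # drop the address column
        while tokens and not HEX_TOKEN.match(tokens[0]):  # skip marker glyphs such as >/$ or .-
            tokens.pop(0)
        for tok in tokens:
            if not HEX_TOKEN.match(tok) or len(tok) % 2:
                break                                     # reached the mnemonic
            code += bytes.fromhex(tok)
    return bytes(code)

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, the figure VT shows in the 'ntrpy' column."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def text_section_entropy(code: bytes, raw_size: int = RAW_TEXT_SIZE) -> float:
    """The section is zero-padded to its raw on-disk size before entropy is measured."""
    return round(shannon_entropy(code.ljust(raw_size, b"\x00")), 2)

def resolve_flow(code: bytes, base: int = IMAGE_BASE + 0x1000) -> dict:
    """Follow the E8 CALL to its thunk and read the IAT slot the FF25 JMP goes through."""
    assert code[2] == 0xE8 and code[8:10] == b"\xff\x25"
    rel32 = struct.unpack_from("<i", code, 3)[0]
    call_target = base + 2 + 5 + rel32               # E8 is relative to the next instruction
    iat_slot = struct.unpack_from("<I", code, 10)[0]
    rdata = IMAGE_BASE + 0x2000                      # .rdata viradd 0x2000, virsiz 0x54 per PEInfo
    return {"call_target": call_target, "iat_slot": iat_slot,
            "thunk_in_text": base <= call_target < base + len(code),
            "iat_in_rdata": rdata <= iat_slot < rdata + 0x54}
```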

While I see S!Ri's post as educational (which was its intention), some antivirus companies don’t seem to perceive it like that, unfortunately. It is not always easy for antivirus services to create detections, but when you see that a harmless piece of code has been labeled PoisonIvy or High Risk Backdoor, I think it’s the perfect example of why you should always use your common sense instead of blindly relying on antivirus definitions and their associated program with default settings.

False detections sooner or later lead to mini disasters (often accompanied by a financial cost to render the computer usable again), especially for unsavvy users when critical system files get deleted.

· Norton AntiVirus software detects a new 'virus': Microsoft Windows - and disables it

· Kaspersky inadvertently quarantines Windows Explorer

Or, more recently, the faulty update for 64-bit operating systems. Not everyone is able to use the Windows Recovery option from the OS CD. Some PCs ship with a recovery partition, not a bootable CD. It's nice to set up a page with recovery instructions, but my PC just crashed and is now unbootable, remember ... at this stage there's even a 99% chance that I won't be able to tell what rendered it unusable anyway.


A couple of simple guidelines will already save you a lot of trouble.

· Keep your system up to date and tighten your browser’s security. Disable useless add-ons, or uninstall them. Get rid of those so-called helper toolbars; many have vulnerabilities, and those are exploited daily by malware writers to push malware onto your computer.

· Get your news from legitimate news websites rather than from any site popping up in your search results.

· Exercise caution on the sites you visit with your browser; hover over links so that you see where you are going next.

· Be careful with links in email and chat messages, even if they come from your friends. Ask yourself “Would they send me that?” first, and re-check with your friend on the legitimacy of the message instead of blindly following the link.

· Don’t open attachments from persons you don’t trust, and exercise caution with those from friends. Remember, they can be infected with a spambot that sends out copies to their contact list.

· If you get an email from your bank asking you to enter personal details, change a password, etc. online, double-check that the email really originated from them; give them a call if necessary, especially if you didn’t ask for a password reset or detail change. As a general rule, try not to follow links in your mail; go to the website instead. If you absolutely need to follow the link, make sure that you end up where you expected to be.

As for the anti-virus settings ... don’t allow a file to be deleted; take control of your computer. If you are in doubt, upload the file to a service like VirusTotal. Seek assistance on the forums if you have trouble grabbing the file, but don’t exclusively rely on a binary decision from a piece of code that has no common sense at all, just 0s and 1s.
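The "learn to decode Trojan names" advice in S!Ri's post and the "binary decision" point above, as an added example of mine (not code from either post): a Python triage of the ten detections from the report quoted above, constructed here as input, which separates reputation and generic verdicts (Artemis, Suspicious.Insight, Mal/Generic-A, ...) from family-named ones and measures how many of the 42 engines agree on a family. The marker list and the one-quarter consensus threshold are my assumptions.

```python
import re
from collections import Counter
from typing import Optional

# Constructed input: the ten detecting engines from the VirusTotal report quoted in the post (10/42).
VT_HITS = """
a-squared Backdoor.Poisonivy.E!IK
AVG BackDoor.PoisonIvy.AD
Ikarus Backdoor.Poisonivy.E
K7AntiVirus Trojan.Win32.Xorpix
McAfee+Artemis Artemis!CD73D32FC69E
Prevx High Risk System Back Door
Sophos Mal/Generic-A
Sunbelt Trojan.Win32.Generic!BT
Symantec Suspicious.Insight
VirusBuster Backdoor.Poisonivy.MM
"""
TOTAL_ENGINES = 42

# Words that mark a generic, heuristic or reputation verdict rather than a family signature.
# Assumption: a reasonable default list, not an authoritative vendor naming glossary.
GENERIC_MARKERS = re.compile(r"generic|suspicious|heur|artemis|high risk|^mal/", re.I)
# Type/platform prefixes that carry no family information.
TYPE_TOKENS = {"trojan", "backdoor", "win32", "w32"}

def family_of(name: str) -> Optional[str]:
    """Lowercased family token of a dotted name (Backdoor.Poisonivy.E!IK -> poisonivy)."""
    name = name.split("!")[0]                          # drop engine/cloud suffixes such as !IK or !BT
    for part in re.split(r"[./]", name.lower()):
        if len(part) > 2 and part not in TYPE_TOKENS:  # skip type words and short variant letters
            return part
    return None

def triage(report: str, total_engines: int) -> dict:
    """Separate family-named hits from generic ones and measure how many engines agree on a family."""
    families, generic = Counter(), []
    for line in report.strip().splitlines():
        engine, name = line.split(" ", 1)
        if GENERIC_MARKERS.search(name):
            generic.append(engine)
        else:
            families[family_of(name) or "unknown"] += 1
    top_votes = max(families.values(), default=0)
    return {
        "hits": len(generic) + sum(families.values()),
        "generic_hits": len(generic),
        "families": dict(families),
        "consensus": round(top_votes / total_engines, 2),   # share of all engines naming the top family
        # Assumed threshold: strong only when a quarter of all engines agree on one family.
        "verdict": "strong" if top_votes >= total_engines / 4 else "weak",
    }
```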





Juan Pablo Castro | xSP, Latin America Region

Insurgentes Sur 688 P6, 03100 Mexico City, DF, Mexico

Office: +52.55.3067.6013 | Mobile: +