FW: NEWSBANK :: Antivirus and False Positives

-------------------------------------------
From: Juan Castro (SAL-LA)
Sent: Friday, March 26, 2010 7:32:35 AM
To: Newsbank
Subject: NEWSBANK :: Antivirus and False Positives
Auto forwarded by a Rule

Source: http://stopmalvertising.com/news/antivirus-and-false-positives

 

Antivirus and False Positives

 

Written by Kimberly

Friday, 26 March 2010 08:01

Antivirus and FP Thursday, March 25, 2010 by S!Ri Source: http://siri-urz.blogspot.com/2010/03/antivirus-and-fp.html   I did a test on Virus Total Online Scanner with an inoffensive ASM code. This is the source code:   .386 .model flat, stdcall option casemap:none include \masm32\include\windows.inc include \masm32\include\kernel32.inc includelib \masm32\lib\kernel32.lib .data .code start:     Push 0         CALL ExitProcess end start   And this is what the compiled binary looks like   00401000 >/$  6A 00         PUSH 0                                   ; /ExitCode = 0 00401002  \.  E8 01000000   CALL jmp.kernel32.exitprocess         ; \ExitProcess 00401007      CC            INT3 00401008   .- FF25 00204000 JMP DWORD PTR DS:[<kernel32.ExitProcess>];  kernel32.ExitProcess   The program just exit itself. No more, no less. Few years ago, the result on VT was: 3/33 with suspicious Virus Names. Today, the result is 10/42 for this Exit Program.   a-squared 4.5.0.50 2010.03.25 Backdoor.Poisonivy.E!IK AhnLab-V3 5.0.0.2 2010.03.25 - AntiVir 7.10.5.210 2010.03.25 - Antiy-AVL 2.0.3.7 2010.03.24 - Authentium 5.2.0.5 2010.03.25 - Avast 4.8.1351.0 2010.03.24 - Avast5 5.0.332.0 2010.03.24 - AVG 9.0.0.787 2010.03.25 BackDoor.PoisonIvy.AD BitDefender 7.2 2010.03.25 - CAT-QuickHeal 10.00 2010.03.25 - ClamAV 0.96.0.0-git 2010.03.25 - Comodo 4378 2010.03.25 - DrWeb 5.0.1.12222 2010.03.25 - eSafe 7.0.17.0 2010.03.24 - eTrust-Vet 35.2.7387 2010.03.25 - F-Prot 4.5.1.85 2010.03.24 - F-Secure 9.0.15370.0 2010.03.25 - Fortinet 4.0.14.0 2010.03.24 - GData 19 2010.03.25 - Ikarus T3.1.1.80.0 2010.03.25 Backdoor.Poisonivy.E Jiangmin 13.0.900 2010.03.25 - K7AntiVirus 7.10.1004 2010.03.22 Trojan.Win32.Xorpix Kaspersky 7.0.0.125 2010.03.25 - McAfee 5930 2010.03.24 - McAfee+Artemis 5930 2010.03.24 Artemis!CD73D32FC69E McAfee-GW-Edition 6.8.5 2010.03.25 - Microsoft 1.5605 2010.03.25 - NOD32 4972 2010.03.24 - Norman 6.04.10 2010.03.24 - nProtect 2009.1.8.0 2010.03.25 - Panda 10.0.2.2 2010.03.24 - PCTools 7.0.3.5 2010.03.25 - Prevx 3.0 2010.03.25 High Risk System Back Door Rising 22.40.03.04 2010.03.25 - Sophos 4.52.0 2010.03.25 Mal/Generic-A Sunbelt 6075 2010.03.25 Trojan.Win32.Generic!BT Symantec 20091.2.0.41 2010.03.25 Suspicious.Insight TheHacker 6.5.2.0.242 2010.03.24 - TrendMicro 9.120.0.1004 2010.03.25 - VBA32 3.12.12.2 2010.03.25 - ViRobot 2010.3.25.2243 2010.03.25 - VirusBuster 5.0.27.0 2010.03.24 Backdoor.Poisonivy.MM Information additionnelle File size: 1536 bytes MD5...: cd73d32fc69e10e9f4b7c736cfaf2f22 SHA1..: acfa9c1beadfd9021552fe962029d00aea25221a SHA256: cbe4ce3d527e6d6c0d0c94e9cf5e8b064c4205e35fc31ee99bfd04dfe50c1464 ssdeep: 3:WlWUqt/vllXl+YZcFTS9gXeF+X32ZpfLj4UTqQat4ll/ml8UTXlAkQ9dlllNl/ /w:idq2Vg3F+X32Tj4HYlOFiHUEEu2OuB PEiD..: - PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x1000 timedatestamp.....: 0x46ca8aeb (Tue Aug 21 06:49:15 2007) machinetype.......: 0x14c (I386) ( 2 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0xe 0x200 0.16 b429b070d0408908f37618354c81acb1 .rdata 0x2000 0x54 0x200 0.62 9469b36bdb6e6a481f3d64647c84b836 ( 1 imports ) > kernel32.dll: ExitProcess ( 0 exports ) RDS...: NSRL Reference Data Set - pdfid.: - trid..: Win32 Executable Generic (42.3%) Win32 Dynamic Link Library (generic) (37.6%) Generic Win/DOS Executable (9.9%) DOS Executable Generic (9.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) sigcheck: publisher....: n/a copyright....: n/a product......: n/a description..: n/a original name: n/a internal name: n/a file version.: n/a comments.....: n/a signers......: - signing date.: - verified.....: Unsigned <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=15781E43006B64C30666003B3C2E0700B79BCD14' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=15781E43006B64C30666003B3C2E0700B79BCD14</a> This test was done with an unpacked binary. Using a packer increase the results: 27/42 with FSG and 25/41 with MEW. Various Trojan names were listed such as: Vundo, Trojan-Downloader, Backdoor/RBot and so on. With packed versions, some AV are detecting the file because of an heuristic routine: Trojan.Generic, Win32.Suspicious, Mal/EncPk-BA, Cryp_MEW-11. Take care with Antivirus Results and learn to decode Trojan Names. PS: I've edited the post, writing the conclusion in bold. Some people misinterpret this post: this is just a fun test, not a attack against AV vendors. While I see S!Ri's post as educational (which was its intention), some antivirus companies don’t seem to perceive it like that unfortunately. It is not always easy for antivirus services to create detections but when you see that a harmless piece of code has been labeled PoisonIvy or High Risk Backdoor, I think it’s the perfect example of why you should always use your common sense instead of blindly relaying on antivirus definitions and their associated program with default settings. False detections sooner or later lead to mini disasters (often accompanied by a financial cost to render the computer usable again) especially for unsavy users when critical system files get deleted. ·         Norton AntiVirus software detects a new 'virus': Microsoft Windows - and disables it ·         Kaspersky inadvertently quarantines Windows Explorer Or more recently the Faulty Update for 64 bit Operating Systems. Not everyone is able to use the Windows Recovery option from the OS CD. Some ship with a recovery partition, not a bootable CD. Its nice to set up a page with recovery instructions but my PC just crashed and is now unbootable remember ... at this stage there's even 99% of chance that I wont be able to tell what did render it unsuable anyway.   A couple simple guidelines will save you already a lot of trouble. ·         Keep your system up to date and tighten your browser’s security. Disable useless Add-Ons, uninstall them. Get rid of those so called helper toolbars, many have vulnerabilities and those are exploited daily by malware writers to push malware on your computer. ·         Get your news from legitimate news websites rather than from any site popping up in your search results. ·         Exercise caution on the sites visited using your browser, hover over the links so that you see where you are going next. ·         Be careful with links in email and chat messages even if they come from your friends, ask yourself the question “Would they send that me” first, re-check with your friend on the legitimacy of the message instead of blindly following the link. ·         Don’t open attachments from persons you don’t trust and exercise caution with those from friends. Remember, they can be infected with a spambot and thus send out copies to the contact list. ·         If you get an email from your bank asking you to enter personal details, change a password etc … online, double check that the email really originated from them, give them a call eventually especially if you didn’t ask for a password reset or detail change. As a general rule try not to follow links in your mail, go to the website instead. If you absolutely need to follow the link, make sure that you will end up where you expected to be. As for the anti-virus settings … don’t allow a file to be deleted, take control of your computer. If you are in doubt, upload the file to a service like virustotal. Seek assistance on the forums if you have trouble grabbing the file but don’t exclusively relay on a binary decision, on a piece of code that has no common sense at all, just 0 and 1‘s.

 

 

Juan Pablo Castro | xSP, Latin America Region Insurgentes Sur 688 P6, 03100 Mexico City, DF, Mexico Office: +52.55.3067.6013 | Mobile: +52.1.55.1451.3437