#58, 06-30-2010, 21:07, posted by redbull
They are all rubbish. I wrote a very simple heuristics goat file which is part of my test suite.

This goat file performs the following operations:
1. GOAT Stub: Seek Kernel32.dll in memory
2. GOAT Stub: Locate GetProcAddress()
3. GOAT Stub: Use GetProcAddress to get the address of GlobalAlloc()
4. GOAT Stub: Allocate a buffer using GlobalAlloc() and copy the decryptor and the rest of the goat file to the new location
5. Jmp to the new buffer
6. GOAT Encrypted Body: Execute the decryptor (simple xor byte ptr[] routine to allow AV x-raying)
7. GOAT Encrypted Body: Load all APIs from a structure into a structure (copied from a real virus) using GetProcAddress()
8. GOAT Encrypted Body: Fetch all system paths (e.g. system32, windows, mydocs etc.)
9. GOAT Encrypted Body: Find all "*.exe" in the current folder
10. GOAT Encrypted Body: no payload... just beeps each time a file is found.
11. GOAT Encrypted Body: return control to the parent process.
12. GOAT Encrypted Body: Embedded in the code are funny strings like "*.com", "*.scr", "*.dll" and suspicious API names (MapViewOfFile etc.)

Ok so my first generation goat file (which only XORs with a zero key) [i.e. no decryption] is flagged as funny by a few AV vendors (about 45% of virustotal.com).

My second generation goat file, which XORs with a static byte of 0xCD, shows f*ck all warnings in all AVs EXCEPT VBA.

I am very disappointed with the trace scanning capabilities of current AV products, as my code is suspicious and performing naughty things.

I have not tested the runtime behavior analysis of Sophos and Symantec. However, runtime analysis by AVIRA and AVG failed on its a$$.

All AV products suck with heuristics and unknown virus emulation
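The post's result (a zero-key body gets flagged, a 0xCD-key body does not) is what you would expect from scanners that only pattern-match the file on disk. What the poster calls x-raying is the cheap extra step a scanner can take against a single-byte static XOR: either brute-force all 256 keys and look for known strings, or just read the immediate out of the decryptor's xor instruction. The following is an added example, not the poster's goat file or any AV vendor's code. The "goat body" is constructed (filler bytes plus the wildcard strings and API names the post lists), and the stub is a handful of hand-assembled x86 bytes whose only purpose is to expose the key the way a real xor byte ptr [reg], imm8 loop would.

```python
"""Single-byte XOR "x-ray" scan against a constructed goat-style file.

Added example, not code from the original post. Everything here is constructed:
the body, the suspicious strings, and the fake decryptor stub.
"""
from __future__ import annotations

# Strings of the kind the post says are embedded in the encrypted body.
SUSPICIOUS = [b"*.exe", b"*.com", b"*.scr", b"*.dll", b"MapViewOfFile", b"GetProcAddress"]

# x86 encoding of "xor byte ptr [edi], imm8": opcode 80 /6, ModRM 0x37 (mod=00, reg=110, rm=111).
XOR_BYTE_PTR_EDI = b"\x80\x37"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply one static byte key; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def build_goat_body() -> bytes:
    """Constructed stand-in for the plaintext body: strings separated by printable filler."""
    filler = bytes(range(0x20, 0x7E))  # deterministic filler, no randomness needed
    parts = []
    for s in SUSPICIOUS:
        parts.append(filler[: len(s) * 2])
        parts.append(s + b"\x00")
    return b"".join(parts)


def make_goat(key: int) -> bytes:
    """Plaintext stub (key visible in the xor instruction) followed by the xor'ed body.

    Stub bytes are illustrative only: mov edi,esi / xor byte ptr [edi],key / inc edi / loop.
    """
    stub = b"\x8b\xfe" + XOR_BYTE_PTR_EDI + bytes([key]) + b"\x47\xe2\xfa"
    return stub + xor_bytes(build_goat_body(), key)


def signature_scan(sample: bytes) -> list[bytes]:
    """What a scanner that only pattern-matches the raw file sees."""
    return [s for s in SUSPICIOUS if s in sample]


def xray_scan(sample: bytes, min_hits: int = 2) -> tuple[int, list[bytes]] | None:
    """Brute-force all 256 single-byte keys; report the first key that reveals
    at least min_hits known strings. 256 xor passes is cheap enough to do on
    every file, which is why a static single-byte key buys a virus nothing
    against a scanner that bothers."""
    for key in range(256):
        hits = signature_scan(xor_bytes(sample, key))
        if len(hits) >= min_hits:
            return key, hits
    return None


def key_from_stub(sample: bytes) -> int | None:
    """Cheapest possible 'emulation': read the immediate of the xor byte ptr [edi], imm8
    in the plaintext stub instead of guessing it."""
    i = sample.find(XOR_BYTE_PTR_EDI)
    if i < 0 or i + 2 >= len(sample):
        return None
    return sample[i + 2]


if __name__ == "__main__":
    for key in (0x00, 0xCD):
        goat = make_goat(key)
        print(f"key 0x{key:02X}: plain signature hits = {signature_scan(goat)}")
        print(f"key 0x{key:02X}: x-ray result        = {xray_scan(goat)}")
        print(f"key 0x{key:02X}: key read from stub  = {key_from_stub(goat)}")
```

Run stand-alone, the zero-key sample lights up under the plain scan while the 0xCD sample shows nothing, which matches the post's virustotal split; both samples are fully recovered by either the brute-force x-ray or by reading the key straight out of the stub.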