Thursday, March 25, 2010

Antivirus and FP

I did a test on Virus Total Online Scanner with an inoffensive piece of ASM code.

This is the source code:


.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
.data
.code
start:
    push 0              ; uExitCode = 0
    call ExitProcess    ; terminate the process immediately
end start


And this is what the compiled binary looks like in the debugger:


00401000 >/$  6A 00         PUSH 0                                   ; /ExitCode = 0
00401002  \.  E8 01000000   CALL jmp.kernel32.exitprocess         ; \ExitProcess
00401007      CC            INT3
00401008   .- FF25 00204000 JMP DWORD PTR DS:[<kernel32.ExitProcess>];  kernel32.ExitProcess


The program just exits. No more, no less.
A few years ago, the result on VT was 3/33, with suspicious virus names. Today, the result for this exit program is 10/42.

Engine Version Updated Result ("-" = not detected)
a-squared 4.5.0.50 2010.03.25 Backdoor.Poisonivy.E!IK
AhnLab-V3 5.0.0.2 2010.03.25 -
AntiVir 7.10.5.210 2010.03.25 -
Antiy-AVL 2.0.3.7 2010.03.24 -
Authentium 5.2.0.5 2010.03.25 -
Avast 4.8.1351.0 2010.03.24 -
Avast5 5.0.332.0 2010.03.24 -
AVG 9.0.0.787 2010.03.25 BackDoor.PoisonIvy.AD
BitDefender 7.2 2010.03.25 -
CAT-QuickHeal 10.00 2010.03.25 -
ClamAV 0.96.0.0-git 2010.03.25 -
Comodo 4378 2010.03.25 -
DrWeb 5.0.1.12222 2010.03.25 -
eSafe 7.0.17.0 2010.03.24 -
eTrust-Vet 35.2.7387 2010.03.25 -
F-Prot 4.5.1.85 2010.03.24 -
F-Secure 9.0.15370.0 2010.03.25 -
Fortinet 4.0.14.0 2010.03.24 -
GData 19 2010.03.25 -
Ikarus T3.1.1.80.0 2010.03.25 Backdoor.Poisonivy.E
Jiangmin 13.0.900 2010.03.25 -
K7AntiVirus 7.10.1004 2010.03.22 Trojan.Win32.Xorpix
Kaspersky 7.0.0.125 2010.03.25 -
McAfee 5930 2010.03.24 -
McAfee+Artemis 5930 2010.03.24 Artemis!CD73D32FC69E
McAfee-GW-Edition 6.8.5 2010.03.25 -
Microsoft 1.5605 2010.03.25 -
NOD32 4972 2010.03.24 -
Norman 6.04.10 2010.03.24 -
nProtect 2009.1.8.0 2010.03.25 -
Panda 10.0.2.2 2010.03.24 -
PCTools 7.0.3.5 2010.03.25 -
Prevx 3.0 2010.03.25 High Risk System Back Door
Rising 22.40.03.04 2010.03.25 -
Sophos 4.52.0 2010.03.25 Mal/Generic-A
Sunbelt 6075 2010.03.25 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.03.25 Suspicious.Insight
TheHacker 6.5.2.0.242 2010.03.24 -
TrendMicro 9.120.0.1004 2010.03.25 -
VBA32 3.12.12.2 2010.03.25 -
ViRobot 2010.3.25.2243 2010.03.25 -
VirusBuster 5.0.27.0 2010.03.24 Backdoor.Poisonivy.MM

Additional information
File size: 1536 bytes
MD5...: cd73d32fc69e10e9f4b7c736cfaf2f22
SHA1..: acfa9c1beadfd9021552fe962029d00aea25221a
SHA256: cbe4ce3d527e6d6c0d0c94e9cf5e8b064c4205e35fc31ee99bfd04dfe50c1464
ssdeep: 3:WlWUqt/vllXl+YZcFTS9gXeF+X32ZpfLj4UTqQat4ll/ml8UTXlAkQ9dlllNl//w:idq2Vg3F+X32Tj4HYlOFiHUEEu2OuB

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x46ca8aeb (Tue Aug 21 06:49:15 2007)
machinetype.......: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xe 0x200 0.16 b429b070d0408908f37618354c81acb1
.rdata 0x2000 0x54 0x200 0.62 9469b36bdb6e6a481f3d64647c84b836

( 1 imports )
> kernel32.dll: ExitProcess

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Prevx report for this file: http://info.prevx.com/aboutprogramtext.asp?PX5=15781E43006B64C30666003B3C2E0700B79BCD14


This test was done with an unpacked binary. Using a packer increases the detection count: 27/42 with FSG and 25/41 with MEW. Various Trojan names were listed, such as Vundo, Trojan-Downloader, Backdoor/RBot and so on.
With the packed versions, some AVs detect the file because of a heuristic routine, which shows in names such as Trojan.Generic, Win32.Suspicious, Mal/EncPk-BA and Cryp_MEW-11.

Take care with Antivirus Results and learn to decode Trojan Names.
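As an added example (not part of the original post), here is a small Python script that parses a constructed subset of the VirusTotal rows quoted above and sorts each verdict into a named family, a heuristic/generic hit or a hash-reputation hit, so that the raw 10/42 count can be weighed by what the names actually say. The marker keyword list is my own assumption; the Artemis check relies on McAfee Artemis names carrying the first 12 hex digits of the file's MD5, which the report above shows (Artemis!CD73D32FC69E versus MD5 cd73d32fc69e...).

```python
import re
from collections import Counter

# Constructed subset of the VT rows quoted in the post ("-" = not detected).
VT_ROWS = """\
a-squared 4.5.0.50 2010.03.25 Backdoor.Poisonivy.E!IK
AVG 9.0.0.787 2010.03.25 BackDoor.PoisonIvy.AD
McAfee+Artemis 5930 2010.03.24 Artemis!CD73D32FC69E
Prevx 3.0 2010.03.25 High Risk System Back Door
Sophos 4.52.0 2010.03.25 Mal/Generic-A
Sunbelt 6075 2010.03.25 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.03.25 Suspicious.Insight
TrendMicro 9.120.0.1004 2010.03.25 -
"""
MD5 = "cd73d32fc69e10e9f4b7c736cfaf2f22"  # MD5 from the post's report
# Fragments that mark heuristic, generic or reputation verdicts (assumed list)
GENERIC_MARKERS = ("generic", "suspicious", "heur", "mal/", "high risk")
# vendor and version are single tokens; the verdict may contain spaces
ROW_RE = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")

def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # skip report lines that are not engine rows
            rows.append({"vendor": m[1], "version": m[2],
                         "updated": m[3], "verdict": m[4].strip()})
    return rows

def classify(verdict, md5):
    v = verdict.lower()
    if v == "-":
        return "clean"
    # Artemis!<12 hex> is McAfee's cloud hash-reputation name: it carries the
    # MD5 prefix of the file, not a signature for a known family.
    if v.startswith("artemis!") and md5.lower().startswith(v.split("!", 1)[1]):
        return "hash-reputation"
    if any(k in v for k in GENERIC_MARKERS):
        return "heuristic/generic"
    return "named-family"

def family(verdict):
    parts = re.split(r"[./]", verdict)  # "Type.Family.Variant" -> Family
    return (parts[1] if len(parts) > 1 else parts[0]).lower()

def summarize(text=VT_ROWS, md5=MD5):
    rows = parse_rows(text)
    kinds = Counter(classify(r["verdict"], md5) for r in rows)
    fams = Counter(family(r["verdict"]) for r in rows
                   if classify(r["verdict"], md5) == "named-family")
    return {"total": len(rows), "detected": len(rows) - kinds["clean"],
            "kinds": dict(kinds), "families": dict(fams)}
```

On this subset the two Poisonivy names collapse into one family, and the remaining hits are generic or reputation-based, which is a much weaker signal than the bare "7 of 8" count suggests.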

PS: I've edited the post, writing the conclusion in bold. Some people misinterpret this post: this is just a fun test, not an attack against AV vendors.