Virus detection - vector vs. payload

Published: 2007-05-30. Last Updated: 2007-05-30 10:04:41 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
In a previous diary, we've written about the surprising prevalence of those exploit "iframes" which in the end download a file called "funny.php" off a server in Russia, Panama or Ukraine, etc. "funny.php" is an EXE sailing in disguise, and usually a
password stealing spyware of the "Bancos" family. The file changes frequently and cleverly enough to keep the majority of anti virus products perpetually in the dark. The only two things that tend to "save the day" if a user happens across one
of these IFRAMEs is that firstly, the vulnerabilities exploited are pretty old (and patched). Secondly, the anti-virus detection for the exploit iframe (the infection "vector") is significantly better than detection for the spyware (the "payload").

Some anti virus products apparently trigger on the "obfuscation" of the exploit, (it is encoded Javascript), risking a higher false positive rate by doing so, but also making it less likely that a tiny change in the exploit code renders the signature useless. Others apparently trigger on the exploit itself. The obfuscation and exploits used have been pretty much the same for the past three months, so one would reasonably expect anti virus coverage to be well in place.

When today a user of mine "found" another one of these funny.phps, I decided to pass both the vector and payload files through Virustotal to see who was up to snuff:

Virustotal results for the obfuscated exploit file ("forum.php")

Virustotal results for the payload ("funny.php")

The results speak for themselves, with quite a few prominent vendors competing for the coveted "Sees No Virus" award :). I'm constantly amazed at how anti-virus ever could grow into a multi-billion dollar industry.
Keywords:
0 comment(s)

Comments


Diary Archives