2008 04 28 02 11 About antivirus software ...


Did a little experiment today:
I submitted Adobe.CS3.Design.Premium.Keymaker.exe to virustotal
to check whether it is malware,
since there is far too much malicious software around these days.
But I noticed a curious phenomenon.
The original exe was packed with upx,
and on scanning, 4 antivirus engines considered it suspicious.
But when I unpacked it by hand with upx
and submitted it to virustotal again,
only 2 antivirus engines still considered it suspicious;
the other 2 apparently treat anything that has been packed as suspect.
That is a bit irresponsible.
Granted, they do tell the user it is merely "suspicious",
but this kind of "shooting as soon as you see a shadow" is really not acceptable.
At the very bottom is also the result of scanning calc.exe,
which I packed by hand with upx, on virustotal.


Result for the original, upx-packed file: (URL)
File Adobe.CS3.Design.Premium.Keymaker received on 04.04.2008 21:19:24 (CET)
Antivirus            Version        Last Update   Result
AhnLab-V3            2008.4.4.1     2008.04.04    -
AntiVir              7.6.0.81       2008.04.04    -
Authentium           4.93.8         2008.04.04    -
Avast                4.7.1098.0     2008.04.04    -
AVG                  7.5.0.516      2008.04.04    -
BitDefender          7.2            2008.04.04    -
CAT-QuickHeal        9.50           2008.04.04    -
ClamAV               0.92.1         2008.04.04    -
DrWeb                4.44.0.09170   2008.04.04    -
eSafe                7.0.15.0       2008.04.01    suspicious Trojan/Worm
eTrust-Vet           31.3.5670      2008.04.04    -
Ewido                4.0            2008.04.04    -
F-Prot               4.4.2.54       2008.04.04    -
F-Secure             6.70.13260.0   2008.04.04    -
FileAdvisor          1              2008.04.04    -
Fortinet             3.14.0.0       2008.04.04    -
Ikarus               T3.1.1.20      2008.04.04    Virus.Win32.Agent.HGE
Kaspersky            7.0.0.125      2008.04.04    -
McAfee               5267           2008.04.04    -
Microsoft            1.3408         2008.04.03    -
NOD32v2              3003           2008.04.04    -
Norman               5.80.02        2008.04.04    -
Panda                9.0.0.4        2008.04.04    Suspicious file
Prevx1               V2             2008.04.04    Heuristic: Suspicious File With Bad Parent Associations
Rising               20.38.60.00    2008.04.03    -
Sophos               4.28.0         2008.04.04    -
Sunbelt              3.0.978.0      2008.03.18    -
Symantec             10             2008.04.04    -
TheHacker            6.2.92.264     2008.04.04    -
VBA32                3.12.6.3       2008.03.25    -
VirusBuster          4.3.26:9       2008.04.04    -
Webwasher-Gateway    6.6.2          2008.04.04    -
 
Additional information
File size: 53760 bytes
MD5...: 70ed6977a0168942088de94e34ac18c0
SHA1..: 7002fbf99489ff806986784aa410c273f7fc1c38
SHA256: 50ae3f16da04f28c63b12af7d9f37caf063fa5edeed6c502769ceecfccf96ae2
SHA512: 71949d2e1dfbce24d88226495c38a390abdcd40283581d9e5be7484ebe215e54
8b4d063bcc850f46af0eabff45004ed09b3b04487585d75c8d1ec442c69eceb0
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x41d010
timedatestamp.....: 0x4634533c (Sun Apr 29 08:11:40 2007)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x10000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x11000 0xd000 0xc200 7.92 2e364eaa8348c36cc9cf9bd028157fb8
.rsrc 0x1e000 0x1000 0xc00 3.67 7499c969e57354c1b937399eabcf85ad

( 5 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
> COMCTL32.dll: -
> MFC42.DLL: -
> MSVCRT.dll: exit
> USER32.dll: IsIconic

( 0 exports )
packers: UPX
packers: UPX
packers: UPX
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=576A6ED8008ADBA9D23F0090607C9C005E0D32BE
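The section table above is what a "packed = suspicious" heuristic actually sees: UPX0 has a virtual size of 0x10000 but no raw data (the unpack target), UPX1 scores 7.92 bits of entropy per byte (the compressed payload), and the import table has shrunk to LoadLibraryA/GetProcAddress/ExitProcess. The script below is an added example, not code from the original post and not the logic of any scanner listed. It constructs two small PE32 images in memory, one with the UPX0/UPX1/.rsrc layout of the packed file and one with the .text/.rdata/.data/.rsrc layout of the unpacked file, parses their section tables, computes per-section Shannon entropy and reports the indicators. The 7.0 entropy threshold, the random seed, and the random bytes standing in for the LZMA stream are assumptions; no real UPX output is used. (The PEiD line "Armadillo v1.71" on the unpacked file further down is a commonly reported false match for ordinary Visual C++ / MFC executables; the conventional section layout with .text at 6.26 bits is the better evidence that the file is no longer packed.)

```python
"""Section-level packer heuristics of the kind the scans above appear to apply.

Added example (not code from the original post or from any scanner listed).
Two small PE32 images are constructed in memory: a UPX-style layout and a
plain MSVC-style layout.  Their section tables are parsed, per-section
Shannon entropy is computed, and the indicators a "packed = suspicious"
heuristic keys on are reported.
"""
import math
import random
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # assumed cut-off: UPX1 above scored 7.92, .text 6.26
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_pe(sections):
    """Build a minimal PE32 image from (name, virtual_size, raw_bytes) tuples:
    DOS stub, PE signature, COFF header, zero-filled optional header, section
    headers, then each section's raw data at a 512-byte aligned file offset."""
    opt_size = 224                                       # PE32 optional header
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_end + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)
    va, headers, blobs = 0x1000, [], []
    for name, vsize, raw in sections:
        rsize = ((len(raw) + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)) if raw else 0
        headers.append(struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va,
                                   rsize, raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020))
        blobs.append((raw_ptr, raw.ljust(rsize, b"\0")))
        raw_ptr += rsize
        va += (vsize + SECT_ALIGN - 1) & ~(SECT_ALIGN - 1)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    image = bytearray(dos + b"PE\0\0" + coff + b"\0" * opt_size + b"".join(headers))
    for ptr, blob in blobs:
        image += b"\0" * (ptr - len(image)) + blob
    return bytes(image)


def parse_sections(image: bytes):
    """Walk a PE section table; return (name, virtual_size, raw_size, entropy)."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe_off + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]   # SizeOfOptionalHeader
    table = pe_off + 4 + 20 + opt_size
    result = []
    for i in range(nsec):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        raw = image[rptr:rptr + rsize] if rsize else b""
        result.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, shannon_entropy(raw)))
    return result


def packer_indicators(image: bytes):
    """Reasons a section-level heuristic would call this image packed (empty if none)."""
    secs = parse_sections(image)
    reasons = []
    upx_names = [s[0] for s in secs if s[0].upper().startswith("UPX")]
    if upx_names:
        reasons.append("packer section names: %s" % ", ".join(upx_names))
    name0, vsize0, rsize0, _ = secs[0]
    if vsize0 and not rsize0:
        reasons.append("first section %s: virtual size 0x%x, no raw data (unpack target)" % (name0, vsize0))
    for name, _v, rsize, ent in secs:
        if rsize and ent > ENTROPY_THRESHOLD:
            reasons.append("section %s: entropy %.2f > %.1f (compressed/encrypted payload)" % (name, ent, ENTROPY_THRESHOLD))
    return reasons


# Constructed inputs (not real binaries): random bytes stand in for the LZMA stream.
_rng = random.Random(2008)
COMPRESSED = bytes(_rng.getrandbits(8) for _ in range(0xC000))
PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\x33\xc9\x3b\xc1\x74\x05\xc9\xc3" * 800
RESOURCE = b"VS_VERSION_INFO\0\0\0FileVersion\0" * 80

UPX_SAMPLE = build_pe([("UPX0", 0x10000, b""), ("UPX1", 0xD000, COMPRESSED), (".rsrc", 0x1000, RESOURCE)])
PLAIN_SAMPLE = build_pe([(".text", 0x11642, PLAIN_CODE), (".rdata", 0xA3A, b"KERNEL32.DLL\0GetStartupInfoA\0" * 60),
                         (".data", 0x1C24, b"\0" * 0x1800), (".rsrc", 0x59C0, RESOURCE)])

if __name__ == "__main__":
    for label, img in (("upx-style", UPX_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label)
        for name, vsize, rsize, ent in parse_sections(img):
            print("  %-6s virsiz 0x%-6x rawdsiz 0x%-6x ntrpy %.2f" % (name, vsize, rsize, ent))
        print("  indicators:", packer_indicators(img) or "none")
```

Run it and the UPX-style image trips all three indicators while the plain layout trips none, which is the whole difference between the two scans: the engines that dropped their verdict after unpacking were scoring the container, not the program inside it. Note also that packing changes every hash (compare the MD5/SHA values of the two reports), so a hash-based allow- or block-list that knows one form does not recognise the other.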


Result after unpacking by hand with upx: (URL)
File Adobe.CS3.Design.Premium.Keymaker received on 04.04.2008 21:27:16 (CET)
Antivirus            Version        Last Update   Result
AhnLab-V3            2008.4.4.1     2008.04.04    -
AntiVir              7.6.0.81       2008.04.04    -
Authentium           4.93.8         2008.04.04    -
Avast                4.7.1098.0     2008.04.04    -
AVG                  7.5.0.516      2008.04.04    -
BitDefender          7.2            2008.04.04    -
CAT-QuickHeal        9.50           2008.04.04    -
ClamAV               0.92.1         2008.04.04    -
DrWeb                4.44.0.09170   2008.04.04    -
eSafe                7.0.15.0       2008.04.01    -
eTrust-Vet           31.3.5670      2008.04.04    -
Ewido                4.0            2008.04.04    -
F-Prot               4.4.2.54       2008.04.04    -
F-Secure             6.70.13260.0   2008.04.04    -
FileAdvisor          1              2008.04.04    -
Fortinet             3.14.0.0       2008.04.04    -
Ikarus               T3.1.1.20      2008.04.04    Virus.Win32.Agent.HGE
Kaspersky            7.0.0.125      2008.04.04    -
McAfee               5267           2008.04.04    -
Microsoft            1.3408         2008.04.03    -
NOD32v2              3003           2008.04.04    -
Norman               5.80.02        2008.04.04    -
Panda                9.0.0.4        2008.04.04    -
Prevx1               V2             2008.04.04    Heuristic: Suspicious Self Modifying File
Rising               20.38.60.00    2008.04.03    -
Sophos               4.28.0         2008.04.04    -
Sunbelt              3.0.978.0      2008.03.18    -
Symantec             10             2008.04.04    -
TheHacker            6.2.92.264     2008.04.04    -
VBA32                3.12.6.3       2008.03.25    -
VirusBuster          4.3.26:9       2008.04.04    -
Webwasher-Gateway    6.6.2          2008.04.04    -
 
Additional information
File size: 114688 bytes
MD5...: 8f034f3d7e0c9d6cf018f15b60fbf775
SHA1..: 35c43bd25b1e3817476d6451993b1f50b73e5e07
SHA256: d20a37f278eb261fd621112277c8c0995dd9d10e5b42ec53452d9a93d65b75dd
SHA512: 787d6b7dfb4e595e58f31757fd3d5a4937ed0eef6ddfa07e8afbae93917f9d21
ed34fd39ea6a138df467e22ac5a88ce6a5f534fb4cc4c599d19d6e710435859c
PEiD..: Armadillo v1.71
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40a731
timedatestamp.....: 0x4634533c (Sun Apr 29 08:11:40 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x11642 0x12000 6.26 099ef1c169bfc95aa0ccbce236b81a24
.rdata 0x13000 0xa3a 0x1000 2.89 4dc51432fe97adc0e80608ab3da21445
.data 0x14000 0x1c24 0x2000 3.52 f331bf8bbf06aeb84207da6def4829da
.rsrc 0x16000 0x59c0 0x6000 6.67 d545dca8f1e734b51c547d61747176bf

( 5 imports )
> KERNEL32.DLL: GetStartupInfoA, GetModuleHandleA, lstrcatA
> COMCTL32.dll: -
> MFC42.DLL: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> MSVCRT.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, _onexit, __dllonexit, rand, __2@YAPAXI@Z, free, time, fgetc, calloc, _iob, fputc, _setmbcp, _strrev, __CxxFrameHandler, srand, __3@YAXPAX@Z
> USER32.dll: EnableWindow, wsprintfA, IsIconic, GetSystemMetrics, GetClientRect, DrawIcon, SendMessageA, LoadIconA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=01D2235F00E5B056C029019F697BD2003E522478

calc.exe packed by hand with upx: (URL)
File calc.exe received on 04.04.2008 21:49:17 (CET)
Antivirus            Version        Last Update   Result
AhnLab-V3            2008.4.4.1     2008.04.04    -
AntiVir              7.6.0.81       2008.04.04    -
Authentium           4.93.8         2008.04.04    -
Avast                4.7.1098.0     2008.04.04    -
AVG                  7.5.0.516      2008.04.04    -
BitDefender          7.2            2008.04.04    -
CAT-QuickHeal        9.50           2008.04.04    -
ClamAV               0.92.1         2008.04.04    -
DrWeb                4.44.0.09170   2008.04.04    -
eSafe                7.0.15.0       2008.04.01    suspicious Trojan/Worm
eTrust-Vet           31.3.5670      2008.04.04    -
Ewido                4.0            2008.04.04    -
F-Prot               4.4.2.54       2008.04.04    -
F-Secure             6.70.13260.0   2008.04.04    -
FileAdvisor          1              2008.04.04    -
Fortinet             3.14.0.0       2008.04.04    -
Ikarus               T3.1.1.20.0    2008.04.04    Win32.Suspect.Infection.150035
Kaspersky            7.0.0.125      2008.04.04    -
McAfee               5267           2008.04.04    -
Microsoft            1.3408         2008.04.03    -
NOD32v2              3003           2008.04.04    -
Norman               5.80.02        2008.04.04    -
Panda                9.0.0.4        2008.04.04    -
Prevx1               V2             2008.04.04    -
Rising               20.38.60.00    2008.04.03    -
Sophos               4.28.0         2008.04.04    -
Sunbelt              3.0.978.0      2008.03.18    -
Symantec             10             2008.04.04    -
TheHacker            6.2.92.264     2008.04.04    -
VBA32                3.12.6.3       2008.03.25    -
VirusBuster          4.3.26:9       2008.04.04    -
Webwasher-Gateway    6.6.2          2008.04.04    Win32.Malware.gen#UPX (suspicious)
 
Additional information
File size: 56320 bytes
MD5...: ec17e54286bb23e838fc58314329bb11
SHA1..: ee23a5adacf7ea90812a94c37e187aaeb6aeed02
SHA256: 2ded6371376eaedc3a3d8616e2cbc46a9bceda064b03ebfdac0c4e13fdcc8e95
SHA512: a891fc39504d77e4189acc349dbc0836e8983de96702a8de08593da7f84d22c3
4f0934a1e96faed25239330fd926075381ff65a4bc252e2d22297f5bd687590a
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1020c50
timedatestamp.....: 0x3b7d8410 (Fri Aug 17 20:52:32 2001)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x19000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x1a000 0x7000 0x6e00 7.88 1c1b54aedf5d8c3bfc7381cdb4c96e25
.rsrc 0x21000 0x7000 0x6a00 5.34 f92764f85afab75ceca11b185661696b

( 6 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegCloseKey
> GDI32.dll: SetBkMode
> msvcrt.dll: exit
> SHELL32.dll: ShellAboutW
> USER32.dll: GetMenu

( 0 exports )
packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX
packers (Authentium): UPX