
Attack bypasses EVERY Windows security

Name: Anonymous 2010-06-05 5:21

http://www.stormfront.org/forum/t708332/

New attack bypasses EVERY Windows security product

Security researchers at Matousec.com have come up with an ingenious attack that can bypass every Windows security product tested and allow malicious code to make its way to your system.

Yes, you read that right - every Windows security product tested. And the list is both huge and sobering:

* 3D EQSecure Professional Edition 4.2
* avast! Internet Security 5.0.462
* AVG Internet Security 9.0.791
* Avira Premium Security Suite 10.0.0.536
* BitDefender Total Security 2010 13.0.20.347
* Blink Professional 4.6.1
* CA Internet Security Suite Plus 2010 6.0.0.272
* Comodo Internet Security Free 4.0.138377.779
* DefenseWall Personal Firewall 3.00
* Dr.Web Security Space Pro 6.0.0.03100
* ESET Smart Security 4.2.35.3
* F-Secure Internet Security 2010 10.00 build 246
* G DATA TotalCare 2010
* Kaspersky Internet Security 2010 9.0.0.736
* KingSoft Personal Firewall 9 Plus 2009.05.07.70
* Malware Defender 2.6.0
* McAfee Total Protection 2010 10.0.580
* Norman Security Suite PRO 8.0
* Norton Internet Security 2010 17.5.0.127
* Online Armor Premium 4.0.0.35
* Online Solutions Security Suite 1.5.14905.0
* Outpost Security Suite Pro 6.7.3.3063.452.0726
* Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION
* Panda Internet Security 2010 15.01.00
* PC Tools Firewall Plus 6.0.0.88
* PrivateFirewall 7.0.20.37
* Security Shield 2010 13.0.16.313
* Sophos Endpoint Security and Control 9.0.5
* ThreatFire 4.7.0.17
* Trend Micro Internet Security Pro 2010 17.50.1647.0000
* Vba32 Personal 3.12.12.4
* VIPRE Antivirus Premium 4.0.3272
* VirusBuster Internet Security Suite 3.2
* Webroot Internet Security Essentials 6.1.0.145
* ZoneAlarm Extreme Security 9.1.507.000
* probably other versions of above mentioned software
* possibly many other software products that use kernel hooks to implement security features

[...] More at link

Name: Anonymous 2010-06-05 5:23

>>1
that's a pretty short list. and MSE isn't even on it.

Name: Anonymous 2010-06-05 5:51

These things are easy to make. "Security software" is usually signature or heuristics based. A few better ones have code emulators. There are foolproof ways to bypass any of those methods:
* signature: different code, or code randomization/obfuscation/morphing/virtualization;
* heuristics: undocumented API calls; hook bypassing by making kernel API calls directly (works on everything except AVs with kernel-mode hooks, but MS made those problematic with PatchGuard on Vista/Win7 x64; a kernel-mode driver can bypass those with kernel-mode hooks as well); some heuristics mark applications safe if certain kinds of API calls are made (like graphical APIs), and some malware do this; other methods are injecting code into trusted service processes and running one's code as a foreign thread;
* emulation: a combination of the methods described above, combined with sleep/delay calls, would make emulation break in real time, as AV engines usually place time limits on total running/emulated time.

Matousec's discovery just discusses a less known class of vulnerabilities which can be used to bypass AVs, but there are already known methods for doing this which no AV can do anything about without making major improvements to their engines.

It was also mathematically proven that it's impossible to make an antivirus which can detect new viruses which have never been seen before with 100% certainty.

The real solution to security is to not run code which you have not personally verified yourself (either because you have the source code, or because you have reverse engineered the binaries to deem them reasonably safe), and to not run that code without isolation (in case someone finds a way to exploit it).

Name: Anonymous 2010-06-05 7:15

Name: Anonymous 2010-06-05 8:09

If only Windows had some kind of jail system where all this is unnecessary

Name: Anonymous 2010-06-05 13:09

>>3

Name: Anonymous 2010-06-05 16:25

>>3
It was also mathematically proven that it's impossible to make an antivirus which can detect new viruses which have never been seen before with 100% certainty.
If by ``mathematically proven'' you mean ``common sense''. I hate idiots like you, who don't let their profound ignorance and complete lack of any particular skills get in the way of their confidence in spouting bullshit.

Name: Anonymous 2010-06-05 16:34

MATHEMATICALLY PROVE MY ANUS

Name: Anonymous 2010-06-05 16:47

>>7
Not just common sense. It's provable that if you have 2 different compiled programs, it's undecidable in the general sense whether these 2 programs perform the same function.

Signature-based detection will find something if the signature is there, but if someone makes an identical program that does the same thing but whose code is different (for example, by morphing the instructions, virtualizing them, or simple code encryption), an AV can only rely on heuristics to detect something malicious, and heuristics are fallible by definition.

Also see >>4

Name: >>9 2010-06-05 16:54

Another point to consider: let's say you have 2 mathematical expressions. Proving the equivalence of these two arbitrary expressions is akin to solving the halting problem. Possible in concrete cases, but not in every case.

Name: Anonymous 2010-06-05 18:46

>>9,10
All of your wank misses the obvious point that ``virus'' is ill-defined. You're a fucking moron.

Name: >>9. 2010-06-05 18:55

Of course, it's ill-defined, but you can define various kinds of malware.

Name: Anonymous 2010-06-05 19:21

>>12
I'd like to see you try.

Protip: it's impossible. There is no usable definition that doesn't also include a huge amount of legitimate software. That's why commercial AVs just dissect known viruses and work post-hoc.

Name: Anonymous 2010-06-05 20:10

>>13
A general definition is impossible, but if you start specifying OS, file format and certain types of behaviour, it's possible. Of course, there are so many possible variations of those behaviours that a complete definition is impossible.

Name: Anonymous 2010-06-05 20:27

>>14
OS and file format are irrelevant. The only relevant metric is behavior, and there's no way to do it. You can wave your hands and pretend you aren't fucking full of shit all you like, it doesn't change a thing.

Name: Anonymous 2010-06-05 21:06

>>15
Okay, you want behaviour, here you go:
A file infector is a piece of code, part of an application, which is able to copy itself, possibly transform itself into an equivalent piece of code, and insert that piece of code into other applications. Inserting can be done at any place in the application, be it in the header, at the end, in a new section, or it could even move application code around to add its own code.

This is a reasonably strict and limiting definition of a file infector virus. You won't be able to find AVs which can detect all such code, for a very large number of reasons, but I'll start:
1) Code equivalency: if the code was transformed, it might not always be possible to find out if a piece of code is equivalent, much less in a reasonable amount of time.
2) Insertion can be done in many ways, and it might not even be visible: the code might be encrypted, in which case it's data, not code, until it's executed; or the code may be transformed, in which case signatures won't work unless you know how to transform it back, and not all transforms are reversible. In practice, however, it's usually possible to make a set of transformations which can turn the original virus and the morphed virus into the same piece of code with the same signature, as long as one knows what transformations the virus does.

A more general way to define a file infector would be to say that it's a piece of functionality, part of a program, which can add an equivalent piece of functionality to another program by modifying it.

Even with such a definition you can mathematically prove that it's impossible to make a general AV which detects file infectors, simply because program equivalency is undecidable. In practice, a lot of these are solvable, just not the general case. You'd need a perfect theorem prover for that, and that's just not possible; it's not too different from the halting problem in its most general case.
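The undecidability claim made in >>9, >>10 and >>16 (program equivalence reduces to the halting problem), carried through as an added sketch; this is not part of any poster's text, and the names $\mathrm{EQ}$, $P'_{P,x}$ and $Z$ are chosen here for the argument.

Suppose a total decider for program equivalence existed:
$$
\mathrm{EQ}(A, B) =
\begin{cases}
1 & \text{if } \forall y:\ A(y) = B(y) \text{ (both undefined counts as equal)} \\
0 & \text{otherwise.}
\end{cases}
$$
Given an arbitrary program $P$ and input $x$, build two programs that ignore their own input $y$:
$$
P'_{P,x}(y) := \text{run } P(x);\ \text{return } 0, \qquad\qquad Z(y) := \text{return } 0.
$$
If $P$ halts on $x$, then $P'_{P,x}(y) = 0 = Z(y)$ for every $y$; if $P$ diverges on $x$, then $P'_{P,x}$ is undefined on every $y$ while $Z$ is not. Hence
$$
\mathrm{HALT}(P, x) = \mathrm{EQ}(P'_{P,x},\ Z),
$$
so $\mathrm{EQ}$ would decide the halting problem, which is impossible. Therefore no scanner can decide, for every candidate, whether a transformed piece of code is functionally equivalent to a known infector; it can only answer in the concrete cases where the transformations are known and reversible, exactly the limitation >>16 describes.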

Name: Anonymous 2010-06-05 21:10

I'm having difficulty telling apart trolls from other trolls. Can anyone help me?

Name: Anonymous 2010-06-05 21:14

>>1
stormfront

Damn jews and their viruses!

Name: Anonymous 2010-06-05 22:58

>>16
Look, we aren't disagreeing over the fact that it's impossible in principle to make a perfect virus scanner. We're only disagreeing over the fact that you're full of shit otherwise.

Name: Anonymous 2010-06-05 23:05

>>19
You insist on making this personal?
Show me what exactly you think I'm wrong about!

Name: Anonymous 2010-06-06 1:52

>>20
(Psst, see >>17)

Name: Anonymous 2010-06-06 6:04

>>18
Another quality topic by STORMFRONT

Name: Anonymous 2010-06-06 6:12

This thread will be back shortly, after these words from our sponsors...


DELICIOUS & REFRESHING
  Drink

     Coca~Cola
5c at fountains

Name: Anonymous 2010-06-06 13:29

Windows
Security
I think I've tracked down most of the problem for you.

Name: Anonymous 2010-06-06 14:24

Attack bypasses EVERY Windows security
Fire?

Name: Anonymous 2010-06-06 18:56

>>17
Everyone in this thread is trolling.

Name: Anonymous 2010-06-06 18:58

JEWS

Name: Anonymous 2010-06-07 20:13

>>23
Drink
     Coca~Cola For that Refreshing Browness!

Name: Anonymous 2010-06-07 20:15



    '-._                  ___.....___
        `.__           ,-'        ,-.`-,            HAVE YOU READ
            `''-------'          ( p )  `._       YOUR STORMFRONT.ORG TODAY ? LOL!
                                  `-'      (
                                            \
                                  .         \
                                   \---..,--'
       ................._           --...--,
                         `-.._         _.-'
                              `'-----''

Name: Anonymous 2010-06-07 20:16

'-._                  ___.....___
        `.__           ,-'        ,-.`-,            HAVE YOU READ
            `''-------'          ( p )  `._       YOUR STORMFRONT.ORG TODAY ? LOL!
                                  `-'      (
                                            \
                                  .         \
                                   \---..,--'
................._           --...--,
                         `-.._         _.-'
                              `'-----''

Name: Anonymous 2010-06-07 20:17

'-._                  ___.....___
        `.__           ,-'        ,-.`-,            HAVE YOU READ
            `''-------'          ( p )  `._       YOUR STORMFRONT.ORG TODAY ? LOL!
                                  `-'      (
                                            \
                                  .         \
                                   \---..,--'
       ................._           --...--,
                         `-.._         _.-'
                              `'-----''

Name: Anonymous 2010-06-07 20:40

>>29-31
'-._                  ___.....___
    `.__           ,-'       _____ \
        `''-------'          ( p )  `._
                              `-'      (
                                        \
                                         \
                              ___________)
   ................._                  /
                     `-.._         _.-'
                          `'-----''

Name: Anonymous 2010-06-08 10:11

lol

Name: Anonymous 2010-06-08 10:18

>>29
>>30
>>31

Go to /vip/

Name: Anonymous 2010-06-08 10:25

>>34
>>29-31
Please OPTIMIZE your post references!

Name: Anonymous 2010-06-08 10:25

>>32



    '-._                  ___.....___
        `.__           ,-'        ,-.`-,         Hasn't read his
            `''-------'          ( p )  `._      STORMFRONT.ORG TODAY ! LOL.
                                  `-'      \   
                                            \
                                  .         \
                                   \---..,--'
       ................._           --...--,
                         `-.._         _.-'
                              `'-----''

Name: Anonymous 2010-06-08 10:30




[aa]    '-._                  ___.....___
        `.__           ,-'        ,-.`-,         HAVE YOU READ
            `''-------'          ( p )  `._      YOUR [code][aa] TAGS
TODAY ?
                                  `-'      \   
                                            \
                                  .         \
                                   \---..,--'
[aa/][/code]       ................._           --...--,
                         `-.._         _.-'
                              `'-----''
>>36

Name: Anonymous 2010-06-08 10:31

>>33



[a]    '-._                  ___.....___
        `.__           ,-'        ,-.`-,         Hasn't read his
            `''-------'          ( p )  `._      Tags correctly TODAY ! LOL. Also STORMFRONT
                                  `-'      \   
                                            \
                                  .         \
                                   \---..,--'
[/aa]       ................._           --...--,
                         `-.._         _.-'
                              `'-----''

Name: Anonymous 2010-06-08 10:31

>>33



    '-._                  ___.....___
        `.__           ,-'        ,-.`-,         Hasn't read his
            `''-------'          ( p )  `._      Tags correctly TODAY ! LOL. Also STORMFRONT
                                  `-'      \   
                                            \
                                  .         \
                                   \---..,--'
       ................._           --...--,
                         `-.._         _.-'
                              `'-----''

Name: Anonymous 2010-06-08 10:41

'-._                  ___.....___
    `.__           ,-'        .-'  \
        `''-------'          / o )  `._     WHY IS THIS
                              `-'      (     HAPPENING?
                                        \
                                         \
                                   ______)
   ................._          .-''    /
                     `-.._         _.-'
                          `'-----''
