
Attack bypasses EVERY Windows security

Name: Anonymous 2010-06-05 5:21

http://www.stormfront.org/forum/t708332/

New attack bypasses EVERY Windows security product

Security researchers at Matousec.com have come up with an ingenious attack that can bypass every Windows security product tested and allow malicious code to make its way to your system.

Yes, you read that right - every Windows security product tested. And the list is both huge and sobering:

* 3D EQSecure Professional Edition 4.2
* avast! Internet Security 5.0.462
* AVG Internet Security 9.0.791
* Avira Premium Security Suite 10.0.0.536
* BitDefender Total Security 2010 13.0.20.347
* Blink Professional 4.6.1
* CA Internet Security Suite Plus 2010 6.0.0.272
* Comodo Internet Security Free 4.0.138377.779
* DefenseWall Personal Firewall 3.00
* Dr.Web Security Space Pro 6.0.0.03100
* ESET Smart Security 4.2.35.3
* F-Secure Internet Security 2010 10.00 build 246
* G DATA TotalCare 2010
* Kaspersky Internet Security 2010 9.0.0.736
* KingSoft Personal Firewall 9 Plus 2009.05.07.70
* Malware Defender 2.6.0
* McAfee Total Protection 2010 10.0.580
* Norman Security Suite PRO 8.0
* Norton Internet Security 2010 17.5.0.127
* Online Armor Premium 4.0.0.35
* Online Solutions Security Suite 1.5.14905.0
* Outpost Security Suite Pro 6.7.3.3063.452.0726
* Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION
* Panda Internet Security 2010 15.01.00
* PC Tools Firewall Plus 6.0.0.88
* PrivateFirewall 7.0.20.37
* Security Shield 2010 13.0.16.313
* Sophos Endpoint Security and Control 9.0.5
* ThreatFire 4.7.0.17
* Trend Micro Internet Security Pro 2010 17.50.1647.0000
* Vba32 Personal 3.12.12.4
* VIPRE Antivirus Premium 4.0.3272
* VirusBuster Internet Security Suite 3.2
* Webroot Internet Security Essentials 6.1.0.145
* ZoneAlarm Extreme Security 9.1.507.000
* probably other versions of above mentioned software
* possibly many other software products that use kernel hooks to implement security features

[...]More at link

Name: Anonymous 2010-06-05 21:06

>>15
Okay, you want behaviour, here you go:
A file infector is a set of code part of an application which is able to copy, possibly transform itself into an equivalent piece of code and insert that piece of code into other applications. Inserting can be done at any place in the application, be it in the header, ending, new section, or it could even move application code around to add its own code.

This is a reasonably strict and limiting definition of a file infector virus. You won't be able to find AVs which can detect all such code, because of a very large number of reasons, but I'll start:
1) Code equivalency - if the code was transformed, it might not always be possible to find if a piece of code is equivalent, much less in a reasonable amount of time.
2) Insertion can be done in many ways, and it might not even be visible - the code might be encrypted, in which case it's data, not code, until it's executed, the code may be transformed, in that case, signatures won't work, unless you know how to transform it back, but not all transforms are reversible, however in practice it's usually possible to make a set of transformations which can turn the original virus and the morphed virus into the same piece of code which has the same signature - as long as one knows what transformations the virus does.

A more general way to define a file infector would be to say that it's a piece of functionality part of a program which can add an equivalent piece of functionality to another program by modifying it.

Even with such a definition you can mathematically prove that it's impossible to make a general AV which detects file infectors, simply because program equivalency is undecidable. In practice, a lot of these are solvable, just not the general case. You'd need a perfect theorem prover for that, and that's just not possible and it's not too different from the halting problem in its most general case.
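The normalization point made in the post above (a known set of transformations can map the original and the morphed code onto one signature), as an added example that is not part of the original thread. The toy instruction strings, rewrite rules and function names are constructed for illustration, and flag side effects are ignored.

```python
import hashlib
import re

# Constructed toy instruction streams (plain strings), not code from any real sample.
ORIGINAL = ["mov eax, 0", "push ebx", "add eax, 4", "pop ebx", "ret"]
# Same behaviour in this toy model: junk NOPs inserted, two substitutions applied.
MORPHED = ["xor eax, eax", "nop", "push ebx", "nop", "sub eax, -4", "pop ebx", "ret"]
# Same behaviour again, but via a rewrite the normalizer has no rule for.
UNKNOWN = ["push 0", "pop eax", "push ebx", "add eax, 4", "pop ebx", "ret"]

# Each rule undoes one transformation the analyst already knows about.
RULES = [
    (re.compile(r"^xor (\w+), \1$"), r"mov \1, 0"),
    (re.compile(r"^sub (\w+), -(\d+)$"), r"add \1, \2"),
]

def normalize(code):
    """Map a stream to canonical form: drop junk NOPs, undo known substitutions."""
    out = []
    for ins in code:
        ins = " ".join(ins.lower().split())   # canonical case and spacing
        if ins == "nop":
            continue
        for pattern, repl in RULES:
            ins = pattern.sub(repl, ins)
        out.append(ins)
    return out

def signature(code):
    """Hash of the instruction stream, standing in for a byte signature."""
    return hashlib.sha256("\n".join(code).encode()).hexdigest()

def matches(sample, known, use_normalizer):
    """Compare signatures, optionally normalizing both sides first."""
    prep = normalize if use_normalizer else list
    return signature(prep(sample)) == signature(prep(known))

if __name__ == "__main__":
    print("raw signature, morphed:        ", matches(MORPHED, ORIGINAL, False))
    print("normalized, known transforms:  ", matches(MORPHED, ORIGINAL, True))
    print("normalized, unknown transform: ", matches(UNKNOWN, ORIGINAL, True))
```

The third comparison fails because no rule covers that rewrite, which is the practical form of the limit the post describes: normalization only works for the transformations one already knows.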
