PUP Detection Bypass


Post by p2u on 27/2/2011, 10:13

*PUP = Potentially Unwanted Program
*To see the results on VT, you need to allow a cookie from VT + all scripts that run there.

The author of the article found a way to make AVs detect one type of virus as another, which can be leveraged to make an AV think a really bad backdoor is just a PUP, which some AV ignore by default to avoid "false positive" complaints.
The PUP Confusion Technique
P.S.: One of my colleagues tried it yesterday. He combined HideWindow with Bitfrost and got the following results:
* Antivir and Sophos detect the harmless HideWindows
* McAfee and Panda give some generic heuristics signature
* Kaspersky and NOD32 pretend there's nothing there at all (neither HideWindows, nor Bitfrost)
The file was active, as can be seen from this analysis.

The author states that ALL AVs can produce only 1 verdict for one file, although this is not really true (the ALL part, I mean). Here's an example of Dr.Web detecting 2 viruses in 1 file:



It's probably something with an internal timer that is installed to win speed contests. They just stop scanning as soon as they have found at least something. Any ideas anyone?

Paul
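To make the "one verdict per file" behaviour Paul describes concrete, here is an added toy scanner (example code written for this page, not from any AV vendor or from the article linked above). It compares three ways of turning signature hits into a verdict: stop at the first hit, report every hit, and report the most severe hit. The signature names, byte patterns and the sample file are all constructed for the demo and correspond to no real signatures or real malware; the severity ranking is an assumption chosen to illustrate why a first-match engine can label a file with its least serious component.

```python
"""Toy signature scanner: first-match vs exhaustive vs severity-ranked verdicts.

Everything below is constructed for illustration: the patterns are plain
ASCII markers, not real detection signatures, and the "sample file" is a
synthetic byte string, not a real binary.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Signature:
    name: str        # constructed label, loosely modelled on AV naming style
    pattern: bytes   # constructed marker this toy engine looks for
    severity: int    # assumed ranking: 1 = PUP (lowest), 3 = backdoor (highest)


# Signature order matters for a first-match engine: the low-severity
# entry deliberately comes first, as it might in a database sorted by
# family name or by age of the entry.
SIGNATURES: List[Signature] = [
    Signature("PUP.Toy.HideWindow", b"HIDEWINDOW-TOY", severity=1),
    Signature("Backdoor.Toy.Bitfrost", b"BITFROST-TOY", severity=3),
]

# Constructed "file": a fake header, the PUP marker, filler, then the
# backdoor marker. No real code of any kind.
SAMPLE_FILE: bytes = (
    b"MZ-constructed-header" + b"HIDEWINDOW-TOY" + b"\x00" * 64 + b"BITFROST-TOY"
)


def first_match_verdict(data: bytes, signatures: List[Signature]) -> Optional[str]:
    """Verdict of an engine that stops scanning at the first hit.

    This is the behaviour the post attributes to speed-optimised engines:
    whichever signature is checked first decides the label for the file.
    """
    for sig in signatures:
        if sig.pattern in data:
            return sig.name
    return None


def all_matches(data: bytes, signatures: List[Signature]) -> List[str]:
    """Every signature that fires, in database order (no short-circuit)."""
    return [sig.name for sig in signatures if sig.pattern in data]


def severity_verdict(data: bytes, signatures: List[Signature]) -> Optional[str]:
    """Scan exhaustively, then report the most severe hit as the verdict.

    This is the mitigation a defender would want: the PUP component can no
    longer mask a higher-severity detection in the same file.
    """
    hits = [sig for sig in signatures if sig.pattern in data]
    if not hits:
        return None
    return max(hits, key=lambda s: s.severity).name


if __name__ == "__main__":
    print("first-match :", first_match_verdict(SAMPLE_FILE, SIGNATURES))
    print("all hits    :", all_matches(SAMPLE_FILE, SIGNATURES))
    print("by severity :", severity_verdict(SAMPLE_FILE, SIGNATURES))
```

Run as a script, the first-match engine labels the constructed sample as the PUP only, the exhaustive scan lists both hits, and the severity-ranked verdict reports the backdoor label. Whether a given product has a default "ignore PUP" setting is a policy question on top of this; the point of the example is that the verdict policy, not just the signature database, decides what the user sees.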

