Solved

better security for detecting binded virus files

Posted on 2009-06-29
Last Modified: 2013-11-22
Was looking for methods to better help in discovering and preventive measures for binded files that contain viruses. I've seen a lot of Istealer servers that people use to get data; most of these files they send out are fully undetectable by virus software. I saw one file that was binded that someone uploaded on nothanksvirus.org to test, and it didn't detect the virus/malware/password stealer. How does one detect this on one's system and guard against such a threat?
Question by:billy4545
6 Comments
 
LVL 23

Expert Comment

by:Admin3k
ID: 24737320
OK, let me please clarify the difference between two techniques that may be used here.
Binder: there are three sections to a binded executable (executable 1, executable 2 & the binder's stub code).
Dropper: there are usually two separate sections of code; one is usually embedded into the other through resource files or using a technique like SFX. It is not uncommon for the section where the bad executable resides to be encrypted.
If you rely solely on antivirus signature/definition-based scanning, then expect quite a few of those to go by undetected, especially droppers; binders are a bit easier to detect because the stub is almost always a giveaway.
However, some script kiddies or malware distributors use custom-made binders or droppers to ship their code out; these will not be included in your antivirus database and are bound to pass undetected.
The only way to beat those is by having a resident, active & running antivirus program. Although the binder will hide the malware that it carries in storage (while it is still binded), once extracted, your antivirus program should detect it for what it really is, through definitions or through heuristic scans that will map certain activities (if run in stealth) to malware activities. Please post back if you require any clarification.
Also, if in doubt, a better online scanner is www.virustotal.com


 
LVL 1

Author Comment

by:billy4545
ID: 24739598
Admin3k, I see what you're saying; I understand there are a lot of 0day viruses/malware out there which would go by undetected through a regular scan. Should I use executable extract to look through a questionable exe? The binded file showed undetectable on virustotal as well. There has to be an easy way of detecting a threat, something that picks up on a binded file's characteristics. Yes, if you would please explain more in depth, as well as take into consideration what I just mentioned. Thanks
 
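Admin3k's description of a binder's layout (stub code plus the bound executables) and billy4545's wish for something that picks up on a binded file's characteristics suggest one structural check a defender can script: data appended after the last PE section (the overlay) that itself carries a second PE header. The following is an added example, not code from this thread; it runs on constructed sample bytes, and the names `build_test_pe`, `find_overlay`, `embedded_executables` and `triage` are assumptions of the example.

```python
import struct

def build_test_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE (one section, no optional header); not a real program."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    raw_off = e_lfanew + 24 + 40             # DOS stub, PE sig + COFF, one section header
    sect = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_off,
        0, 0, 0, 0, 0x60000020)
    return dos + b"PE\x00\x00" + coff + sect + section_data + overlay

def find_overlay(pe: bytes):
    """Return (offset, bytes) of data trailing the last section, or None."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sect_off = e_lfanew + 24 + opt_size       # first section header
    end = sect_off + nsect * 40
    if end > len(pe):
        raise ValueError("truncated section table")
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect_off + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)    # highest byte any section claims
    return None if end >= len(pe) else (end, pe[end:])

def embedded_executables(blob: bytes) -> list:
    """Offsets in blob of 'MZ' headers whose e_lfanew lands on a 'PE\\0\\0' signature."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if blob[pos + lfanew:pos + lfanew + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits

def triage(pe: bytes) -> dict:
    """Flag the binder pattern: a second PE carried in the stub's overlay."""
    ov = find_overlay(pe)
    if ov is None:
        return {"overlay": False, "overlay_size": 0, "embedded_pe": []}
    off, blob = ov
    return {"overlay": True, "overlay_size": len(blob),
            "embedded_pe": [off + h for h in embedded_executables(blob)]}
```

An overlay on its own is not suspicious (Authenticode signatures and many installers put data there); a second MZ/PE header inside it is the stronger signal, and an encrypted dropper payload will not show one, which is why the thread's advice about behaviour-based and memory scanning still applies.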
LVL 23

Expert Comment

by:Admin3k
ID: 24741737
Just to be sure about what we are dealing with here, I would like to take a look at this sample, please. Please rename the extension to .TXT, compress as a ZIP archive and attach here; once examined, hopefully I will be able to advise of a suitable course of action.
 
LVL 15

Accepted Solution

by:
xmachine earned 250 total points
ID: 24744197
1) The main reason behind using (Packing / Binding ... etc) is to evade signature-based anti-malware products. You need to look for proactive-based products that look for malicious activity in the system.

2) Anyways, a packed virus must be unpacked in memory to run. So, any decent antivirus should detect it if "Memory Scanning" is supported.

3) There is no single product on earth that can detect and protect against all viruses. You need to implement multiple defense lines (Defense-in-Depth).

4) Using a combo of (Antivirus + HIPS + Application Control Software) will give you better protection. Since every product complements the other. Check the following features:

- Antivirus (Signatures): Detect and clean known infections.
- Antivirus (Proactive Protection): Detect malicious & suspicious activity which could be related to a 0-day/packed virus

- HIPS: Block malicious modifications (Hooking / DLL injection / Kernel modification / rootkits / patching dll/system files)
- HIPS: Intelligent monitoring and alerting when one of the mentioned activities has occurred.
- HIPS: Can block many infections by blocking exploitation attempts (eg. MS08-067 + W32.Downadup)

- Application Control: Allow trusted and known applications and block the rest.
- Application Control: Alert the administrator about executing suspicious files. (He can submit it to the AV vendor and respond faster than before.)
- Application Control: Execute signed and approved applications from trusted locations.

 
LVL 1

Author Comment

by:billy4545
ID: 24749904
Proactive-based products such as Prevx, for example?
 
LVL 23

Assisted Solution

by:Admin3k
Admin3k earned 250 total points
ID: 24750018
Not necessarily this one; other antivirus vendors call it different things. Kaspersky, McAfee, Symantec, Trend Micro all have it, among others.
Heuristic scanning or heuristic detection are other well-known names,
i.e. detection based on suspicious behaviour, not signatures, which can lead to identifying new threats not in the signature database.