Making Finfisher Malware Undetectable - lqdc13
http://lqdc.github.io/making-finfisher-undetectable.html

======
iancarroll
To be clear, running any sample that's clean on VT will probably trigger your
AV based on many run-time heuristics - VT is showing _scan-time_ results, not
_run-time_ results. These 'crypters' are also effectively worthless - as soon
as your sample hits a few computers an AV will upload the sample (or someone
will upload it to VirusTotal, and it will subsequently get analyzed) and it
will be flagged.

You can almost try this 'at home' - upload a file to VirusTotal and try to
get it to match two or three AV's detections. It will then be flagged by at
least ten AVs next week. This is because VirusTotal shares all uploaded files
with antivirus products.

~~~
Terr_
I remember reading some fictional story where the hacker designed an easily-
detectable virus, whose true payload was the signature the AV system generated
from it. The carefully-crafted signature would exploit a buffer-overflow in
the anti-virus clients as soon as they got their regular updates from the central
server.

Far-fetched but not impossible. I wish I could remember the source.

------
Fizzadar
Kind of scary, but would need successful execution to be really bad. I really
like the idea of sandbox analysis, as well as the challenge of writing a
program which can detect when running in-sandbox :)

------
nekitamo
The name of one of the protectors is 'Themida', not "Themeda". Aside from
that, nice article. I wonder how many of the antiviruses complained when you
actually tried to execute your packed file? There should be a second round of
heuristics then which would catch the malware after it's unpacked to disk.

~~~
moyix
Do you mean unpacked in memory? Most packers don't write unpacked files to
disk (it would make bypassing them a lot easier if they did...)

