Yersinia - encrypt programs, test antiviruses

    Don’t judge,

    I don't know how to write in detail ... I had to write a cryptor somehow. Well, in general, nothing special. The trouble is that antiviruses now use virtualization, so they catch cryptors "right away" by simply running the code in a sandbox and analyzing it there.

    After racking my brain for a couple of hours, I found a way out (trade secret). The main thing is to keep the sandbox from decrypting the file ... On top of that, there are a lot of goodies that in theory should interfere with debugging and the like (although in practice they haven't worked for a long time, or don't work everywhere).

    By the way, encrypting the same file always produces a different output: the header differs (so signature matching gets no chance) and so does the body (the entire encrypted code is completely different on every encryption).

    True, so far not every program can be encrypted with my tool; it breaks on some (the tool is still rough).

    The only problem during testing was the confusion with Symantec and Avast, which consider the file to be encrypted. Fair enough, except for one thing: the pair react just as nervously to a clean file! And a clean file has no noticeable entropy: even the picture in its resources isn't compressed, it's a plain BMP. What signs they use to judge the files harmful, I still don't understand.
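As an added illustration (not the author's tool, nor any code from the post), the Python script below shows two things touched on above: why a fresh random key per run makes the encrypted body come out different every time, and what the "entropy" heuristic an antivirus might apply actually measures on a clean, uncompressed BMP versus an encrypted buffer. The BMP-like buffer is constructed for the demo, and the SHA-256 counter keystream is a toy stand-in for a stream cipher, not a recommended design.

```python
"""Constructed demo: per-run polymorphic output and the byte-entropy heuristic.

Not the author's cryptor. Shows (1) that encrypting identical input under
a fresh random key yields a different ciphertext on every call, and (2)
how Shannon entropy separates a flat uncompressed BMP from encrypted data.
"""
import hashlib
import math
import os
import struct
from collections import Counter
from typing import Dict, Optional, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_flat_bmp(width: int = 128, height: int = 128) -> bytes:
    """Constructed stand-in for an uncompressed 24-bit BMP resource.

    Real layout: 14-byte BITMAPFILEHEADER + 40-byte BITMAPINFOHEADER + pixels,
    rows padded to 4 bytes. The pixel content here is a flat grey fill, so
    the buffer has almost no entropy, like the author's "plain BMP" resource.
    """
    row = (width * 3 + 3) & ~3
    pixel_bytes = row * height
    file_header = struct.pack("<2sIHHI", b"BM", 14 + 40 + pixel_bytes, 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24,
                              0, pixel_bytes, 2835, 2835, 0, 0)
    pixels = (bytes([0x80, 0x80, 0x80]) * (pixel_bytes // 3 + 1))[:pixel_bytes]
    return file_header + info_header + pixels


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || counter), truncated to length.

    Illustrative only; real code would use a vetted cipher (AES-CTR, ChaCha20).
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext: bytes, key: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """XOR plaintext with the keystream under a fresh 16-byte key unless one is given.

    Returns (key, ciphertext). Because the key is random per call, the same
    input produces a different ciphertext on every run: the body-level
    polymorphism the post describes.
    """
    if key is None:
        key = os.urandom(16)
    ks = keystream(key, len(plaintext))
    return key, bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """XOR is symmetric, so decryption is encryption under the same key."""
    return encrypt(ciphertext, key)[1]


def entropy_report(plaintext: bytes) -> Dict[str, object]:
    """Encrypt the same buffer twice and compare it with the clean original."""
    key1, ct1 = encrypt(plaintext)
    key2, ct2 = encrypt(plaintext)
    return {
        "clean_entropy": shannon_entropy(plaintext),
        "encrypted_entropy": shannon_entropy(ct1),
        "outputs_differ": ct1 != ct2,
        "roundtrip_ok": decrypt(key1, ct1) == plaintext and decrypt(key2, ct2) == plaintext,
    }


if __name__ == "__main__":
    for name, value in entropy_report(build_flat_bmp()).items():
        print(f"{name}: {value}")
```

Run it twice and the clean BMP scores well under 1 bit per byte while the encrypted buffer sits just below 8, with a different ciphertext each time. Note that scanners typically compute entropy per PE section rather than over the whole file, so padding a packed executable with an uncompressed bitmap lowers the whole-file figure without hiding a high-entropy code section.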

    Demonstration video:

    Big hello to ESET, McAfee and Kaspersky (they didn't make it into the video): none of them identified such a legend as Brontok. VirusTotal.

    The conclusion is generally sad: some react to what they shouldn't, and others don't react to what they should ...

    PS I had an interview, or rather a preliminary e-mail exchange with Dr.Web HR: they said they don't hire people who have helped virus writers in their work. So there you go. As Kris Kaspersky used to say, to be able to protect a system you must first learn how to break it.
