AnySpyware.com Newsletter - Issue 1, November 2005

Welcome! The site has just really become "alive" on the internet, and I am spending more and more time on it. I now work only part time for DiamondCS and no longer analyse malware for a living. We have not been doing updates for TDS-3 now for 3 months and it is a real change for me. For this reason I am looking at malware for fun and this site has come about. I also play with virus scanners and test other useful software for my visitors to read about and use. Actually, one I am about to try soon, with a review coming, is Xplorer2 (squared).

Since I have no REQUIREMENT (as a job) to analyse malicious files at DiamondCS anymore, I also want to look at interesting scenarios of how trojans are being used, how trojan attackers THINK etc. I will also be looking at malware from a different angle not yet done by analysts: HOW everything works. This is actually quite easy for an analyst, because you look at nasties from the ground up, every day. Day in, day out. In my time I've also spent a lot of time looking at the trojan scene as a whole, visiting forums for example. This is where I feel most qualified to write about trojan use and how dangers evolve. Most of the future of malware became quite clear in my work. In any case, some of the issue is going to work out on Christmas, 2006...

------

Currently I have put up an interesting little trojan dropper analysis: http://www.anyspyware.com/trojan-dropper.html

This shows that installers are used to bypass a lot of scanners. The Kaspersky installer detection engine knows how to extract the files so everything IN the archive gets scanned.
Nothing hard about this: you analyse a file from its entry point and find the installer routines (a large chunk of compressed data with algorithms to decode it). It's basically a zip file anyway; the scanner just needs to know where to get the compressed file, how it unpacks, and whether it has any scripting options which could download a file etc. (NULLSOFT Installer does). For KNOWN archives this couldn't be much simpler - you know the offsets, have piles of exact decompression routines and sometimes variants of this compression. Even easier for those analysts not already "thinking outside the box". The WAY an engine has to be built for archive analysis is quite easy - and the ONLY way that will work right is if it UNDERSTANDS ARCHIVES.

From this sample, another thing we can see (to a degree) is that some Western based anti-virus vendors may take a couple of hours to catch up on some samples released in other parts of the world, purely due to the timing of getting the virus sample. This will happen with other scanners too and at widely varying rates. The bottom line: some scanners DO NOT HAVE A SAMPLE for days and thus are really lacking protection. Not being able to unpack all installers means an installer can drop something nasty.

Be sure to check it out and send any comments: http://www.anyspyware.com/trojan-dropper.html

More news soon!

P.S. - the first site revision is done, please send any feedback to webmaster@anyspyware.com

Thanks!

------
Gavin Coe
AnySpyware.com owner
------
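To make the archive point above concrete, here is an added example (not code from the newsletter, DiamondCS or any scanner vendor) showing why a scanner that only hashes the container misses a dropper while one that locates and unpacks the embedded ZIP catches the payload. The installer stub, the payload bytes and the "bad hash" list are all constructed for the demo.

```python
"""Archive-aware scanning of a ZIP-based dropper (constructed demo)."""
import hashlib
import io
import zipfile

LOCAL_HEADER = b"PK\x03\x04"  # ZIP local file header signature


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_dropper(payload: bytes) -> bytes:
    """Constructed sample: an opaque installer 'stub' with a ZIP appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed benign text")
        zf.writestr("payload.exe", payload)  # the file the stub would drop
    return b"MZ" + b"\x00" * 62 + b"[constructed installer stub]" + buf.getvalue()


def whole_file_scan(data: bytes, bad_hashes: set) -> bool:
    """Naive scanner: hashes the container only and never looks inside."""
    return sha256(data) in bad_hashes


def archive_aware_scan(data: bytes, bad_hashes: set) -> list:
    """Find the embedded archive, unpack every entry, hash each one."""
    offset = data.find(LOCAL_HEADER)
    if offset < 0:
        return []  # no embedded ZIP: nothing further to unpack
    hits = []
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
        for info in zf.infolist():
            if sha256(zf.read(info)) in bad_hashes:
                hits.append(info.filename)
    return hits


def demo():
    """Returns (naive verdict, archive-aware hits) for the constructed sample."""
    payload = b"constructed payload bytes"
    bad_hashes = {sha256(payload)}  # pretend this hash is already known bad
    sample = build_dropper(payload)
    return whole_file_scan(sample, bad_hashes), archive_aware_scan(sample, bad_hashes)


if __name__ == "__main__":
    print(demo())  # → (False, ['payload.exe'])
```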