5 comments

[ 3.0 ms ] story [ 22.4 ms ] thread
Kind of scary, but would need successful execution to be really bad. I really like the idea of sandbox analysis, as well as the challenge of writing a program which can detect when running in-sandbox :)
Do you mean unpacked in memory? Most packers don't write unpacked files to disk (it would make bypassing them a lot easier if they did...)
To be clear, running any sample that's clean on VT will probably trigger your AV based on many run-time heuristics - VT is showing scan-time results, not run-time results. These 'crypters' are also effectively worthless - as soon as your sample hits a few computers an AV will upload the sample (or someone will upload it to VirusTotal, and it will subsequently get analyzed) and it will be flagged.

You can almost try this 'at home' - upload a file to VirusTotal and try to get it to match two or three AV's detections. It will then be flagged by at least ten AVs next week. This is because VirusTotal shares all uploaded files with antivirus products.

I remember reading some fictional story where the hacker designed a easily-detectable virus, whose true payload was the signature the AV system generated from it. The carefully-crafted signature would exploit a buffer-overflow in the anti-virus clients as soon they got their regular updates from the central server.

Far-fetched but not impossible. I wish I could remember the source.