
Replies on the official Kaspersky forum about the bypass of its emulator-based heuristic detection

hljdqzr
Posted on 2007-11-11 20:46:52
First, the post by an enthusiast from China; let us thank him for his effort. Next, the reply from an expert-level member:
This code can be included as part of the malware code and it will help the malware to detect whether it is running on a real computer or inside the KL emulator. If it detects that it is running on a real computer it will continue to run and do its malicious actions. If, however, it detects that it runs inside the emulator it will simply stop. However, I am quite sure the next version of the emulator will be immune to this trick. Let's see some of the things KL should be able to do about this:

- they can improve the emulator so that it will work more correctly (more like a real system)
- they can look for this trick in the code and work around it, for example skip this part of the code
- since this code is most probably very specific (only malware will use it) they can even make a detection for this code
Rough translation (apologies for any errors or infelicities):
This code can be included as part of malicious code; it helps the malware detect whether it is running on a real computer or inside Kaspersky's emulator. If it is on a real computer it continues running and starts its malicious behaviour. If it is inside Kaspersky's emulator it simply stops. Even so, I am sure the next generation of Kaspersky products will be immune to this trick. Let's look at what the next generation of Kaspersky should be able to do:
- they will improve the emulator so that it is more effective (more like a real system)
- they will look for this trick in the code and work around it, for example by skipping this section of code.
- since this code is probably very specific (only malware would use it) they may simply detect this code directly. (That one is harsh.)
The source is http://forum.kaspersky.com/index.php?showtopic=52349.
cici584522
Posted on 2007-11-11 21:39:53
Seems the undetectable builds I made can't be caught even by Kaspersky's heuristics at the highest level... no need for any code at all, haha
hljdqzr
OP | Posted on 2007-11-11 21:45:01
There are differing views over there. Some think Kaspersky still has proactive defence and code recognition. One Kaspersky gold-level tester thinks that simply adding a detection for this piece of code is pointless; the question is how to avoid the problem at its root, and in his view the heuristics of every security product can be bypassed.
Admin Lucian Bara replied: From what I see the fault is that both "explorer.exe" and the emulated program have some characteristics which won't happen on a real PC (I really haven't played around with PID functions in C++ yet).
As to more serious testing, KL has a testing department, and as for us, there's not much to test in v8, it's only half there (can't even get a decent BSOD since there are no advanced features).
Roughly: the problem is that explorer.exe and the emulator both have some characteristics that would not occur on a real computer. (Does this mean Kaspersky cannot fix it at the root?) Kaspersky 8 is still in testing; for us there isn't much to test in this version, it's only half finished.
The discussion is still going on.

[ This post was last edited by hljdqzr on 2007-11-11 21:51 ]
wangjay1980
Posted on 2007-11-11 21:49:08
If heuristics could catch every virus, I'd go mad.
hljdqzr
OP | Posted on 2007-11-11 21:51:09
I thought it was over, but things are heating up over there. OK, let me continue reporting for everyone. As usual, apologies for any errors or infelicities.
OK, I confess I did not fully understand this code by just looking at it, so I built a demo and watched it.

All it does is check if the parent process is explorer (since on a real system explorer will normally start the malware file and so it will be its parent process). It seems that in the emulator this is not the case. If I am mistaken please correct me (my programming is a bit rusty).
Roughly: he built a test program using this method himself. The point is that on a real system explorer.exe is the parent process, since it normally launches the malware and thereby becomes its parent, whereas in the emulator this is not the case. He is also waiting for others to correct him.
hljdqzr
OP | Posted on 2007-11-11 21:54:27
Comrades, xyzreg's identity has been posted over there. Well, true heirs of the KGB, efficient as ever.
Hello,

I am the person who first posted this on Castle Cops and sent an email to your site info. I am just a linguist so I have no idea if this will be of further help, but I found a little more on the talk xyzreg gave at Xcon2007:

About xyzreg

Zhang Yi (xyzreg), a security technology researcher, majors in Information Security Technology at Jiangsu University. His research interests are the Windows kernel, advanced malware technology, vulnerability discovery, Network Centric Warfare, and the initiation of security products.

Presentation Title:

Advanced Malware Technology to New Challenges -- Breach Active Defense

Presentation Abstract:

The wide use of Active Defense technology in anti-virus products, firewalls and HIPS is a severe challenge for today's backdoors, Trojans, rootkits etc. Even with the malware's excellent concealment, the Active Defense product will notify the user on the first setup of the malware, and stop the malware from installing normally and working further.

This topic details the application status of Active Defense, its principles, and various methods to break through active defense deep in the Windows kernel.
Presentation Requirements:

* System mechanisms of Windows
* Malware technology
* Principles of security products
* The application status of Active Defense
wangjay1980
Posted on 2007-11-11 22:00:23
The officials have not replied to this issue yet.
wangjay1980
Posted on 2007-11-11 23:24:08
Reply from Wordmonger (a Kaspersky heuristic engine engineer):

Looks like you guys have already grokked it yourselves and there's no need for any kind of "official" reply from KL. But just to recap:

1. There are a zillion ways to defeat an emulation system by finding a difference from a real system. Posting one of those as something special and/or something new is not very professional. (I'm not talking ethics here.)

2. With any decent emulation engine, this issue can be fixed in no time. At least this is the case with KAV's heuristic analyzer.

3. Due to its obvious deficiencies, malware authors will hardly use this technique as is. Consequently there's no practical reason for making KAV pass this "test" right now.

Original source: http://forum.kaspersky.com/index.php?showtopic=52349

[ This post was last edited by wangjay1980 on 2007-11-11 23:25 ]
hljdqzr
OP | Posted on 2007-11-12 06:39:41
Roughly: 1. There are many ways to bypass the emulator; presenting one of them as something special or new is not professional.
2. For any decent emulator this problem can be fixed right away, at least in Kaspersky's case.
3. Because of its obvious shortcomings, malware authors will not use this technique much, so there is no need for Kaspersky to pass this test right away.
sexing
Posted on 2007-11-20 11:12:49
Keep going!