
[Brick] F-PROT's understanding and views on packing

The EQs
Posted on 2007-4-20 22:23:33
1. Regarding "a variant of"
There's nothing wrong with naming something "a variant of". It all boils down to how the original sample was distributed. If it was UPX packed and it gets repacked, for example by ASPACK, then it's indeed a variant. The reason being that the file looks completely different from a binary point of view, even if it performs exactly the same actions. So nothing wrong with calling repacked versions "a variant of".

2. Packer Detections
There are 3 types of packers: Whitelist Packers, Greylist Packers and Blacklist Packers.

Whitelist Packers are mainly used by non-malicious applications. (However, that doesn't mean that malware isn't using them.) Example: UPX

Greylist Packers are packers which are not really common for "industrial use"; they are mostly used for cracks and maybe "strange" freeware/shareware and malware. Example: Exeprotector

Blacklist Packers are packers which are mainly used only for malware. Of course you can pack a clean program with a blacklisted packer, but you shouldn't be surprised if a lot of antivirus apps flag it. Example: Several patched Morphine versions, NSANTI combinations and so on.

Flagging white-listed packers is ridiculous, even if you only report it as suspicious. A whitelisted packer should never ever be flagged, regardless of the heuristic level.

Flagging greylisted packers is very risky and leads to a lot of false positives.

Flagging blacklisted packers is basically "ok"; however, it's always better to take some other heuristic flags into the conclusion before flagging such files.

2.1 Combinations of Runtime Packers

Similar to point 2, there are so-called blacklisted combinations of runtime packers, UPX + Yoda for example.
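The three-tier policy and the combination rule from the post, as an added example that is not F-PROT's code or the poster's; the tier table (including Yoda as greylist), the combination set and the heuristic names are constructed assumptions:

```python
# Added example, not F-PROT's or the poster's code: a packer-triage policy
# following the whitelist / greylist / blacklist tiers and the blacklisted
# combination rule. Tier assignments (e.g. Yoda as greylist) and heuristic
# names are constructed assumptions for illustration only.
from enum import Enum

class Tier(Enum):
    WHITE = 0   # mostly legitimate software; never flag on packing alone
    GREY = 1    # cracks, odd shareware, malware; flagging alone means false positives
    BLACK = 2   # essentially malware-only; flagging is acceptable

# Constructed sample table; a real one must be backed by prevalence telemetry.
PACKER_TIER = {
    "UPX": Tier.WHITE,
    "Exeprotector": Tier.GREY,
    "Yoda": Tier.GREY,              # assumed; the post only names it in a combination
    "Morphine (patched)": Tier.BLACK,
    "NSAnti": Tier.BLACK,
}
# Layer combinations treated as blacklisted even though no single layer is.
BLACKLISTED_COMBOS = {frozenset({"UPX", "Yoda"})}

def triage(layers, other_heuristics=()):
    """Return (flag, confidence, reason) for a file's detected packer chain.

    layers: packer names found on the file; other_heuristics: independent
    heuristic hits on the same file, used only to corroborate a blacklist hit.
    """
    chain = list(layers)
    if not chain:
        return (False, "none", "not packed; packer policy does not apply")
    unknown = [n for n in chain if n not in PACKER_TIER]
    if unknown:
        return (False, "none", f"unclassified packer {unknown[0]}; classify it first")
    if any(combo <= frozenset(chain) for combo in BLACKLISTED_COMBOS):
        return (True, "high", "blacklisted combination " + " + ".join(chain))
    worst = max((PACKER_TIER[n] for n in chain), key=lambda t: t.value)
    if worst is Tier.WHITE:
        return (False, "none", "whitelisted packer only; never flagged at any heuristic level")
    if worst is Tier.GREY:
        return (False, "none", "greylisted packer; packing alone is not evidence")
    if other_heuristics:
        return (True, "high", "blacklisted packer corroborated by " + ", ".join(other_heuristics))
    return (True, "low", "blacklisted packer with no corroborating heuristics")
```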
jpzy
Posted on 2007-4-20 22:33:06
EQ, can't you just give a quick translation? Many people can read it, but it's really uncomfortable to read!!
buycard
Posted on 2007-4-21 00:56:09
What F-prot means is that flagging packers isn't wrong... some packers are put on a blacklist and must be flagged, some are on a whitelist, and flagging the whitelist is stupid, while flagging the blacklist is fine; then there is a greylist, which may or may not be flagged...

Sigh, nowadays even the European antivirus companies, even one as long-established as F-prot, have started flagging packers...


F-prot says this because they flag packers themselves.

[ This post was last edited by buycard on 2007-4-21 00:57 ]
hkc
Posted on 2007-4-21 00:57:43
Learned something.
solcroft
Posted on 2007-4-21 01:12:19
Originally posted by buycard on 2007-4-21 02:26
What F-prot means is that flagging packers isn't wrong... some packers are put on a blacklist and must be flagged, some are on a whitelist, and flagging the whitelist is stupid, while flagging the blacklist is fine; then there is a greylist, which may or may not be flagged...

Sigh, nowadays even the European antivirus companies, even one as long-established as F-prot ...

Saying this because they flag packers, and flagging packers because they actually believe this, are two different things.
jlennon
Posted on 2007-4-21 01:16:18
F-PROT admitted long ago that it flags packers.
klinxun
Posted on 2007-4-21 14:49:10
Not bad, very honest.
bojinov
Posted on 2007-4-21 16:09:35
No big deal: better to wrongly kill 3000 than to let one slip through.