Views: 2086 | Replies: 12
[Virus: share] Testing how well antivirus scanners can unpack packed viruses
Once a virus is packed, it can easily slip past antivirus monitoring. Packing means wrapping the original virus in another layer; the packed virus still launches exactly like the original, but if the antivirus monitor or scanner cannot unpack it and recognize the packed virus, the packed virus will easily evade the antivirus software.
Everyone can test whether your antivirus software's unpacking ability for various packers lets it easily recognize a virus that has been packed, leaving packed viruses nowhere to hide.
http://edited-by-poster-dead-link/gmails/
Go to the site above and download Original File; it needs to be extracted [the password is test]. Then scan it with your antivirus scanner and see whether it raises an alert. If there is no alert, the steps that follow are unnecessary, because if the original virus file raises no alert, the packed viruses certainly won't either. If the scanner detects a virus, continue with the steps below.
Now download:
[1] 01 to 07 files packed with different packers
[2] 08 to 14 files packed with different packers
[3] 15 to 23 files packed with different packers
These are three files in total. First turn off your antivirus monitor, then extract them into a new directory [folder]. The files are 01, 02, 03, ..., 23, representing 23 different commonly used packers; some may have several layers applied.
Now scan the 23 files with your antivirus and see how many files it reports as infected. You can then compare the virus name; it should be the same as the one reported for the original file.
If you download and test, could you report which version of antivirus software you used and how many viruses it reported?
Thank you.
[ Last edited by 打枪 on 17-9-2004 at 12:26 PM ]

Posted on 27-4-2004 08:29 AM
Kaspersky 3.5 [Swiss version]
Below is the scan report (log file) for original-virus-file.exe.
http://www.kav.ch/E/dlwin35.stm
http://download1.kav.ch/avpfiles/win32/a32f350.exe [trial version; choose custom installation and do not install the control center. On Windows 2000/Windows NT you can choose "install as system" for low-level execution protection.]
Note that the log file shows no packer information at all, meaning the file is not packed. It is the original file.
===================
KAV Scan 04/27/2004 07:46:43 AM
c:\test\original-virus-file.exe detected: Backdoor.TTY.30
Scan process complete.
Tuesday, 27 April, 2004 7:46 AM
Tuesday, 27 April, 2004 7:46 AM Antiviral Toolkit Pro started:
______________________________________________________________________
Scanned
Sector Objects : 0
Files : 1
Folders : 1
Archives : 0
Packed : 0
Found
Viruses : 1
Virus bodies : 1
Disinfected : 0
Deleted : 0
Warnings : 0
Suspicious : 0
Corrupted : 0
I/O Errors : 0
Scan speed (Kb/sec) : 0
Scan time :
______________________________________________________________________
Tuesday, 27 April, 2004 7:46 AM Antiviral Toolkit Pro finished:

Posted on 27-4-2004 08:40 AM
Kaspersky 3.5 Swiss version test results
Since it raised an alert on the original file, we can go on to test the 23 packed files.
Below are the Kaspersky 3.5 [Swiss version] report log files; note the reports for the various packers.
For example:
c:\test\01.exe packed: Shrinker
c:\test\01.exe detected: Backdoor.TTY.30
means 01.exe has one layer of packing, and the packer is called Shrinker.
For example:
c:\test\23.exe packed: ASPack
c:\test\23.exe packed: ASPack
c:\test\23.exe packed: PECompact
c:\test\23.exe detected: Backdoor.TTY.30
means 23.exe has three layers of packing: the first layer is PECompact, the second is ASPack, and the third is ASPack.
10.exe, 11.exe and 12.exe show ok with no packer information, which means these packers could not be unpacked, so the files could not be detected as viruses. The result is:
20/23
23 files, 20 reported.
=======================================
KAV Scan 04/27/2004 07:56:58 AM
c:\test\01.exe packed: Shrinker
c:\test\01.exe detected: Backdoor.TTY.30
c:\test\02.exe packed: Petite
c:\test\02.exe detected: Backdoor.TTY.30
c:\test\03.exe packed: Neolite
c:\test\03.exe detected: Backdoor.TTY.30
c:\test\04.exe packed: PE_Patch
c:\test\04.exe packed: ASProtect
c:\test\04.exe detected: Backdoor.TTY.30
c:\test\05.exe packed: PKLite32
c:\test\05.exe detected: Backdoor.TTY.30
c:\test\06.exe packed: PKLite32
c:\test\06.exe packed: Pex
c:\test\06.exe detected: Backdoor.TTY.30
c:\test\07.exe packed: Exe32Pack
c:\test\07.exe detected: Backdoor.TTY.30
c:\test\12.exe ok.
c:\test\09.exe detected: Backdoor.TTY.30
c:\test\10.exe ok.
c:\test\11.exe ok.
c:\test\08.exe packed: PELock
c:\test\08.exe detected: Backdoor.TTY.30
c:\test\13.exe packed: PE_Patch
c:\test\13.exe packed: TeLock
c:\test\13.exe detected: Backdoor.TTY.30
c:\test\14.exe packed: PCShrink
c:\test\14.exe detected: Backdoor.TTY.30
c:\test\22.exe packed: ASPack
c:\test\22.exe detected: Backdoor.TTY.30
c:\test\16.exe packed: Pex
c:\test\16.exe detected: Backdoor.TTY.30
c:\test\17.exe packed: WWPack32
c:\test\17.exe detected: Backdoor.TTY.30
c:\test\18.exe packed: PE_Patch
c:\test\18.exe packed: TeLock
c:\test\18.exe detected: Backdoor.TTY.30
c:\test\19.exe packed: FSG
c:\test\19.exe detected: Backdoor.TTY.30
c:\test\20.exe packed: PE-Pack
c:\test\20.exe detected: Backdoor.TTY.30
c:\test\21.exe packed: UPX
c:\test\21.exe detected: Backdoor.TTY.30
c:\test\15.exe packed: WWPack32
c:\test\15.exe detected: Backdoor.TTY.30
c:\test\23.exe packed: ASPack
c:\test\23.exe packed: ASPack
c:\test\23.exe packed: PECompact
c:\test\23.exe detected: Backdoor.TTY.30
Scan process complete.
Tuesday, 27 April, 2004 7:56 AM
Tuesday, 27 April, 2004 7:56 AM Antiviral Toolkit Pro started:
______________________________________________________________________
Scanned
Sector Objects : 0
Files : 23
Folders : 1
Archives : 0
Packed : 19
Found
Viruses : 2
Virus bodies : 20
Disinfected : 0
Deleted : 0
Warnings : 0
Suspicious : 0
Corrupted : 0
I/O Errors : 0
Scan speed (Kb/sec) : 329
Scan time : 00:32
______________________________________________________________________
Tuesday, 27 April, 2004 7:57 AM Antiviral Toolkit Pro finished:

Posted on 27-4-2004 08:44 AM
Dr.Web 4.31b test on the original file
http://www.sald.com/get.html
ftp://ftp.drweb.ru/pub/drweb/drweb32.zip [trial version]
Dr.Web 4.31b scan report for the original file
===========================
[Scan path] C:\test
C:\test\original-virus-file.exe infected with BackDoor.TTY.30
-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 1
Infected objects found: 1
Objects with modifications found: 0
Suspicious objects found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Scan speed: 500 Kb/s
Scan time: 00:00:00
-----------------------------------------------------------------------------

Posted on 27-4-2004 08:54 AM
Dr.Web 4.31b test results
Since it raised an alert on the original file, we can go on to test the 23 packed files.
Below are the Dr.Web 4.31b report log files; note the reports for the various packers.
For example:
C:\test\23.exe packed by ASPACK
>C:\test\23.exe packed by ASPACK
>>C:\test\23.exe packed by PECOMPACT
>>>C:\test\23.exe infected with BackDoor.TTY.30
means 23.exe has three layers of packing: the first layer is PECompact, the second is ASPack, and the third is ASPack.
The test result is:
11/23
Of the 23 packed files, 11 are reported. The rest show Ok, which means the packed file could not be unpacked, so it could not be detected as a virus file.
Users of other antivirus software, please join in and test too: McAfee, Norton, PC-cillin, NOD32, etc.
==========================
[Scan path] C:\test
C:\test\01.exe - Ok
C:\test\02.exe - Ok
C:\test\03.exe - Ok
C:\test\04.exe - Ok
C:\test\05.exe - Ok
C:\test\06.exe - Ok
C:\test\07.exe - Ok
C:\test\12.exe - Ok
C:\test\09.exe - Ok
C:\test\10.exe - Ok
C:\test\11.exe - Ok
C:\test\08.exe - Ok
C:\test\13.exe packed by TELOCK
>C:\test\13.exe infected with BackDoor.TTY.30
C:\test\14.exe packed by PCSHRINK
>C:\test\14.exe infected with BackDoor.TTY.30
C:\test\22.exe packed by ASPACK
>C:\test\22.exe infected with BackDoor.TTY.30
C:\test\16.exe packed by PEX
>C:\test\16.exe infected with BackDoor.TTY.30
C:\test\17.exe packed by WWPACK32
>C:\test\17.exe infected with BackDoor.TTY.30
C:\test\18.exe packed by TELOCK
>C:\test\18.exe infected with BackDoor.TTY.30
C:\test\19.exe packed by FSG
>C:\test\19.exe infected with BackDoor.TTY.30
C:\test\20.exe packed by PEPACK
>C:\test\20.exe infected with BackDoor.TTY.30
C:\test\21.exe packed by UPX
>C:\test\21.exe infected with BackDoor.TTY.30
C:\test\15.exe packed by WWPACK32
>C:\test\15.exe infected with BackDoor.TTY.30
C:\test\23.exe packed by ASPACK
>C:\test\23.exe packed by ASPACK
>>C:\test\23.exe packed by PECOMPACT
>>>C:\test\23.exe infected with BackDoor.TTY.30
-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 23
Infected objects found: 11
Objects with modifications found: 0
Suspicious objects found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Scan speed: 326 Kb/s
Scan time: 00:00:18
-----------------------------------------------------------------------------
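The two log formats shown in the Kaspersky and Dr.Web posts above (KAV's `packed:` / `detected:` / `ok.` lines, and Dr.Web's `packed by` / `infected with` lines with one `>` per peeled layer) can be parsed to recover the packer stack per file and the N/23 score the thread quotes. This is an added Python example, not code from the original posts; the log excerpts inside it are constructed from the lines quoted in the thread.

```python
import re
from collections import OrderedDict

# Constructed excerpts in the two log formats this thread shows
# (Kaspersky 3.5 "KAV Scan" and Dr.Web 4.31b), taken from the lines quoted above.
KAV_LOG = """\
c:\\test\\01.exe packed: Shrinker
c:\\test\\01.exe detected: Backdoor.TTY.30
c:\\test\\12.exe ok.
c:\\test\\23.exe packed: ASPack
c:\\test\\23.exe packed: ASPack
c:\\test\\23.exe packed: PECompact
c:\\test\\23.exe detected: Backdoor.TTY.30
"""
DRWEB_LOG = """\
C:\\test\\01.exe - Ok
C:\\test\\13.exe packed by TELOCK
>C:\\test\\13.exe infected with BackDoor.TTY.30
C:\\test\\23.exe packed by ASPACK
>C:\\test\\23.exe packed by ASPACK
>>C:\\test\\23.exe packed by PECOMPACT
>>>C:\\test\\23.exe infected with BackDoor.TTY.30
"""

# One pattern per format; each line is a packer layer, a detection, or a clean verdict.
# Dr.Web prefixes one '>' per layer already peeled, so '>*' absorbs the nesting depth.
KAV_RE = re.compile(r"^(?P<path>.+?) (?:packed: (?P<packer>\S+)|detected: (?P<virus>\S+)|(?P<ok>ok\.))$")
DRWEB_RE = re.compile(r"^>*(?P<path>.+?) (?:packed by (?P<packer>\S+)|infected with (?P<virus>\S+)|- (?P<ok>Ok))$")

def parse_log(text, pattern):
    """Return {filename: {"layers": [...], "virus": name_or_None}} in log order.
    "layers" lists packers in the order the scanner peeled them (outermost first),
    so a file the engine could not unpack has an empty list and no virus name."""
    results = OrderedDict()
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if not m:
            continue  # header, footer and statistics lines
        name = m.group("path").replace("\\", "/").rsplit("/", 1)[-1].lower()
        entry = results.setdefault(name, {"layers": [], "virus": None})
        if m.group("packer"):
            entry["layers"].append(m.group("packer"))
        elif m.group("virus"):
            entry["virus"] = m.group("virus")
    return results

def coverage(results):
    """(detected, total, missed_files): the N/23 score the thread quotes, plus
    the file names whose packer the engine could not see through."""
    missed = [f for f, e in results.items() if e["virus"] is None]
    return len(results) - len(missed), len(results), missed
```

Running `coverage(parse_log(KAV_LOG, KAV_RE))` on the constructed excerpt gives 2 of 3 detected with `12.exe` missed, which is the same reading the post applies to the full 23-file log.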

Posted on 6-5-2004 02:25 PM
I just tried the PC-cillin standalone scanner. Since it raised an alert on the original file, the test could be done...
The result is:
1/23
================================
2004-05-06, 14:31:42, Clean Fail:
Copyright (c) 1990 - 2002 Trend Micro Inc.
Report Date : 5/6/2004 14:30:58
VSAPI Engine Version : 6.810-1005
VSCANTM Version : 1.0-11111728
Virus Pattern Version : 885 (63700 Patterns) (2004/05/03) (188500)
Command Line: C:\PCCILIN\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB C:\11\*.* /P=C:\PCCILIN
Can not Clean [ BKDR_TTY.30]( 1) from C:\11\original-virus-file.exe (original file)
Can not Clean [ BKDR_TTY.30]( 1) from C:\11\21.exe
24 files have been read.
24 files have been checked.
24 files have been scanned.
24 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 5/6/2004 14:31:42 41 seconds (41.58 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2004-05-06, 14:31:42, Scanner "C:\PCCILIN\VSCANTM.BIN" has finished running.

Posted on 6-5-2004 04:47 PM
NORTON ANTIVIRUS 2004 PROFESSIONAL
Test results with the 2004-05-05 virus definitions
Successfully blocked and deleted during extraction...
Original File:
01 to 23.exe:
Most of the viruses were deleted successfully during extraction; only 01, 09, 11 and 12.exe remained.
Threat Alerts log:
Category: Threat alerts
Date,Feature,Threat Name,Action Taken,Item Type,Target,Suspicious Action,Virus Definition Version,Product Version,User Name,Computer Name,Details
2004-05-06 4:47:54 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\23.exe
2004-05-06 4:47:54 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\15.exe
2004-05-06 4:47:54 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\21.exe
2004-05-06 4:47:54 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\20.exe
2004-05-06 4:47:54 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\19.exe
2004-05-06 4:47:54 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\18.exe
2004-05-06 4:47:54 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\17.exe
2004-05-06 4:47:53 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\16.exe
2004-05-06 4:47:49 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\22.exe
2004-05-06 4:47:44 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\14.exe
2004-05-06 4:47:44 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\13.exe
2004-05-06 4:47:44 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\08.exe
2004-05-06 4:47:41 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\10.exe
2004-05-06 4:47:29 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\07.exe
2004-05-06 4:47:29 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\06.exe
2004-05-06 4:47:29 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\05.exe
2004-05-06 4:47:29 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\04.exe
2004-05-06 4:47:29 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\03.exe
2004-05-06 4:47:29 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\virus-with-different-packers\02.exe
2004-05-06 4:25:55 ??,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200405050008,10.0.1.13,WLFung,FUNG-PC,Source: C:\TEST\original-virus-file.exe
The test result is:
19/23

Posted on 6-5-2004 06:19 PM
NORTON ANTIVIRUS 2004 PROFESSIONAL is very good. Does anyone have NORTON ANTIVIRUS 2003 PROFESSIONAL to test?

Posted on 22-8-2004 08:56 PM
OP, the site you gave can't be accessed. I'd like to test the latest Kaspersky and see how it scores; I myself use version 5.0.

Posted on 23-8-2004 10:31 PM

Posted on 3-9-2004 02:17 PM

Original poster
Posted on 17-9-2004 12:33 PM
weiyewc said on 23-8-2004 10:31 PM:
OP, the site you gave can't be accessed
Sorry for writing in English; I'm in a net cafe and hardly online these days.
The above website is closed :-)........
Anyway, this kind of test is ONLY VALID at the very first moment the files are created. After some time, most of the tested files will be sent by someone to the antivirus vendors [the most popular ones] and added to their definition database files, so even if you test now it won't really tell you anything.
Just use whatever is most comfortable and suitable for you.

Posted on 10-10-2004 06:27 PM