Zeuter wrote:minecraft timelapse tiltshift shader autism server youtube video
Cassiel wrote:
Ah, UPX packing will actually cause a lot of AV to flag simply because it was (maybe still is, I don't know) so common in malware.

I was expecting that for this reason some might specifically target innocent UPX. But I figured it's ok since the important scanners didn't flag it at file scan all the while; but turns out all the same suddenly made a fuss at execution. That makes me guess it's a detail of the actual two-stage load/run that UPX just happens to share with common malware, maybe something so basic that any such process pretty much must employ, so that's why only the runtime guardian shields of the cooler scanners trigger.

Cassiel wrote:
Now you're probably just as likely to see people hand-roll LZO or ZLIB in, after a resource extraction and XOR decryption pass.

Yeah, I had something like that in mind at first too, but then I was like "Naah, that shit will get flagged for sure, save yourself the time, be a good boy, go the official route"... well DUH. But even if something specific is not flagged now, it probably eventually will; eventually some asshole will use something similar to wreak havoc, and the scanners will be made to ident-mark it at code that by itself has nothing to do with that havoc, just because it's maybe the easy quick fix for an overworked AV crew.

Cassiel wrote:
Any hooking or injection will do it, too. Usually I wouldn't expect that unless you had something like a combination of CreateRemoteThread and WriteProcessMemory, which you probably aren't doing if it's self-injecting, but who knows. The heuristics are pretty simplistic.

I just don't get why out of 46 scanners only AntiVir is the last one that still flags the latest Afterlife, and it's annoying the hell out of me. Boom5 isn't flagged at all, and the difference of any significance to that matter is the custom kernel. But honestly, it doesn't do anything that fancy in terms of interfacing and asm. Maybe I'll have to make test builds line by line and have it scanned to figure out where's it at exactly. Blargh... I'll keep you informed what's up with that if/when I find it.
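The posts above talk about what trips a scanner's file-scan pass: packer section names, a compressed-then-XORed payload, and the unpack-into-memory-then-run layout that UPX shares with a lot of malware. The Python below is an added example and not code from this thread or from Afterlife/Boom5: it builds two small PE images in memory, one plain and one laid out like a UPX-packed file, and runs the kind of simplistic static checks the posts describe over both. The packer section names, the 7.0 bits/byte entropy threshold and the scores are illustrative assumptions, not any vendor's actual rules, and both images and their payloads are constructed fixtures (the "packed" payload is a deterministic SHA-256 keystream standing in for compressed, encrypted data). It models only the static side; the runtime guards the thread mentions (watching a stub write memory and then execute it, or CreateRemoteThread plus WriteProcessMemory) are a separate, dynamic layer that this does not attempt.

```python
"""Static packer heuristics of the kind a file-scan engine applies to a PE.

Added example: constructed PE fixtures and illustrative rules, not a vendor's
real heuristics and not code from the program discussed in the thread.
"""
import hashlib
import math
import struct
from collections import Counter

# IMAGE_SCN_* section characteristic flags from the PE/COFF specification.
SCN_CODE, SCN_IDATA, SCN_UDATA = 0x00000020, 0x00000040, 0x00000080
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000

# A few section names that well-known packers leave behind (UPX, ASPack, MPRESS).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".MPRESS1", ".MPRESS2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]              # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)
    off = pe + 4 + 20 + opt_size                                # section table follows the optional header
    out = []
    for i in range(nsect):
        name, vsize, _va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, off + 40 * i)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        out.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                    "vsize": vsize, "rawsize": rawsize, "chars": chars,
                    "entropy": shannon_entropy(raw)})
    return out


def analyze(image: bytes) -> dict:
    """Score a PE with simple static rules; a total of 4 or more is called 'suspicious'."""
    score, reasons = 0, []
    for s in parse_sections(image):
        n, c = s["name"], s["chars"]
        if n in PACKER_SECTION_NAMES:
            score += 3; reasons.append(f"{n}: known packer section name")
        if s["rawsize"] >= 256 and s["entropy"] >= 7.0:          # compressed or encrypted payload
            score += 2; reasons.append(f"{n}: entropy {s['entropy']:.2f} bits/byte")
        if c & SCN_WRITE and c & SCN_EXEC:                       # stub decompresses into it, then jumps
            score += 2; reasons.append(f"{n}: writable and executable")
        if s["rawsize"] == 0 and s["vsize"] and c & SCN_EXEC:    # UPX0-style unpack target
            score += 2; reasons.append(f"{n}: empty on disk, executable in memory")
    return {"score": score, "reasons": reasons,
            "verdict": "suspicious" if score >= 4 else "clean"}


def build_pe(sections) -> bytes:
    """Constructed minimal PE image: DOS stub, COFF header, section table, raw data.
    SizeOfOptionalHeader is 0 here (no optional header); parse_sections honours
    the field, so it also walks real files that carry one."""
    e_lfanew, opt_size = 0x40, 0
    raw_ptr = (e_lfanew + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table, body, va = b"", b"", 0x1000
    for name, vsize, chars, raw in sections:
        raw = raw.ljust((len(raw) + 0x1FF) & ~0x1FF, b"\0")     # file-align raw data to 0x200
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va,
                             len(raw), raw_ptr + len(body) if raw else 0, 0, 0, 0, 0, chars)
        body += raw
        va += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    return (dos + coff + table).ljust(raw_ptr, b"\0") + body


# Constructed payloads: repetitive "code" (about 2.75 bits/byte) versus a pseudorandom
# blob standing in for a compressed-then-XORed payload (SHA-256 keystream, not malware).
_PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 512
_PACKED_BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))

PLAIN_IMAGE = build_pe([
    (".text", 0x1000, SCN_CODE | SCN_EXEC | SCN_READ, _PLAIN_CODE),
    (".data", 0x1000, SCN_IDATA | SCN_READ | SCN_WRITE, b"constructed string table\0" * 16),
])
PACKED_IMAGE = build_pe([
    ("UPX0", 0x20000, SCN_UDATA | SCN_EXEC | SCN_READ | SCN_WRITE, b""),   # unpack target
    ("UPX1", 0x2000, SCN_IDATA | SCN_EXEC | SCN_READ | SCN_WRITE, _PACKED_BLOB),
    (".rsrc", 0x1000, SCN_IDATA | SCN_READ, b"\0" * 512),
])

if __name__ == "__main__":
    for label, img in (("plain", PLAIN_IMAGE), ("packed", PACKED_IMAGE)):
        r = analyze(img)
        print(f"{label}: {r['verdict']} (score {r['score']})")
        for why in r["reasons"]:
            print("  -", why)
```

Run stand-alone it reports the plain image as clean and the UPX-style one as suspicious on six counts. The same build-scan-compare loop the post proposes works on real files: pass `open(path, "rb").read()` to `analyze()` for two builds and diff the reasons, which narrows the trigger to a section layout or payload rather than to a line of source.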
RageAgainstVoid wrote:
I should probably just do youtube videos (which would then be spammed by demands for the program :roll:), but there's some experimental stuff going and I need to know about any problems on various configurations.