
codeCrypter

by tibbar @ 2006-03-01 - 23:25:13

Back on 28/12/2005 I released a public version of a crypter called CodeCrypter on the site www.governmentsecurity.org.

The purpose of the release was to demonstrate how ineffective AV products are at detecting malware. I also released the source code of the tool there.

Now, over 3 months later, I thought I'd check that all the AV vendors are detecting it... the results are very disappointing.

Using the VirusTotal service, here are the results of crypting a rootkit called "hxdef". This is the most popular rootkit used by hackers (www.hxdef.org).

Scan of hxdef packed with codecrypter 0.31, including resource packing, on 1 March 2006:

Antivirus            Version          Update       Result
AntiVir              6.33.1.53        03.01.2006   no virus found
Avast                4.6.695.0        03.01.2006   no virus found
AVG                  718              03.01.2006   no virus found
Avira                6.33.1.53        03.01.2006   no virus found
BitDefender          7.2              03.01.2006   MemScan:Backdoor.HacDef.BR
CAT-QuickHeal        8.00             03.01.2006   (Suspicious) - DNAScan
ClamAV               devel-20060126   03.01.2006   no virus found
DrWeb                4.33             03.01.2006   no virus found
eTrust-InoculateIT   23.71.90         03.01.2006   no virus found
eTrust-Vet           12.4.2100        03.01.2006   no virus found
Ewido                3.5              03.01.2006   no virus found
Fortinet             2.71.0.0         03.01.2006   suspicious
F-Prot               3.16c            03.01.2006   no virus found
Ikarus               0.2.59.0         03.01.2006   Backdoor.Win32.HacDef.084
Kaspersky            4.0.2.24         03.01.2006   no virus found
McAfee               4708             03.01.2006   no virus found
NOD32v2              1.1422           03.01.2006   a variant of Win32/HacDef
Norman               5.70.10          03.01.2006   no virus found
Panda                9.0.0.4          03.01.2006   Suspicious file
Sophos               4.03.0           03.01.2006   no virus found
Symantec             8.0              03.01.2006   no virus found
TheHacker            5.9.5.103        02.28.2006   no virus found
UNA                  1.83             03.01.2006   no virus found
VBA32                3.10.5           03.01.2006   BackDoor.HackDef.164

Out of 24 AV vendors, only 4 correctly identified the file as hxdef. Another 3 marked it as suspicious.

This means that roughly 30% of AV products detect the file, 3 months after the release of the packer. More worryingly, none of the popular AV products are detecting it (KAV, McAfee, Symantec).

I suspect that the ones which do detect it are not recognising the packer, but are instead seeing the Import Address Table of hxdef, which I did not encrypt.

Very poor response time, given the amount of fees that they charge.
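To reproduce the tally above from the raw scan text, here is an added example (not part of the original post or the CodeCrypter tool) that parses VirusTotal-style result rows and buckets each engine's verdict as identified (names the hxdef family), suspicious (heuristic flag only) or missed; the sample input is the 24 rows quoted above, embedded as constructed test data.

```python
import re
# Constructed sample input: the 24 VirusTotal rows quoted in the post.
SCAN_TEXT = """\
AntiVir 6.33.1.53 03.01.2006 no virus found
Avast 4.6.695.0 03.01.2006 no virus found
AVG 718 03.01.2006 no virus found
Avira 6.33.1.53 03.01.2006 no virus found
BitDefender 7.2 03.01.2006 MemScan:Backdoor.HacDef.BR
CAT-QuickHeal 8.00 03.01.2006 (Suspicious) - DNAScan
ClamAV devel-20060126 03.01.2006 no virus found
DrWeb 4.33 03.01.2006 no virus found
eTrust-InoculateIT 23.71.90 03.01.2006 no virus found
eTrust-Vet 12.4.2100 03.01.2006 no virus found
Ewido 3.5 03.01.2006 no virus found
Fortinet 2.71.0.0 03.01.2006 suspicious
F-Prot 3.16c 03.01.2006 no virus found
Ikarus 0.2.59.0 03.01.2006 Backdoor.Win32.HacDef.084
Kaspersky 4.0.2.24 03.01.2006 no virus found
McAfee 4708 03.01.2006 no virus found
NOD32v2 1.1422 03.01.2006 a variant of Win32/HacDef
Norman 5.70.10 03.01.2006 no virus found
Panda 9.0.0.4 03.01.2006 Suspicious file
Sophos 4.03.0 03.01.2006 no virus found
Symantec 8.0 03.01.2006 no virus found
TheHacker 5.9.5.103 02.28.2006 no virus found
UNA 1.83 03.01.2006 no virus found
VBA32 3.10.5 03.01.2006 BackDoor.HackDef.164
"""
# vendor, version, update date (MM.DD.YYYY), then the free-text verdict
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d\d\.\d\d\.\d{4})\s+(.*)$")
FAMILY = re.compile(r"hack?def", re.I)  # HacDef / HackDef spellings in the results
SUSPICIOUS = re.compile(r"suspicious", re.I)
def classify(result: str) -> str:
    """'identified' names the hxdef family; 'suspicious' is a heuristic flag only."""
    if FAMILY.search(result):
        return "identified"
    return "suspicious" if SUSPICIOUS.search(result) else "missed"
def tally(text: str) -> dict:
    """Bucket every result row by verdict, keeping vendor names for reporting."""
    buckets = {"identified": [], "suspicious": [], "missed": []}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header or non-result lines do not match and are skipped
            buckets[classify(m.group(4))].append(m.group(1))
    return buckets
def alarm_rate(buckets: dict) -> float:
    """Fraction of engines raising any alarm (identified or suspicious)."""
    total = sum(len(v) for v in buckets.values())
    return (len(buckets["identified"]) + len(buckets["suspicious"])) / total if total else 0.0
```

Running tally(SCAN_TEXT) gives 4 identified, 3 suspicious and 17 missed, and alarm_rate returns 7/24, the "roughly 30%" figure in the post.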

Comments, Trackbacks:

Yorn [Visitor]

08/03/06 @ 22:14

Sad. They need to get their act together. I've often wondered about just creating a website submission tool that decompiles and recompiles code online. You submit an EXE and get one back that is hidden. The AV software doesn't have the server-side code, so they never know how it is done.

Like you've said before, actually scanning the memory itself will eventually be the way to go. A higher overhead, perhaps, but they'll have to do it before too long.

blackhat [Visitor]

21/07/06 @ 04:34

i can codecrypter

Fredo [Visitor]

13/03/06 @ 21:36

Pretty scary. I know there has to be some change in the AV department, but how realistic is it to have more advanced memory scanning? Already I consider most antivirus programs to be a waste of memory. I usually leave them off until I want to specifically scan something. Not necessarily smart, but I do a lot of applications with my computer and I need the CPU speed.
Anywho...
keep up with the posts, you got some great stuff going on here. More people need to take your approach to security.
Peace out.

wF [Visitor]
http://www.none.com
14/03/06 @ 15:20

OK, this looks nice, but does it also still work? Most of the time the exe is crippled.

tibbartibbar [Member]
15/03/06 @ 01:08

The crypted hxdef above is 100% functional. The encryption of resources option is a little touchy (it usually takes about 4 attempts to get a working exe).

Note that it won't work on files that are already packed, or those that attach data at the end of the file, outside of the resources section.

Scoobs [Visitor]

22/03/06 @ 23:52

In the VirusTotal scan some of the engines used look very old... the KAV one (version 4) is just ridiculous. Sorry, but I don't think these results can be considered valid. Can you upload to Jotti? I think they run newer versions. Or better still, upload to those that have an online virus scanner on their own websites.

swoopy [Visitor]

10/04/06 @ 00:53

Could you please compile a private packer for me?
Please send it to my mail address. OK buddy, thanks!

swoopy [Visitor]

10/04/06 @ 00:55

Ohh sorry, I forgot my mail. Here it is: guest@freemail.et

somename [Visitor]

24/12/06 @ 10:52

If a certain crypter is not being used ITW, many AV don't see it due to the amount of real problem malware infecting machines every day.

The professionals (online crime gangs) are using changes in their code (pouring out variants) and obfuscation, not a little crypter. Rest assured the big fish get fried first. The simplest AV can detect packed files heuristically and give an alarm; one well known one is well known for doing that too much..

The most important reason for users to have a top AV is to be protected from real threats that are on their machine at any time. The AV industry has always been driven by the need for AV, and detection strengths are worked on by priority. NOD32 is exceptional in today's climate, with obfuscation and packing countered by its unpacking and emulation, while it also detects variants of malware which are very tricky to analyse. A packer like this is easier to DETECT with a program than obfuscated malware like Busky. This malware is easy to spot with the naked eye. NOD32 has it totally nailed and KAV is brilliant in some areas but failed badly against nearly all variants of Busky up until this month or so. Now it still misses them; the implementation of detection is always bound by the engine.

Choice of AV is a problem than ever for users, but a few leading products offer really good protection against the threats they encounter. NOD32, KAV, are very good. KIS has an integrated firewall, malware behaviour protection and anti spam, so it would be my choice, but for a pure AV engine NOD32 is superb (MS should have bought them instead of RAV).

Actually MS are doing very well in areas; it could be very promising. Often very new variants are detected by them and not the other AVs; it's important that they have powerful heuristics to detect malware. I was impressed with some Busky and Zlob detections I have checked but haven't done any long time intensive comparisons.

tibbartibbar [Member]
26/12/06 @ 00:44

Back a year ago, when I released CodeCrypter, NOD32 was the only one that really could identify the offending malware, due to its sandbox facility.

The others (including KAV's in-memory scan, which seemed to be a bug) did not find it.

It's worth noting that I only did this as a POC that it's very easy to beat 90% of AV with a simple encryption method. I've not tried to repeat the test with a new algorithm 1 year later, but it would be interesting to do this.

I agree professional blackhats will not use this technique, as it's much better to work out the signatures being flagged and recompile with modified source code. I was more looking at the problem of script kiddies who just repack nasty trojans or build themselves botnets using something like rbot / sdbot etc.

Perhaps I'll redo the test again if I have time.

Thanks for the interesting comments (in all of your replies).

Regards,

Tibbar.
