sk3tch
Here is a list of packers/crypters I'm using to test AV software:

01) ASPack 2.12
02) ASProtect 1.23 RC4 build 08.07
03) ExeStealth 3.04
04) FSG 2.0
05) MEW11 SE 1.2
06) MoleBox 2.3.3
07) Morphine 2.7
08) PECompact2 2.55
09) UPX 1.25W
10) yoda's Crypter 1.3
11) yoda's Protector 1.0b

Anything else worthwhile I should test and/or any newer versions I'm missing? (I think I'm current on all of the above.)

Thanks!!!!
sk3tch
I'm doing pretty well this weekend at talking to myself...heh.

I added a couple others:

(Win)UPack 0.27 beta
PE-PACK 1.0
Packman 0.0.0.1
exe32pack 1.42
Petite 2.3
WWPack32 1.20
kbnet
Alright m8, there's loads listed on a site called "programming tools"; they have decompilers, packers, unpackers and a section called fun stuff. I don't have the link though, because I've recently done a clean install and didn't back it up. I'm sure I've seen it listed on govsec before. I will try and find out what it was. The site has green text with a black background. If anyone knows the site I'm talking about, could you please post the link? Cheers.

Can we have more details on the tests you are running?
sk3tch
Ah yes, I think I know what site you're referring to, I've been using it (and the thread I created a few months ago with a survey of member's fav packers) to compile my list:

http://protools.reverse-engineering.net/packers.htm

As far as the tests go, I was initially going to use EICAR, but getting that into a recognizable-by-all PE format has been somewhat of an issue. Compressing it and creating an SFX works, but the resulting packed file doesn't. Binding it to other files works, but AV detects the binders instead of the contents (oops). So I ended up downloading Nimda...not very professional to use in-the-wild viruses, but it is for closed-circuit tests (I'm using my honeypots), so hopefully it won't be looked upon too badly. Nimda is packed with 21 different packers/crypters and then I run the full package of files through each AV product I have on my honeypots (12 in all); which products detect which Nimda variants is being charted, etc.

Just an experiment that I'm using to supplement a paper I'm writing on antivirus products and their performance.
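The test above records only whether each AV product has a signature for a given packed sample. A defender-side complement is to flag the packing itself, independent of any signature, so that a packed executable gets a second look even when the scanner reports it clean. The script below is an added example (not sk3tch's test harness or any AV vendor's code) that walks a PE section table and reports two packer hints: section names that packers from this thread's list are commonly reported to write (a constructed lookup; UPX0/UPX1 and .aspack/.adata are the ones I am confident of, the rest are assumptions to verify against your own samples) and sections whose Shannon entropy is high enough to indicate compressed or encrypted content. The sample images are constructed in the `build_sample_pe` helper, which writes an MZ stub, PE signature and COFF header with no optional header; it is enough for the parser but is not a loadable executable.

```python
import math
import struct

# Constructed lookup of section names reported for packers in this thread's list.
# Assumption: a starting point for triage, not ground truth; packers can rename sections.
PACKER_SECTION_NAMES = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".petite": "Petite",
    ".yP": "yoda's Protector",
}

# Shannon entropy (bits per byte, max 8.0) at or above this usually means
# compressed or encrypted data rather than ordinary code.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Yield (name, raw_bytes) per section: MZ -> e_lfanew -> 'PE\\0\\0' ->
    COFF header -> skip optional header -> 40-byte section headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        hdr = image[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr: raw_ptr + raw_size]


def triage(image: bytes) -> dict:
    """Return packer hints for one PE image: matched section names and
    high-entropy sections, plus an overall 'likely_packed' verdict."""
    named = {}
    hot = []
    for name, data in parse_sections(image):
        if name in PACKER_SECTION_NAMES:
            named[name] = PACKER_SECTION_NAMES[name]
        if shannon_entropy(data) >= HIGH_ENTROPY:
            hot.append(name)
    return {"named_packer_sections": named,
            "high_entropy_sections": hot,
            "likely_packed": bool(named or hot)}


def build_sample_pe(sections) -> bytes:
    """Constructed test input (not a real executable): MZ stub, PE signature,
    COFF header without optional header, section headers, then raw section data."""
    num = len(sections)
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)          # 64 bytes, e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, 0, 0x102)   # i386, num sections, no opt hdr
    table, body = b"", b""
    ptr = e_lfanew + 4 + 20 + 40 * num                               # raw data starts after headers
    for name, data in sections:
        table += name.encode().ljust(8, b"\0")
        table += struct.pack("<IIII", len(data), 0x1000, len(data), ptr)  # VSize, VA, RawSize, RawPtr
        table += b"\0" * 16                                               # relocs/linenums/characteristics
        body += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + table + body


def demo():
    """Triage one plain-looking image and one UPX-looking image (both constructed)."""
    plain = build_sample_pe([(".text", bytes(i % 16 for i in range(512))),
                             (".data", b"\0" * 256)])
    packed = build_sample_pe([("UPX0", b""),                      # UPX0 has no raw data on disk
                              ("UPX1", bytes(range(256)) * 4),   # uniform bytes: entropy 8.0
                              (".rsrc", b"A" * 64)])
    return triage(plain), triage(packed)


if __name__ == "__main__":
    for label, result in zip(("plain", "packed"), demo()):
        print(label, result)
```

Both hints are heuristics: a packer that blanks its section names defeats the lookup, and a large resource section full of compressed images will trip the entropy check on a benign binary. Treat a hit as a reason to sandbox or unpack the file, not as a malware verdict; that is exactly the gap the thread's per-packer detection rates expose.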
Thom
http://www.softpedia.com/get/Programming/P...ers-Protectors/

There's a bunch of others as well.
Reclone
Here is another site with a lot of packers/compressors/crypters etc.:
http://www.exetools.com/
sk3tch
Thank you guys. I've completed that part of my research.

Ended up using the list above as it stands (20 different packing methods, including zip sfx/rar sfx)...because the testing was too time consuming to continually re-work with new packers. I think I covered the major bases.

My paper won't be released until later this year due to copyright (it is for a conference) but I can give you a small preview on the packers data. I broke down the testing by realtime and manual scans. There were 13 AV products involved, and the aforementioned 20 pack methods (it is out of 21 because one file was the Nimda sample without any additional packing):

1) Kaspersky
Realtime: 17/21
Manual: 19/21

2) BitDefender
Realtime: 12/21
Manual: 16/21

3) (TIE) McAfee
Realtime: 9/21
Manual: 15/21

3) (TIE) Sophos
Realtime: 12/21
Manual: 12/21

LAST) NOD32
Realtime: 1/21
Manual: 1/21
(i.e. it detected NONE of the packed samples)

There ya have it...of course I have details on who missed what, etc. etc., but unfortunately I can't provide too much of that. I just wanted to give a glimpse so you guys get something out of my posts from the past few days. I'd say if you were going to pick AV based purely on the amount of packers they support, the choice is clear. Of course, there are many other factors involved in the decision, but this is quite important.

I will be making my paper available as soon as I am allowed to. Thanks guys!!!
saetji
Nice. Out of curiosity, what were the other 3 packers you used, since I only see 17 listed in your original 2 posts and none after that?
sk3tch
Ah, sorry...here's the complete list:

QUOTE
Nimda
Nimda SFX Zip
Nimda SFX RAR
ASPack 2.12
ASProtect 1.23 RC4 build 08.07
exe32pack 1.42
EXECryptor 2.0
ExeStealth 3.04
FSG 2.0
MEW11 SE 1.2
MoleBox 2.3.3
Morphine 2.7
Packman 0.0.0.1
PECompact2 2.55
PE-PACK 1.0
Petite 2.3
UPX 1.25W
WWPack32 1.20
yoda's Crypter 1.3
yoda's Protector 1.0b
(Win)UPack 0.27 beta
UnL0ad
What packers were used that made the exe undetectable in Kaspersky?
TeXT
The tools are only for compressing, not for hiding viruses. =)
Use your hands, and some brains, to undetect viruses. ;)
sefe
QUOTE(UnL0ad @ Jun 21 2005, 10:18 PM)
What packers were used that made the exe undetectable in Kaspersky?

I know EXECryptor hides files from ALL AV. ;)