Packers (compressors)
Did you know that there is a way to take known Trojan executables and compress them so they are unrecognizable to anti-virus software? Packers are programs that do exactly this, effectively rendering your anti-virus software useless at defending against known Trojans. Packers are compression tools that compress Win32 .EXE files and, in doing so, change the binary signature of the executable. The resulting compressed executable can bypass any static anti-virus scanning engine, because the virus signature it would match on is itself compressed.
NeoLite is a publicly available "point and click" software program that allows anyone to "cloak" known Trojan executables. NeoLite was used in December 1999 to create MiniZip, a compressed version of the infamous ExploreZip worm. MiniZip spread globally in a matter of hours, completely undetected by anti-virus software. There are many different varieties of packers available on the Web, including Shrinker, PKlite, AS-pack, Petite, and WWpack.
Binders
Binders are programs that allow hackers to "bind" two or more executables together, resulting in a single .EXE file. These are useful tools for an attacker because they make it easy to insert a Trojan executable into a harmless .EXE animation, e-greeting or other EXE of the kind commonly passed around as an e-mail attachment. There are several "point and click" binders available for free download on the Web, including Infector v2 (pictured left), Exe-Maker, Exe-Joiner, Trojan Man, Elitewrap and TOP.
Anti-virus vendors want you to think that they can protect you. They all claim to support various compression algorithms. This is only half-true: the compression formats that anti-virus vendors support are not true executable compressors.
Anti-virus vendors only handle archiving compression tools, where the compressed file is simply extracted back to its original state and size before it is executed. These tools (e.g., WinZip) can be used to compress any file, not just executables. The fact that they may self-extract does not make them true PE (portable executable) compressors. True PE compressors like NeoLite change the executable itself and do not restore the original file to its previous state on disk before it executes. The only way an anti-virus vendor can detect a hostile executable compressed in this manner is to add the packed file's own signature to its virus definition database. So why don't anti-virus vendors add these new definitions? There are simply too many hostile executables and PE compressors to handle the number of different combinations of unique signatures efficiently.
"If anti-virus programs included computer code to read every type of file compression software, the scanning programs would be huge and incredibly slow. The anti-virus companies worry that this would frustrate users and cause them to disable the programs, said Vincent Weafer, Director, Symantec AntiVirus Research Center." (San Jose Mercury News 12/1/99)
In addition, Trojan programs can be compressed multiple times with different compression tools, requiring an effectively unlimited number of unique signatures that an anti-virus vendor would need to add to its database. The bottom line is that anti-virus software alone is not enough to protect you. The only way to stop an executable from harming your PC is to run it in a proactive "sandbox" environment and monitor its behavior for malicious activity in real time.
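The following is an added example, not code from the original page or from any of the products it names. It models the two points made above: a fixed byte signature stops matching once the executable body is compressed, and every layer of packing would need its own unpacker in the scanner before the signature becomes visible again. It also shows one packer-agnostic triage check a scanner can apply without knowing the packer: compressed code has near-random byte statistics, so a high Shannon entropy flags a likely packed body. All of this rests on assumptions: zlib stands in for a PE compressor such as NeoLite (a real packer also prepends a decompression stub so the file still runs), the "Trojan" body, its signature and the entropy threshold are constructed for the demo, and nothing here parses a real PE file.

```python
"""Added example (not from the original page): signature scanning versus
packed executables, layered unpacking, and an entropy heuristic.
zlib stands in for a PE compressor; the sample body is constructed."""
import math
import random
import zlib

# Constructed stand-in for an anti-virus definition: a byte pattern
# taken from the unpacked body.
SIGNATURE = b"EVIL_PAYLOAD_MARKER"


def _build_sample(n_words: int = 20000) -> bytes:
    """Constructed, reproducible stand-in for a known Trojan's body:
    a fake 'MZ' header, some padding, and text-like 'code' with the
    signature embedded in the middle."""
    rng = random.Random(7)  # fixed seed so the sample never changes
    vocab = [b"mov", b"eax", b"ebx", b"push", b"pop", b"call", b"ret", b"jmp",
             b"xor", b"add", b"sub", b"cmp", b"jne", b"lea", b"inc", b"dec"]
    body = b" ".join(rng.choice(vocab) for _ in range(n_words))
    half = len(body) // 2
    return b"MZ" + b"\x00" * 64 + body[:half] + SIGNATURE + body[half:]


SAMPLE_TROJAN = _build_sample()


def pack(data: bytes, layers: int = 1) -> bytes:
    """Model a PE compressor by compressing the body 'layers' times
    (the article's 'compressed multiple times' case)."""
    for _ in range(layers):
        data = zlib.compress(data, 9)
    return data


def signature_hit(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Static scan: does the fixed pattern occur anywhere in the bytes?"""
    return signature in data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Packer-agnostic heuristic: compressed or encrypted code is close
    to random, so high entropy suggests a packed body even when no
    signature matches. Caveat: legitimate installers and media resources
    score high too, so treat this as a triage hint, not a verdict.
    The 7.0 threshold is an assumption chosen for this demo."""
    return shannon_entropy(data) >= threshold


def scan_with_unpacking(data: bytes, max_layers: int = 8) -> dict:
    """Model of a scanner that understands this one packer: scan, peel a
    layer, scan again, until the bytes no longer decompress. Every extra
    packer format in the wild needs its own peel step here, which is the
    scaling problem the article describes."""
    layers = 0
    while layers < max_layers:
        if signature_hit(data):
            return {"hit": True, "layers_peeled": layers}
        try:
            data = zlib.decompress(data)
        except zlib.error:  # not this packer's format: nothing more to peel
            break
        layers += 1
    return {"hit": signature_hit(data), "layers_peeled": layers}


if __name__ == "__main__":
    samples = [("plain", SAMPLE_TROJAN),
               ("packed x1", pack(SAMPLE_TROJAN, 1)),
               ("packed x2", pack(SAMPLE_TROJAN, 2))]
    for name, blob in samples:
        print(f"{name:10} signature={signature_hit(blob)!s:5} "
              f"entropy={shannon_entropy(blob):.2f} "
              f"looks_packed={looks_packed(blob)} "
              f"unpacking_scan={scan_with_unpacking(blob)}")
```

Running the block prints one line per sample: the plain body matches the signature and has low entropy, both packed forms miss the signature but score high on entropy, and `scan_with_unpacking` only recovers the match after peeling exactly as many layers as were applied. The entropy check is what makes a generic packed-file flag possible without a per-packer definition; the unpacking loop is the per-packer cost the article says vendors cannot pay for every tool.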