metasploit-framework July 2010 archive

Re: [framework] New Javascript Packer: JSidle

From: Miguel Rios <miguelrios35_at_nospam>
Date: Sun Jul 11 2010 - 17:59:53 GMT
To: framework@spool.metasploit.com, Jonathan R <agentsmith15@gmail.com>

Well, just thought I'd share my results with NOD after applying the jsidle patch for the new icon Adobe exploit. Bottom line, NOD still flags it as PDF/Exploit.Gen. Tried encrypting it also, and it did cut down on detections, but NOD still flags it as PDF/Exploit.Gen.
Seems NOD is doing a pretty good job of flagging malicious PDFs.

--- On Sat, 7/10/10, Jonathan R <agentsmith15@gmail.com> wrote:

From: Jonathan R <agentsmith15@gmail.com>
Subject: Re: [framework] New Javascript Packer: JSidle
To: "Miguel Rios" <miguelrios35@yahoo.com>, framework@spool.metasploit.com
Date: Saturday, July 10, 2010, 11:15 PM

NOD prides itself on having one of the best heuristics engines, so
I believe NOD would mark the PDF as suspicious and not as a specific
threat. You can do what many malware writers do and split the PDF into
multiple parts, so you can narrow the range of where/what in the PDF
is getting flagged. Then change things accordingly.

This idea of delaying code to bypass detection has been brought up
before by well known virus writers like Z0mbie and Second Part To
Hell/[rRlf].
http://vxheavens.com/lib/vzo23.html <--- Z0mbie's paper
http://www.hack0wn.com/view.php?xroot=72.0&cat=papers <--- SPTH/rRlf

This is all based upon the fact that an anti-virus like Norton or NOD
can only spend about 3 or 4 seconds on each file. Otherwise an AV scan
would take too long.

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework