Hey everyone, sorry for bothering you guys with my question, but is there a scanner that could detect payloads and viruses that are encrypted?
- Thanks for your time, D3ATH
7 Responses
No, even Quick Heal can't detect most of the payloads.
Maybe check out this post: http://security.stackexchange.com/questions/90105/how-to-detect-an-encrypted-virus
Unencrypt it and then scan it.
You obviously don't understand the concept of encryption, buddy.
Well good luck scanning encrypted files. Guess there will be loads of critical info in that.
There are methods involving reverse engineering techniques. If you've read Occupy4Elies' link, it says that there is a loader which contains the deobfuscation routine to extract the obfuscated virus (I'm assuming this would be during runtime). What you can do is find the Address of Entry Point (which is where the code begins execution), then attempt to locate where the loader exists, and from there you should be able to trace where the encryption key is or how the deobfuscation method is applied. Once the loader finishes, it would usually involve some method of returning or jumping back to its original entry point, which should now be the deobfuscated malicious code. From there (I'm not exactly sure), you should be able to dump the (deobfuscated) disassembly and then scan it with something like VirusTotal.
If you want more information on the loader aspect, I have recently written up a couple of articles explaining two possible methods.
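As an added example (not code from the original poster or from any of the replies), the steps in the answer above in miniature: a constructed "packed" image with a tiny loader stub, a naive signature scanner that misses the encrypted body, and recovery of the XOR key from the stub so the decrypted body can be scanned. The stub layout (a `STUB` magic, a one-byte key, a length field), the marker string and the key are all hypothetical; a real loader would be located from the entry point and traced under a debugger or emulator, not found by a fixed magic. It also goes one step past the reply by adding a brute-force fallback for the case where the key byte cannot be read directly from the stub, which is only feasible because the toy cipher is single-byte XOR.

```python
"""
Toy packed-payload demo: why a signature scanner misses an encrypted body and
how recovering the key from the loader stub lets you scan the plaintext.
All formats, markers and keys here are constructed for illustration only.
"""
from __future__ import annotations

# Constructed "signature": the byte pattern our toy scanner looks for.
SIGNATURE = b"EVIL_PAYLOAD_MARKER"

# Constructed loader layout (hypothetical, not any real packer):
#   "STUB" (4) | XOR key (1) | payload length, little-endian (4) | encrypted payload
STUB_MAGIC = b"STUB"
HEADER_LEN = len(STUB_MAGIC) + 1 + 4

# Constructed sample payload: two NOP-like bytes, the marker, a RET-like byte.
SAMPLE_PAYLOAD = b"\x90\x90" + SIGNATURE + b"\xc3"
SAMPLE_KEY = 0x5A


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the toy stand-in for the loader's decryption routine."""
    return bytes(b ^ key for b in data)


def pack(payload: bytes, key: int) -> bytes:
    """Build a packed image: loader header followed by the XOR-encrypted body."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    return STUB_MAGIC + bytes([key]) + len(payload).to_bytes(4, "little") + xor_bytes(payload, key)


def scan(data: bytes) -> bool:
    """Naive signature scanner: True if the known marker appears in the bytes."""
    return SIGNATURE in data


def locate_loader(image: bytes) -> tuple[int, int] | None:
    """Find the loader stub by its magic and return (key, offset of encrypted body).

    Stand-in for the manual step of walking from the entry point to the stub.
    """
    off = image.find(STUB_MAGIC)
    if off < 0:
        return None
    key = image[off + len(STUB_MAGIC)]
    return key, off + HEADER_LEN


def unpack(image: bytes) -> bytes | None:
    """Read the key out of the stub, decrypt the body, return the plaintext."""
    found = locate_loader(image)
    if found is None:
        return None
    key, body_off = found
    length = int.from_bytes(image[body_off - 4:body_off], "little")
    return xor_bytes(image[body_off:body_off + length], key)


def brute_force_key(body: bytes) -> int | None:
    """Fallback when the key byte cannot be read from the stub: try all 256 keys
    and keep the one whose plaintext carries the signature. Only viable for a
    single-byte XOR cipher; a real key would have to be traced, not guessed."""
    for key in range(256):
        if scan(xor_bytes(body, key)):
            return key
    return None


def analyze(image: bytes) -> dict:
    """Scan the image as-is, then again after unpacking, and report both results."""
    result = {"static_hit": scan(image), "unpacked_hit": False, "key": None}
    plain = unpack(image)
    if plain is not None:
        result["unpacked_hit"] = scan(plain)
        result["key"] = locate_loader(image)[0]
    return result


if __name__ == "__main__":
    image = pack(SAMPLE_PAYLOAD, SAMPLE_KEY)
    print("scan of packed image   :", scan(image))
    print("scan of unpacked body  :", scan(unpack(image)))
    print("key recovered from stub:", hex(analyze(image)["key"]))
    print("key by brute force     :", hex(brute_force_key(image[HEADER_LEN:])))
```

Run it as a script to see the scanner miss the packed image and hit the decrypted body; the `analyze` result is what a practitioner would log for each sample.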
Wow, great answer! Sounds like you know a lot about it; you should definitely submit your articles!