
How Effective



Hi raffyy,


Since the staff and people more knowledgeable than I haven't responded yet, I'll give it my best shot. Staff, experts etc. will (hopefully) correct me if I'm wrong.

For illustration purposes I'll use the fictional piece of malware called: malware.A


about crypters:

A crypter (cr.A) is used to disguise malware.A as something that is not malware.A and thus fool anti-malware programs. The only problem is that malware.A can't be executed in its 'disguised' mode. The processor wouldn't understand it. So upon execution of the disguised malware.A, malware.A is 'undisguised' (decrypted?) by the crypter, which loads the undisguised program into RAM, from where it's run. (The computer now has an active infection.)

MBAM is designed to look for active infections. (That is why the 'custom scan' function of MBAM is considered one of its most useless features.) So it looks at the undisguised file running, thus bypassing the crypters.

The 'terrifying' video on a crypter website (the first YouTube video mentioned in 'sources') shows just how well it works against passive scanning. Meaning that the malware is not executed, just boring old 'see if it matches the signatures'.

So I don't think MBAM has many problems detecting crypted software when it's active. A scan of the memory should show it. I'm not sure how well MBAM's realtime protection deals with crypters, because I don't know whether it's solely an on-access scanner or whether it keeps monitoring the processes as they run. The second YouTube video linked shows a crypter bypassing an on-access scanner.

Some AV-software targets the crypters themselves, not bothering to look at what has been disguised. I don't think MBAM does that and I'm not sure how well it is working.

about RATs:

what the Malwarebytes blog writes:

Luckily, not all is lost. If you have Malwarebytes Anti-Malware Pro installed, a few things can happen to protect you.

The web site you were sent to with the exploit would have never loaded thanks to Malwarebytes Web Protection Module

Malwarebytes Anti-Malware definitions scan for unique features at a deeper level than other AV vendors and are more likely to detect new variants of the same malware.

Malwarebytes Anti-Malware's Active Protection module would have detected the malware being executed on your system and prevented it from going any further based upon its functionality.

You can download Malwarebytes Anti-Malware and install it, even after being infected to detect and remove the threat.

Since MBAM has a commercial version (and a vague recollection) I think MBAM doesn't detect white-hat-RATs. I recall Malwarebytes intending to add an option to detect these as well, later on.

And so far, MBAM is doing nicely in the detection area. (An average time to detect of 6 hours.)

I did not find any tests of MBAM versus RATs.

Layered security:

I'm a big fan of layered security. Don't trust one piece of software to protect you. If you want some ideas, open a topic at 'general PC-help' and I'm quite sure you'll get plenty of replies.

conclusion:

MBAM should do fine against RATs with crypters, but don't rely solely on it. No protection software is perfect, and that goes for MBAM as well. So put as many hurdles as you can in the way of malware that tries to infect your computer.

And if you think you are infected, we have a special subforum dedicated to removing malware.


This is about all I can tell.

Still, if you have any questions, please ask. Even if I can't answer them, others might be able to.

sources:

my memory
http://blog.malwarebytes.org/intelligence/2014/03/malware-with-packer-deception-techniques/
http://blog.malwarebytes.org/development/2014/03/memory-scan/
http://blog.malwarebytes.org/intelligence/2012/06/you-dirty-rat-part-1-darkcomet/
http://blog.malwarebytes.org/intelligence/2012/06/you-dirty-rat-part-2-blackshades-net/
http://blog.malwarebytes.org/intelligence/2012/06/rats-of-unusual-sizes/
http://www.crypters.net/ (warning: not for the faint of heart, somehow got a green Web of Trust rating.)
http://www.youtube.com/watch?v=TtW8VpB_loQ
http://www.mrg-effitas.com/wp-content/uploads/2012/06/MRG-Effitas-Time-to-Detect-Assessment-Q4-20131.pdf
http://alwaysarticles.blogspot.nl/2010/06/guide-anti-rat.html
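The reply above describes three places a scanner can look: the file as stored on disk (where a crypter hides the body), the process memory after the stub has 'undisguised' it, and the crypter itself. The following Python script is an added illustration of those three detection angles; it is not code from the post or from Malwarebytes, and it makes no claim about how MBAM's scanner actually works. The payload text, the signature pattern, the seed and every function name (keystream, xor_bytes, signature_scan, shannon_entropy, looks_packed, simulate_loader, assess) are constructed for the example; the 'disguise' step is a toy XOR keystream standing in for whatever a real crypter does.

```python
"""Three detection angles for a crypted payload, as a self-contained toy:
  1. passive signature scan of the bytes as stored (what the crypter defeats),
  2. the same signature scan over the image after the loader stub has
     decrypted it into memory (what a memory scan sees),
  3. a packer heuristic (byte entropy) that flags the crypter itself.
All payloads, keys and signatures are constructed for this example."""
import math
import random
from collections import Counter

# Constructed stand-in for malware.A's body: harmless text, repeated so the
# blob is large enough for an entropy estimate to be meaningful.
PLAIN_BODY = b"MALWARE_A_BODY: connect-back loop; keylog; persist. " * 64
# Constructed byte pattern a signature database would hold for this family.
SIGNATURE = b"MALWARE_A_BODY"


def keystream(length: int, seed: int = 1234) -> bytes:
    """Deterministic pseudo-random key so the run is reproducible."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Toy 'disguise' step: XOR with a keystream. Applying it a second time
    restores the input, which is what the stub does before running the body."""
    return bytes(b ^ k for b, k in zip(data, key))


def signature_scan(image: bytes, signature: bytes = SIGNATURE) -> bool:
    """Passive scan: is the known pattern present in the bytes it is given
    (either the file as stored or a dump of process memory)?"""
    return signature in image


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plain code and text sit well below 8; encrypted or
    compressed regions approach 8, which is what packer heuristics key on."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic aimed at the crypter rather than at what it hides."""
    return shannon_entropy(data) >= threshold


def simulate_loader(stored_blob: bytes, key: bytes) -> bytearray:
    """What happens at execution: the stub decrypts the body into a writable
    buffer (a bytearray here stands in for the process's memory)."""
    return bytearray(xor_bytes(stored_blob, key))


def assess(stored_blob: bytes, key: bytes) -> dict:
    """Run all three checks and report which of them would have fired."""
    memory_image = simulate_loader(stored_blob, key)
    return {
        "on_disk_signature": signature_scan(stored_blob),
        "packer_heuristic": looks_packed(stored_blob),
        "memory_signature": signature_scan(bytes(memory_image)),
    }


if __name__ == "__main__":
    key = keystream(len(PLAIN_BODY))
    stored = xor_bytes(PLAIN_BODY, key)  # the file as it sits on disk
    print(f"plain entropy  : {shannon_entropy(PLAIN_BODY):.2f} bits/byte")
    print(f"stored entropy : {shannon_entropy(stored):.2f} bits/byte")
    for check, hit in assess(stored, key).items():
        print(f"{check:18s}: {'DETECTED' if hit else 'missed'}")
```

Running it shows the on-disk signature scan missing, while both the memory scan and the entropy heuristic fire. The entropy threshold of 7.0 is a constructed value; real packer heuristics work per section, use larger samples and combine entropy with other indicators, since compressed resources and legitimate installers also score high on entropy alone.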