
July 30th, 2010

Cat and mouse game

Again and again and again… That’s what comes to my mind every time I see a new variant of the Kavo family and, most recently, of the Hilot family too. These malware samples are machine-generated, and their authors can produce a “completely new” set of samples from a simple change to the generator itself. What’s the problem here? These changes are not random, as we earlier thought; they are precisely targeted against the most popular AV engines.

Let’s describe it with the Hilot case. This malware family is detected algorithmically by our engine, and the detection can be called a generic detection (meaning it relies neither on a fixed signature nor on a checksum). Once the authors noticed a higher detection rate of their binaries, they decided to change the generator. What surprised me was the tight boundary to our detection. As part of our detection process we have been checking some characteristics of a significant block inside the binary, and this block is the subject of our cat and mouse game. The Hilot authors then shifted this significant block in response. That in itself would not be that surprising, but they moved the block exactly and only as far as our checking routine did not check. The first time, I thought it might be a coincidence, and I also added a check for the moved block. But a few days afterwards, in new Hilot variants, the significant block shifted again, and again only by the necessary amount of bytes to avoid our detection. This scenario has since repeated eight times (and I think it will never stop), and that can’t be a coincidence IMO. Sometimes I even think that the Hilot authors are continuously reversing our detection. It’s a precise approach, but if someone reads our detections, who’s the cat and who’s the mouse?
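The offset race described above, as an added example that is not avast’s engine or detection code: a check tied to a fixed byte range misses a block moved just past that range, while a check tied to the block’s characteristics does not. The marker bytes, the block size, the window boundaries and the synthetic “variants” are all constructed stand-ins; the real characteristics a generic detection examines are not on the page and are not modelled here.

```python
# Added example, not avast's detection code. Models the offset race the post
# describes: a check tied to a byte range misses a block shifted just past
# that range, while a check tied to the block's characteristics does not.
# MARKER, BLOCK_LEN, the byte buffers and all offsets are constructed here.

MARKER = b"\x55\x8b\xec"   # constructed stand-in for the block's opening bytes
BLOCK_LEN = 32             # constructed block size
WINDOW_START = 0x100       # constructed: where the first variants placed the block
WINDOW_END = 0x120         # constructed: last offset the original routine examined


def block_matches(data: bytes, offset: int) -> bool:
    """Check the 'characteristics' of the block starting at offset.

    Constructed characteristic: the block opens with MARKER and contains
    at least 20 distinct byte values (a crude stand-in for the structural
    traits a generic detection would really examine).
    """
    chunk = data[offset:offset + BLOCK_LEN]
    if len(chunk) < BLOCK_LEN or not chunk.startswith(MARKER):
        return False
    return len(set(chunk)) >= 20


def detect_fixed_window(data: bytes, start: int = WINDOW_START, end: int = WINDOW_END) -> bool:
    """Brittle form: only offsets in [start, end) are examined, so whoever
    reads this routine only needs to learn 'end' to slip the block past it."""
    return any(block_matches(data, off) for off in range(start, end))


def detect_anywhere(data: bytes) -> bool:
    """Position-independent form: examine every offset at which a full block
    fits. This costs a linear pass over the file, which is why an engine would
    normally bound the scan by a structural region (e.g. a code section)
    rather than by a hard-coded byte range."""
    return any(block_matches(data, off) for off in range(len(data) - BLOCK_LEN + 1))


def make_sample(shift: int, size: int = 0x400) -> bytes:
    """Construct a synthetic 'variant' with the block placed at WINDOW_START + shift.
    The surrounding bytes are zero, so the block is the only candidate match."""
    block = MARKER + bytes(range(len(MARKER), BLOCK_LEN))  # 32 distinct byte values
    pos = WINDOW_START + shift
    body = bytearray(size)
    body[pos:pos + BLOCK_LEN] = block
    return bytes(body)


def compare(shift: int) -> tuple:
    """Return (fixed_window_result, anywhere_result) for a block shifted by 'shift'."""
    sample = make_sample(shift)
    return detect_fixed_window(sample), detect_anywhere(sample)


if __name__ == "__main__":
    for shift in (0, 0x10, 0x20, 0x80):
        fixed, anywhere = compare(shift)
        print(f"block shifted by 0x{shift:02x}: fixed-window={fixed} anywhere={anywhere}")
```

A shift of 0x20 is the first one that lands the block at the edge of what `detect_fixed_window` examines, and the fixed check goes silent while the characteristic-based check still fires. The lesson for the detection side is to anchor on what the block is rather than where it sits, and to pay for that with a bounded scan region instead of a hard-coded offset.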

The logical conclusion for you is to always keep your AV and virus database up to date. No matter how efficient the heuristics and generic detections are, malware authors seem to be quite diligent when it comes to inventing new ways of tricking even the most proactive detections.

Categories: analyses, Virus Lab
  1. July 31st, 2010 at 05:49 | #1

    Hi Michal,

    Do Hilot variants attack in a similar way to Kavo variants?
    Or are Hilot variants more advanced in attacking?

    cheers,
    yanto chiang

  2. KHR
    July 31st, 2010 at 05:59 | #2

    Well, well, this seems to be something that can get on your nerves.

  3. July 31st, 2010 at 15:25 | #3

    the forum says to press the back button and enter the CAPTCHA again if you forget to type it in, but at least on IE/Vista it doesn’t keep the message you had written and you have to write it again :(

  4. July 31st, 2010 at 15:28 | #4

    what I was trying to write before was that you could maybe have a random extra offset till where you check or something

  5. August 1st, 2010 at 21:05 | #5

    @yanto chiang
    Hilot is not a critical type of malware. Hilot seems to be a successor of Virtumonde.

  6. pr_presence
    August 2nd, 2010 at 05:19 | #6

    thank u all @ avast for your service :)

  7. Clint
    August 3rd, 2010 at 04:40 | #7

    HI Avast staff, I would just love to say that I like surfing the internet since Avast is on my side. I do not worry about surfing the internet or reading email. One thing can always be sure: as long as avast keeps their avast free protection free for anyone to download, the internet will continue to be safer no matter what malware the bad guys throw at computers, or if a virus gets loose on the internet avast will always update the defs to block or destroy the virus all the time.

    Keep up the hard work avast staff, I am proud of your work and how easy your avast free edition is to work with and use.
    talk to you later.

  8. August 3rd, 2010 at 16:01 | #8

    good

  9. August 3rd, 2010 at 16:06 | #9

    HIHI Avast staff, I would just love to say that I like surfing the internet since Avast is on my side. I do not worry about surfing the internet or reading email. One thing can always be sure: as long as avast keeps their avast free protection free for anyone to download, the internet will continue to be safer no matter what malware the bad guys throw at computers, or if a virus gets loose on the internet avast will always update the defs to block or destroy the virus all the time.

    Keep up the hard work avast staff, I am proud of your work and how easy your avast free edition is to work with and use.
    talk to you later.
    Avast staff I would just love to say that I like surfing the internet since

  10. August 3rd, 2010 at 16:07 | #10

    Avast staff I would just love to say that I like

  11. August 3rd, 2010 at 16:09 | #11

    good services and avast

  12. Derek
    August 3rd, 2010 at 17:47 | #12

    I recently suspected that I have a malware virus in C:\WINDOWS\System32\svchost.exe as this consumes a large amount of my available memory, approx. 80,000 K. I began to experience annoying full screen pop ups as well. This morning my Avast has detected four attacks from svchost.exe but I could not locate this file in my directory, so I ran a scan for C:\WINDOWS but nothing was found. The object is 213.174.149.103/td?aid=A91469&said=20195&q= which is a URL:Mal. My question is, how can I get rid of/stop these attacks?

  13. Vitor
    August 4th, 2010 at 00:09 | #13

    Hi there,

    I’m frequently getting unnecessary CHKDSK runs at startup (Win 7 x64), and I believe it could be caused by avast! somehow (as per the information on this thread: http://superuser.com/questions/106201/chkdsk-at-boot-time-on-windows-7-without-a-reason )
    Drivers are ruled out because I’ve been running pretty much the same drivers for a very long time (except for Catalyst), and this problem has only recently started.

    Sorry for posting this here, I just couldn’t find a better place to do so.

  14. Tom
    August 4th, 2010 at 00:57 | #14

    A little off topic but I would like to see more posts like this one from the developers on this blog. The last blog was quite a long time ago.

  15. August 5th, 2010 at 08:48 | #15

    Derek :
    I recently suspected that I have a malware virus in C:\WINDOWS\System32\svchost.exe as this consumes a large amount of my available memory, approx. 80,000 K. I began to experience annoying full screen pop ups as well. This morning my Avast has detected four attacks from svchost.exe but I could not locate this file in my directory, so I ran a scan for C:\WINDOWS but nothing was found. The object is 213.174.149.103/td?aid=A91469&said=20195&q= which is a URL:Mal. My question is, how can I get rid of/stop these attacks?

    Hi Derek,

    You may visit: hxxp://forum.avast.com/index.php?board=4.0

    At this forum, you will be assisted by a virus or malware fighter.

    cheers,
    yanto chiang

  16. John
    August 6th, 2010 at 14:52 | #16

    Help! I don’t know where else to ask this. I have the free edition and it says it “cannot connect to server” for virus definition updates. What can I do?

  17. August 6th, 2010 at 19:47 | #17

    hi

  18. jim
    August 6th, 2010 at 23:01 | #18

    @Derek

    look in c:\documents and settings\yourname\local settings\temp (XP)
    there are fake svchosts now. No .exe or dll should run from here.

  19. droudgar
    August 7th, 2010 at 09:42 | #19

    I need antivirus file

  20. August 9th, 2010 at 06:32 | #20

    Avast, can u please develop avast 4.8? I’m still using it and I found out that 4.8 is better than 5

  21. August 9th, 2010 at 06:33 | #21

    Any one? Can u help me or give me a tips to remove Win32 Malware gen? Pls help me!!!

  22. WIlliam Thieme
    August 9th, 2010 at 14:20 | #22

    @George Birbilis Why are you using IE?!? (Or Vista for that matter but that I can understand more)

  23. WIlliam Thieme
    August 9th, 2010 at 14:23 | #23

    @John
    You may have a virus blocking access to the avast servers… use the boot time scan option (if on x86/32 bit) or reinstall windows!

  24. August 13th, 2010 at 07:39 | #24

    The Allied and the enemy submarine played a game of cat and mouse on checking up on each other’s whereabouts and supposed strategic plans.
    The hackers played a cat and mouse game with the computer’s system administrators: the hackers kept trying new tricks, and the system administrators kept mounting electronic defenses to prevent damage and catch the hackers.

  25. August 15th, 2010 at 18:51 | #25

    Thanks Avast, I’ve been using it since version 3.0 and I never had a problem. Before that I got malware and other stuff on my computer, not anymore :)
