July 30th, 2010

Cat and mouse game

Again and again and again… That’s what comes to mind every time I see a new variant of the Kavo family and, most recently, of the Hilot family as well. These samples are machine-generated: a simple change to the generator gives their authors a “completely new” set of samples. What’s the problem here? These changes are not random, as we earlier thought; they are precisely targeted against the most popular AV engines.

Let’s describe it with the Hilot case. This family is detected algorithmically by our engine, with what can be called a generic detection (that is, not a fixed signature or checksum). Once the authors noticed a higher detection rate of their binaries, they changed the generator. What surprised me was how tightly the change was bounded by our detection. As part of the detection we check some characteristics of a significant block inside the binary, and this block is where the cat and mouse game is played. The Hilot authors shifted the block in response. That in itself would not be surprising, but they moved it exactly, and only, as far as our checking routine did not look. The first time I thought it might be a coincidence, and I added a check for the moved block. A few days later, in new Hilot variants, the block had shifted again, and again only by the number of bytes needed to land outside our check. This scenario has repeated eight times so far (and I think it will never stop), and that can’t be a coincidence IMO. Sometimes I even think the Hilot authors are continuously reversing our detection. It’s a precise approach, but if someone reads our detections, who’s the cat and who’s the mouse?

The logical conclusion for you is to always keep your AV and its virus database up to date. No matter how efficient the heuristics and generic detections are, malware authors are quite diligent when it comes to inventing new ways of tricking even the most proactive detections.
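The following is an added toy model of the game described above; it is example code written for this page, not code from the post and not avast’s engine or the Hilot generator. It models a windowed generic check that only inspects the first N bytes of a sample, a generator that shifts its significant block exactly past that window each round, an analyst who then extends the window by a fixed slack, and, beside them, a position-independent scan that finds the block wherever it lands. The block bytes, the wildcard pattern, the sample size and the slack value are all constructed for the illustration.

```python
# Added example (not from the post, and not avast's engine or the Hilot
# generator): a toy model of the offset cat-and-mouse game. BLOCK, PATTERN,
# the sample size and SLACK are constructed for illustration.

BLOCK = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0xE8])  # the "significant block"

# The generic check keys on the block's structure rather than its exact bytes:
# a prologue, a "sub esp, imm8" whose immediate may vary (None = wildcard),
# then a call opcode. Varying that byte in the generator does not defeat it.
PATTERN = (0x55, 0x8B, 0xEC, 0x83, 0xEC, None, 0xE8)

SLACK = 16  # how far past the last seen offset the analyst extends the window


def block_matches_at(buf: bytes, off: int) -> bool:
    """True if PATTERN (with wildcards) matches buf at offset off."""
    if off < 0 or off + len(PATTERN) > len(buf):
        return False
    return all(p is None or buf[off + i] == p for i, p in enumerate(PATTERN))


def windowed_detect(buf: bytes, window_end: int) -> bool:
    """The brittle detection: only offsets [0, window_end) are inspected."""
    return any(block_matches_at(buf, off) for off in range(window_end))


def full_scan_detect(buf: bytes) -> bool:
    """Position-independent detection: the block is found wherever it lands."""
    return any(block_matches_at(buf, off) for off in range(len(buf)))


def generate_sample(block_offset: int, size: int = 512) -> bytes:
    """Toy generator: place BLOCK at block_offset, deterministic filler elsewhere."""
    if block_offset < 0 or block_offset + len(BLOCK) > size:
        raise ValueError("block does not fit in the sample")
    # Filler bytes step by 7, so 0x55 is never followed by 0x8B: PATTERN can
    # only match at block_offset.
    filler = bytes((i * 7 + 3) & 0xFF for i in range(size))
    return filler[:block_offset] + BLOCK + filler[block_offset + len(BLOCK):]


def evade(window_end: int, size: int = 512) -> int:
    """The generator's move: the smallest block offset the windowed check misses.
    Shifting exactly to window_end is the minimal move, which is the behaviour
    the post observed across successive Hilot variants."""
    for off in range(size - len(BLOCK) + 1):
        if not windowed_detect(generate_sample(off, size), window_end):
            return off
    raise RuntimeError("window covers the whole sample; no evading offset")


def play_rounds(rounds: int, initial_window: int = 64) -> list:
    """Simulate the game. Each entry is
    (block_offset, window_end_after_analyst_update, windowed_caught, full_scan_caught)."""
    window_end = initial_window
    history = []
    for _ in range(rounds):
        off = evade(window_end)                # mouse: shift the block past the window
        sample = generate_sample(off)
        caught_windowed = windowed_detect(sample, window_end)  # misses by construction
        caught_full = full_scan_detect(sample)                  # catches every round
        window_end = off + SLACK               # cat: extend the window, with some slack
        history.append((off, window_end, caught_windowed, caught_full))
    return history


if __name__ == "__main__":
    for n, (off, win, w_hit, f_hit) in enumerate(play_rounds(8), 1):
        print(f"round {n}: block at {off:3d}, windowed={'hit' if w_hit else 'miss'}, "
              f"full scan={'hit' if f_hit else 'miss'}, window now {win}")
```

Run stand-alone, it prints eight rounds in which the block lands at 64, 80, 96 and so on: every round the windowed check misses and the full scan hits, and every round the block has moved by exactly the slack the analyst added. The point is not that scanning every offset of every file is free (it is not, which is why windowed checks exist), but that any check whose coverage ends at a fixed offset hands the generator an exact number to aim for. A randomised extra offset, as one commenter suggests below, raises the cost of measuring that boundary; tying the check to the block’s structure rather than to where it sits removes the boundary altogether.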

Categories: analyses, Virus Lab
  • http://www.ppinfotek.com yanto chiang

    Hi Michal,

    Are the Hilot variants’ attacks similar to those of the Kavo variants?
    Or are the Hilot variants more advanced in attacking?

    cheers,
    yanto chiang

  • KHR

    Well, well, this seems to be something that can get on your nerves.

  • http://birbilis.spaces.live.com George Birbilis

    The forum says to press the back button and enter the CAPTCHA again if you forget to type it in, but at least on IE/Vista it doesn’t keep the message you had written and you have to write it again :(

  • http://birbilis.spaces.live.com George Birbilis

    What I was trying to write before was that you could maybe have a random extra offset up to where you check, or something.

  • http://www.avast.com Michal Krejdl

    @yanto chiang
    Hilot is not a critical type of malware. Hilot seems to be a successor of Virtumonde.

  • pr_presence

    Thank you all at avast for your service :)

  • Clint

    Hi Avast staff, I would just love to say that I like surfing the internet, since with Avast on my side I do not worry about surfing the internet or reading email. One thing can always be sure: as long as avast keeps their avast free protection free for anyone to download, the internet will continue to be safer no matter what malware the bad guys throw at computers, and if a virus gets loose on the internet avast will always update the defs to block or destroy the virus, all the time.

    Keep up the hard work, avast staff. I am proud of your work and of how easy your avast free edition is to work with and use.
    Talk to you later.

  • http://avast.com hariesh

    good


  • http://avast.com hariesh

    Good services and avast

  • Derek

    I recently suspected that I have a malware virus in C:\WINDOWS\System32\svchost.exe, as this consumes a large amount of my available memory, approx. 80,000 K. I began to experience annoying full-screen pop-ups as well. This morning my Avast has detected four attacks from svchost.exe, but I could not locate this file in my directory, so I ran a scan for C:\WINDOWS but nothing was found. The object is 213.174.149.103/td?aid=A91469&said=20195&q=, which is a URL:Mal. My question is, how can I get rid of/stop these attacks?

  • Vitor

    Hi there,

    I’m frequently getting unnecessary CHKDSK runs at startup (Win 7 x64), and I believe it could be caused by avast! somehow (as per the information on this thread: http://superuser.com/questions/106201/chkdsk-at-boot-time-on-windows-7-without-a-reason )
    Drivers are discarded as the cause because I’ve been running pretty much the same drivers for a very long time (except for Catalyst), and this problem has just recently started.

    Sorry for posting this here, I just couldn’t find a better place to do so.

  • Tom

    A little off topic but I would like to see more posts like this one from the developers on this blog. The last blog was quite a long time ago.

  • http://www.ppinfotek.com yanto chiang

    Derek:
    I recently suspected that I have a malware virus in C:\WINDOWS\System32\svchost.exe, as this consumes a large amount of my available memory, approx. 80,000 K. I began to experience annoying full-screen pop-ups as well. This morning my Avast has detected four attacks from svchost.exe, but I could not locate this file in my directory, so I ran a scan for C:\WINDOWS but nothing was found. The object is 213.174.149.103/td?aid=A91469&said=20195&q=, which is a URL:Mal. My question is, how can I get rid of/stop these attacks?

    Hi Derek,

    You may visit: hxxp://forum.avast.com/index.php?board=4.0

    At this forum, you will be assisted by virus or malware fighters.

    cheers,
    yanto chiang

  • John

    Help! I don’t know where else to ask this. I have the free edition and it says it “cannot connect to server” for virus definition updates. What can I do?

  • http://15874 almk

    hi

  • jim

    @Derek

    Look in c:\documents and settings\yourname\local settings\temp (XP).
    There are fake svchosts now. No .exe or .dll should run from here.

  • droudgar

    I need an antivirus file

  • http://www.avast.com Aldrin Diaz

    Avast, can you please develop avast 4.8? I’m still using it and I found out that 4.8 is better than 5.

  • http://www.avast.com Aldrin Diaz

    Anyone? Can you help me or give me some tips to remove Win32 Malware gen? Please help me!!!

  • WIlliam Thieme

    @George Birbilis Why are you using IE?!? (Or Vista for that matter but that I can understand more)

  • WIlliam Thieme

    @John
    You may have a virus blocking access to the avast servers… use the boot time scan option (if on x86/32 bit) or reinstall windows!

  • http://www.viatusinfotech.com software companies

    The Allied and the enemy submarines played a game of cat and mouse, checking up on each other’s whereabouts and supposed strategic plans.
    The hackers played a cat and mouse game with the computer’s system administrators: the hackers kept trying new tricks, and the system administrators kept mounting electronic defenses to prevent damage and catch the hackers.

  • http://www.beckerstspc.net Caribe88

    Thanks Avast, I’ve been using it since version 3.0 and I’ve never had a problem. Before that I got malware and other stuff on my computer; not anymore :)