Python Delay makes Anti Virus Softwares Obsolete

[TopNotchPCLol]

(Before starting a description, this is not exactly news and I am not much of a writer, however I am posting it here including my sources. This issue, as-well as the IPv6 Router Advertisement flood needs to be resolved. This won't be the easiest to read however, anyone with some technical knowledge should be able to get the just of what I am saying)
 
Sam Bowne teaches Ethical Hacking at the City College San Francisco¹. Sam Bowne has done many talks at Defcon which can all be found on You Tube². Most recently Sam Bowne had his students modify & compile malware in Python into Windows executables³, thus making Virus Total.com unable to detect it(Virus Total does not use heuristics, as normal Anti Virus engines would) making the code effective against Anti Virus softwares with Behavioral Analysis options disabled(Which they very rarely are)⁴.  After having published his findings a Twitter follower by the name of Bobby 'Tables⁵ suggested to Sam Bowne that Behavioral Analysis really only watches the process for "a minute or two", suggesting that a simple delay in combination with Sam's original method could make both definitions obsolete by modifying the malicious code, compiling in Python, then switching it over to a Windows executable, leaving heuristics or "behavioral analysis" the only thing left to pick up the malicious code. To get around heuristics Sam simply used a delay after starting the process to in essence wait until the guards pass to do something malicious. 


The delay issue in itself actually worries me a fair bit more than, a slight modification of malicious code in Python. My suggestion for Anti Virus manufacturers is to offer users the flexibility on both how long heuristics will watch certain processes, and maybe even the intervals in which the Anti Virus software re-checks processes. Anti Virus Software such as ESET Nod32/Smart Security is already so light weight and efficient that, I could see myself having it watch processes for about an hour long still with minimal performance hits. If you are interested in watching a video on Sam Bowne demonstrating these concepts the link has been provided in the sources, as-well as a link to a video on IPv6 Router Advertisement Floods. 
 
 
 
 
 
 
Sources:
1: https://twitter.com/sambowne
 
2: https://www.youtube.com/results?search_query=Sam+Bowne+Defcon

 

3: http://samsclass.info/124/proj14/p8-av.htm

 

4: http://samsclass.info/124/proj14/norton.htm

5: https://twitter.com/info_dox

 

6: 

 

RA flood Videos:
RA flood hitting fortigate: 

RA flood discussion: 

[mr moose]

I am not a programmer, but it reeks to me of build a better mouse trap and they build a better mouse. 

[TopNotchPCLol]

I am not a programmer, but it reeks to me of build a better mouse trap and they build a better mouse. 

Yep same here, unfortunately this is a pitfall of the concept of Anti Virus software. As everyone kicks and screams in media outlets about needing "something else" they are correct. However dealing with this one issue regarding delays Would help a LOT. 

[Enderman]

python ftw!

[TopNotchPCLol]

python ftw!

Judging by the simplicity of the process used, I wonder if it takes off and becomes a major issue prompting Anti Virus companies to deal with the issue.

[ionbasa]

This is the problem with programming languages that are too high level. 

[Bsmith]

good old glorious python, time for python masterrace?

[Sidiox]

Well a few months ago I think it was said by some CEO of a antivirus company that they can't stop all malware anyway these days  and that they are becoming more and more about damage control, I see that statement returning when I see this kind of programming tricks.... Because these are the ones becoming public, I wonder how much earlier the truly "bad" hackers have found this out and how many more evil tricks they have.

[LucidMew]

The greatest anti-virus is common sense ^{or Linux :3}

[Misanthrope]

I don't really think this really makes anything obsolete: sure there is a delay and current antivirus software has to be modified but it's a matter of just using more resources to defeat that delay, and honestly resources are the one thing that we have plenty of right now, I'm looking at you 8 core processors that sit idle 80% of the time and only get used slightly for gaming (and No, we won't really do any video encoding that's just something we tell ourselves to justify those sexy extra cores and performance)

[brownninja97]

The greatest anti-virus is common sense ^{or Linux :3}

dont recommend linux, the more people that use it means the more likely there will be intrusions for it, thats why there are less intrusions on apple software because its not the most used operating system.

[TopNotchPCLol]

The greatest anti-virus is common sense ^{or Linux :3}

Common sense won't protect your network from a Coworkers important spreadsheet. You would still need Anti-Virus as another layer of security -- not the only one. As per Linux, it can be hit incredibly easily, it is just that Windows is a more profitable platform to attack, considering that it is currently, widely adopted by average consumers.

This is the problem with programming languages that are too high level. 

Good languages are always needed. Python is an excellent language, and many people learn Python as their first language. 

 

I don't really think this really makes anything obsolete: sure there is a delay and current antivirus software has to be modified but it's a matter of just using more resources to defeat that delay, and honestly resources are the one thing that we have plenty of right now, I'm looking at you 8 core processors that sit idle 80% of the time and only get used slightly for gaming (and No, we won't really do any video encoding that's just something we tell ourselves to justify those sexy extra cores and performance)

It does, because Sam unearthed this awhile ago, and there STILL isn't a patch, or fix for this issue. He has tried contacting several different Anti-Virus guys, as have I with no luck (Only luck I have is when x companies product won't update etc, etc)

[wpirobotbuilder]

dont recommend linux, the more people that use it means the more likely there will be intrusions for it, thats why there are less intrusions on apple software because its not the most used operating system.

If it happens, I expect a lot more shits being flipped by Linus Torvalds. Something to the effect of:

 

"Why did you commit that PoS code into this OS? It's broken, just broken."

[NoobsWeStand]

I love Sam Bowne. He makes ipv6 floods and hacking so enjoyable    

[KakaoDj]

Can't believe this doesn't get more attention...

AV has been a joke for a long time, still use it though.

[TopNotchPCLol]

Can't believe this doesn't get more attention...

AV has been a joke for a long time, still use it though.

I still use Anti Virus software, but I only stick with ESET now at this point (They asked me to send them information via Twitter now). I treat it as only another layer. 

[TopNotchPCLol]

Can't believe this doesn't get more attention...

AV has been a joke for a long time, still use it though.

Yes, I noticed posts get thousands of views yet this one is limping along. 

 

I love Sam Bowne. He makes ipv6 floods and hacking so enjoyable    

Yeah, I love listening to his talks even though it is more basic. I am not a hacker myself, however I am interested in it. I am seriously considering taking his Ethical Hacking class at the College he teaches in in the future to expand my skillset. For now I am taking an IT Technician course which should provide me with some valuable knowledge (Or be re-taught some of what I already learned, in a different approach)

[Linus_torvalds]

I use free anti-virus software and it's called LINUX!!!

[KakaoDj]

I use free anti-virus software and it's called LINUX!!!

hehehhehehe

this is bait

[Trik'Stari]

Can't you just set the anti-virus to constant scan?

[TopNotchPCLol]

Can't you just set the anti-virus to constant scan?

Not that I know of. Just to remind you, we are talking Heuristics Scanners / Real Time Scanners. Sorry for my late reply, I am busy moving into my new place.