flat assembler
Message board for the users of flat assembler.

Index > Heap > i wasted my today with killing ...

Azu
Joined: 16 Dec 2008
Posts: 1160
Borsuc wrote:
Can rootkits get installed with a Sandbox, this seems kinda stupid. If they can bypass the APIs to install themselves then so can the anti-virus bypass their modified APIs.
That's like saying "if you can climb out of one pit, then anyone can climb out of any pit". Razz
Post 28 Jul 2009, 00:05
Borsuc
Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
No I mean if I have a Sandbox which redirects all APIs to that when I browse how can the rootkit get installed on the "real" drive? That would be like breaking out of a virtual machine to install on a real drive, would it not?

_________________
Previously known as The_Grey_Beast
Post 28 Jul 2009, 00:08
Azu
Borsuc wrote:
No I mean if I have a Sandbox which redirects all APIs to that when I browse how can the rootkit get installed on the "real" drive? That would be like breaking out of a virtual machine to install on a real drive, would it not?
If you sandbox everything perfectly and in its own sandbox, then obviously malware would only be able to control whatever program is in that sandbox.. the instant you open that sandbox (i.e. download and execute a file from it) everything in the sandbox escapes, though.
Post 28 Jul 2009, 00:10
Borsuc
Well I only get stuff out of the Sandbox that I download willingly and delete it after.
Post 28 Jul 2009, 00:22
Azu
Borsuc wrote:
Well I only get stuff out of the Sandbox that I download willingly and delete it after.
Ya.. and which the malware will have latched onto within the Sandbox, and thus infect you when you take it out and run it..
Post 28 Jul 2009, 00:24
Borsuc
If it's an .exe, I test it in a Sandbox before I use it (and this is a different sandbox than before). How can you latch onto a .rar or .zip, which are 90% of my downloads? Confused (especially .rars with passwords)
Post 28 Jul 2009, 00:25
Azu
Borsuc wrote:
If it's an .exe, I test it in a Sandbox before I use it (and this is a different sandbox than before). How can you latch onto a .rar or .zip, which are 90% of my downloads? Confused (especially .rars with passwords)
By modifying ones that aren't passworded or have weak passwords, and replacing the rest with new ones of similar size and hoping you run them?
Post 28 Jul 2009, 00:28
Borsuc
Run what, the .zip?? I can only extract such a file.
Besides, if it had equal size it would be difficult to still have the original application (with compression and all that), since I never downloaded an app that didn't work or something like that. (at least not intentionally).
Post 28 Jul 2009, 00:29
Azu
Borsuc wrote:
Run what, the .zip?? I can only extract such a file.
No, whatever is in the zip..

Borsuc wrote:
Besides, if it had equal size it would be difficult to still have the original application (with compression and all that), since I never downloaded an app that didn't work or something like that. (at least not intentionally).
There are plenty of currently in-the-wild viruses that don't change file size, modification date, or crc32/md5 hashes.

This is a non-issue though since you are most likely being told what sizes and such to expect from.. the breached browser. Oopsy Wink
Post 28 Jul 2009, 00:33
Borsuc
Azu wrote:
There are plenty of currently in-the-wild viruses that don't change file size, modification date, or crc32/md5 hashes.
No you do not understand, this isn't the .exe file I'm talking about. I'm talking about the .zip.

If the .zip file has 100,000 bytes exactly, with a compressed app inside, how can the virus easily result in the same size of the zip file when it adds itself to the app? It's virtually impossible, especially if the compression was at maximum, since it will likely result in a LARGER zip.

Azu wrote:
This is a non-issue though since you are most likely being told what sizes and such to expect from.. the breached browser. Oopsy Wink
I think this is just a bit paranoid. No scratch that, I think it's too paranoid. Razz

Let's see:

1) Sandbox the browser, get out only intentional downloads
2) Check zip file size (and rarely hash checksum if published on the site)
3) Sandbox the contents if it's an application, see if the app does something bad (this is a different sandbox and happens after the browser sandbox, i.e. I simply test the app in a sandbox before I use it)

are you telling me this is not enough?
Post 28 Jul 2009, 00:46
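Step 2 of the procedure above relies on a size match. As an added illustration (not code posted by anyone in this thread), the Python below builds two archives with different contents but identical byte length, then runs both a size-only check and a SHA-256 check against values "published" for the clean archive. The length difference is absorbed by the zip archive comment, which sits in the end-of-central-directory record outside any compressed data, so the Deflate argument made later in the thread does not come into play. The entry name, payload bytes and timestamp are all constructed for the example.

```python
import hashlib
import io
import zipfile

# Constructed sample payloads (not real programs). The replacement stands in for
# a substituted binary that happens to be a few bytes shorter than the original.
ORIGINAL_PAYLOAD = b"MZ" + b"clean program code " * 40
REPLACEMENT_PAYLOAD = b"MZ" + b"tampered code " * 40

# Fixed timestamp so the archive bytes are reproducible between runs.
FIXED_DATE_TIME = (2009, 7, 28, 0, 46, 0)


def build_zip(payload: bytes, comment: bytes = b"") -> bytes:
    """Build an in-memory archive holding one stored (uncompressed) entry 'app.exe'.

    The optional archive comment is written into the end-of-central-directory
    record, outside the entry data, so its length is entirely up to the builder.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("app.exe", date_time=FIXED_DATE_TIME)
        info.compress_type = zipfile.ZIP_STORED
        zf.writestr(info, payload)
        zf.comment = comment
    return buf.getvalue()


def build_same_size_zip(target_size: int, payload: bytes) -> bytes:
    """Archive `payload` and pad the archive comment so the file is exactly target_size bytes."""
    base = build_zip(payload)
    if len(base) > target_size:
        raise ValueError("replacement archive is already larger than the target size")
    padding = target_size - len(base)
    if padding > 0xFFFF:
        raise ValueError("zip archive comment cannot exceed 65535 bytes")
    return build_zip(payload, comment=b"\0" * padding)


def read_entry(archive: bytes, name: str) -> bytes:
    """Extract one entry, confirming the padded archive is still a valid zip."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_size(data: bytes, expected_size: int) -> bool:
    """The size-only check discussed in the thread."""
    return len(data) == expected_size


def check_sha256(data: bytes, expected_hex: str) -> bool:
    """Integrity check against a digest obtained out of band (not from the same page as the download)."""
    return hashlib.sha256(data).hexdigest() == expected_hex


def demo() -> dict:
    """Publish size and SHA-256 for the clean archive, then run both checks on a same-size substitute."""
    original = build_zip(ORIGINAL_PAYLOAD)
    published_size = len(original)
    published_sha256 = sha256_hex(original)

    substitute = build_same_size_zip(published_size, REPLACEMENT_PAYLOAD)

    return {
        "sizes_match": len(substitute) == published_size,
        "size_check_passes_on_substitute": check_size(substitute, published_size),
        "sha256_check_passes_on_substitute": check_sha256(substitute, published_sha256),
        "sha256_check_passes_on_original": check_sha256(original, published_sha256),
        "substitute_extracts_replacement": read_entry(substitute, "app.exe") == REPLACEMENT_PAYLOAD,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The size check accepts the substitute; the SHA-256 check rejects it. The digest only helps if it reaches the user through a channel the browser in question did not render, which is the objection raised further down the thread; the usual answer is a digest or signature published separately and verified with a key obtained earlier.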
Azu
Borsuc wrote:
Azu wrote:
There are plenty of currently in-the-wild viruses that don't change file size, modification date, or crc32/md5 hashes.
No you do not understand, this isn't the .exe file I'm talking about. I'm talking about the .zip.

If the .zip file has 100,000 bytes exactly, with a compressed app inside, how can the virus easily result in the same size of the zip file when it adds itself to the app? It's virtually impossible, especially if the compression was at maximum, since it will likely result in a LARGER zip.
???
Do you want me to actually write one up for you and post the source before it will be enough? Confused

Borsuc wrote:
Azu wrote:
This is a non-issue though since you are most likely being told what sizes and such to expect from.. the breached browser. Oopsy Wink
I think this is just a bit paranoid. No scratch that, I think it's too paranoid. Razz

Let's see:

1) Sandbox the browser, get out only intentional downloads
2) Check zip file size (and rarely hash checksum if published on the site)
3) Sandbox the contents if it's an application, see if the app does something bad (this is a different sandbox and happens after the browser sandbox, i.e. I simply test the app in a sandbox before I use it)

are you telling me this is not enough?
Knowing that if the browser gets compromised, that information obtained from the browser may also be compromised, is paranoid? That makes no sense. I think you're misunderstanding something. I'll try to explain it all over again;

Even if your browser is in a perfect sandbox with nothing else in it etc etc etc, so that if the browser gets compromised nothing else on the computer is affected, the instant you take something out of the sandbox and run it, it could take over your computer, regardless of hash checks or whatever, since when the browser has already been compromised then you will just get compromised hashes from the download sites.. and the download will be compromised, and match the hash or size or whatever the hell you check against from the site.

As for moving what you download into a sandbox and running it, this is only useful if the problem is noticeable, and isn't delayed, and doesn't only happen 1 out of some high number of times, etc etc..

Last edited by Azu on 28 Jul 2009, 01:03; edited 1 time in total
Post 28 Jul 2009, 00:59
Borsuc
Nah you don't even have to write one, just give me 2 zip files with the same app inside (except one has something added to it, the virus) and the same zip filesize. Maximum compression on the original.

As for the browser being compromised, how can it be and infect ALL downloads since this largely depends on the zip file -- it is bound to make a mistake. Plus, like I said, I clean the browser sandbox every day (it's on a ramdisk anyway).
Post 28 Jul 2009, 01:02
Borsuc
Azu wrote:
Even if your browser is in a perfect sandbox with nothing else in it etc etc etc, so that if the browser gets compromised nothing else on the computer is effected, the instant you take something out of the sandbox and run it it could take over your computer, regardless of hash checks or whatever, since when the browser has already been compromised then you will just get compromised hashes from the download sites.. and the download will be compromised, and match the hash or size or whatever the hell you check against from the site.
Man, what do you mean, you think the virus knows what to modify on a site's view and where the "checksum" of the file is being published? That sounds like an advanced bot capable of even getting email addresses formatted ambiguously, sorry but I think it's just too paranoid.

Would be cool to go even further and use 2 different browsers on the same page to look for inconsistencies but I think it is too much already. Confused

It's just HARD to make a general-purpose virus like this. Too hard.
Remember it has to work on ALL zip files out there and rar files. I find it too paranoid.

Azu wrote:
As for moving what you download into a sandbox and running it, this is only useful if the problem is noticeable, and isn't delayed, and doesn't only happen 1 out of some high number of times, etc etc..
yeah agreed but most times I actually do it to see if the app fucks up my registry, not for viruses Razz

Last edited by Borsuc on 28 Jul 2009, 01:07; edited 1 time in total
Post 28 Jul 2009, 01:05
Azu
Borsuc wrote:
Nah you don't even have to write one, just give me 2 zip files with the same app inside (except one has something added to it, the virus) and the same zip filesize. Maximum compression on the original.
????

Do you even know what a virus is?
The whole, spread to other files and infect them without making it obvious you've done so, is the main part of making a virus, not the payload, which is generally trivial in comparison to the engine of the virus.

Borsuc wrote:
As for the browser being compromised, how can it be and infect ALL downloads since this largely depends on the zip file -- it is bound to make a mistake. Plus, like I said, I clean the browser sandbox every day (it's on a ramdisk anyway).
By your browser being compromised on the same day you download something..
Post 28 Jul 2009, 01:05
Borsuc
Azu wrote:
????

Do you even know what a virus is?
The whole, spread to other files and infect them without making it obvious you've done so, is the main part of making a virus, not the payload, which is generally trivial in comparison to the engine of the virus.
Dude that is in the application, not the zip!
It's impossible to get the same zip filesize while adding something to an exe. The statistical probability (from the Deflate algorithm) is less than 1/1000 and that's being generous.
ESPECIALLY if the virus has no idea what the zip is about, i.e. it is made to work with all zips, general-purpose.

Viruses infect .exe files, not .zips. If they do infect .zip files, they will change the size. My bet is, bigger.
Post 28 Jul 2009, 01:09
Azu
Borsuc wrote:
Azu wrote:
????

Do you even know what a virus is?
The whole, spread to other files and infect them without making it obvious you've done so, is the main part of making a virus, not the payload, which is generally trivial in comparison to the engine of the virus.
Dude that is in the application, not the zip!
It's impossible to get the same zip filesize while adding something to an exe. The statistical probability (from the Deflate algorithm) is less than 1/1000 and that's being generous.
ESPECIALLY if the virus has no idea what the zip is about, i.e. it is made to work with all zips, general-purpose.

Viruses infect .exe files, not .zips. If they do infect .zip files, they will change the size. My bet is, bigger.
The contents of the zip obviously, not the zip itself. Sheesh.
Post 28 Jul 2009, 01:12
Borsuc
Yes exactly. And that will change the size of the zip file, unless the virus deletes something from the app. It is nearly impossible to add something to a file and get the same output in compression or less. More likely, you will get a bigger file (zip I mean, not exe).

Because I look at zip sizes, not the exe's size. Wink
Post 28 Jul 2009, 01:18
Azu
Borsuc wrote:
Yes exactly. And that will change the size of the zip file, unless the virus deletes something from the app. It is nearly impossible to add something to a file and get the same output in compression or less. More likely, you will get a bigger file (zip I mean, not exe).

Because I look at zip sizes, not the exe's size. Wink
If the virus' engine is some relic from 1980 rather than something modern, sure.

But anyways, as we've already established, this is all completely beside the point since whatever size information you get is itself going to be compromised by the infection.
Post 28 Jul 2009, 01:21
Borsuc
Azu wrote:
But anyways, as we've already established, this is all completely beside the point since whatever size information you get is itself going to be compromised by the infection.
Nah. The size is usually on the site, and it's too paranoid to say it can change exactly that without messing anything up and it works on ALL sites. This would be like saying that a virus can recognize the following email address scattered in a site: octa ____ rone @ (anti-spam);yahoo Razz
(still waiting to see if I get spam from this Wink)

Plus, the size is given before the file is downloaded. The virus has no way to know the contents of the file to predict the size after it adds itself. At least, not until the file is downloaded. To give a wrong size beforehand it has to know in advance the contents of the file, so it can calculate how much it'll add up. But it doesn't.
Post 28 Jul 2009, 01:50
Azu
Borsuc wrote:
Azu wrote:
But anyways, as we've already established, this is all completely beside the point since whatever size information you get is itself going to be compromised by the infection.
Nah. The size is usually on the site, and it's too paranoid to say it can change exactly that without messing anything up and it works on ALL sites. This would be like saying that a virus can recognize the following email address scattered in a site: octa ____ rone @ (anti-spam);yahoo Razz
(still waiting to see if I get spam from this Wink)

Plus, the size is given before the file is downloaded. The virus has no way to know the contents of the file to predict the size after it adds itself. At least, not until the file is downloaded. To give a wrong size beforehand it has to know in advance the contents of the file, so it can calculate how much it'll add up. But it doesn't.
Wow. You actually believe that it would be infeasible just to recognize some file sizes and change them a little?

Ignorance is bliss I suppose, until someone takes advantage of it and leaves you devastated.
Post 28 Jul 2009, 01:58
Copyright © 1999-2020, Tomasz Grysztar.