flat assembler
Message board for the users of flat assembler.

Index > Heap > i wasted my today with killing ...

Borsuc
Azu wrote:
Or take the compression algorithm into account..
huh?

zip needs to be repackaged if you add files because the filetable is stored at the end.

Azu wrote:
How can I make this more clear; you have no reason to assume it would be hard for any modern virus to keep your stupid little zip file the same size as well, but this is completely besides the point since guess what, you get your stupid size thing from the website, which is rendered by the browser! OOPS!
...which I said countless times that I verify files manually with a Hex Editor, both the zip itself AND the shit in it. Any padding would be OBVIOUS to me. If it adds garbage at the end of a zip, I can see that. If it adds it at the end of an exe, I can see that too.

Plus I have said COUNTLESS times that it doesn't know the file's contents in advance, so in 6+ years of being vulnerable to viruses (yeah right Rolling Eyes), I should have gotten AT LEAST one padded file, like a text file with spaces, don't you think?

Azu wrote:
Practical measures would be to stop using a POS like IE6 that is filled with holes, and an AV just in case.
funny that you mention it since I'm using Firefox with NoScript addon (again, which disables JS for sites I don't allow, so any hidden redirects' script gets blocked).

Azu wrote:
If it's tacked on blindly to the end, AND doesn't resemble a normal zip file ending..
The zip ends with the filetable, you can easily recognize it Wink

Azu wrote:
Have fun with gullibility. You do know that software can tell when there is network activity, right? It would be trivial to make a keylogger only phone home during peak network usage.
Well I have lots of fun Smile

In 6+ years I haven't lost ONE account because of password or keylogging. My computer has NEVER EVER acted weird (in the sense of random reboots or something like what damaging viruses, not spyware, do).

So exactly why shouldn't I have fun?

Oh right, I should unplug my internet connection.

And regarding network activity this virus would have to be a real piece of shit to get past 2 freaking firewalls, both third-party (so the virus would have to be especially designed for this configuration to infect them correctly!!), because the firewalls ALSO tell me the network activity AND which application transmits what.

Of course the reason I didn't include it in the modem led is because, due to extreme paranoia around here, I assumed that this awesome virus infected them both 100% undetectably without any trace or mistake (I would have noticed in 6 years don't you think? at least something).

I appreciate this discussion up to a certain point because I know that viruses can do many things, but getting through Firefox+NoScript (that is, JS can be rarely used), an application downloaded the exact same day the virus has infected the browser (I don't download apps every day for instance), 2 sandboxes, 2 firewalls, flawless files (not once have I seen padding), manual inspection via hex editors AND password protected rar files (impossible) is kinda...

paranoid Very Happy

_________________
Previously known as The_Grey_Beast
Post 29 Jul 2009, 01:55
Azu
Borsuc wrote:
Azu wrote:
Or take the compression algorithm into account..
huh?
If it's some known compression algorithm then the virus knows which changes to the files in it will make which changes (if any) to the size of the archive, and can thus make the contents and the archive itself stay the same size without even having to do time-consuming trial and error. Then it doesn't even have to find the size on the website and change it. Wink

Borsuc wrote:
Azu wrote:
How can I make this more clear; you have no reason to assume it would be hard for any modern virus to keep your stupid little zip file the same size as well, but this is completely besides the point since guess what, you get your stupid size thing from the website, which is rendered by the browser! OOPS!
...which I said countless times that I verify files manually with a Hex Editor, both the zip itself AND the shit in it. Any padding would be OBVIOUS to me. If it adds garbage at the end of a zip, I can see that. If it adds it at the end of an exe, I can see that too.
Do you honestly think the only way to increase the size of something is to add a string of zeros to the end or something? You are assuming that it would be added in a place you know to look (i.e. at the very end), and that you will be able to recognize it (i.e. that it won't make it look similar to how the end of a zip file normally looks). Bad assumptions.

Borsuc wrote:
Plus I have said COUNTLESS times that it doesn't know the file's contents in advance, so in 6+ years of being vulnerable to viruses (yeah right Rolling Eyes), I should have gotten AT LEAST one padded file, like a text file with spaces, don't you think?
I addressed this countless times already.

Borsuc wrote:
Azu wrote:
Practical measures would be to stop using a POS like IE6 that is filled with holes, and an AV just in case.
funny that you mention it since I'm using Firefox with NoScript addon (again, which disables JS for sites I don't allow, so any hidden redirects' script gets blocked).
Firefox is on the holey side as well.
Anyways, I'm not sure how "hidden redirect scripts" are relevant to this conversation. And not all vulnerabilities are from JS. And trusted websites get compromised by malware, anyways, so even if all vulnerabilities WERE from JS you'd still be gullible to think you're invincible.

Borsuc wrote:
Azu wrote:
If it's tacked on blindly to the end, AND doesn't resemble a normal zip file ending..
The zip ends with the filetable, you can easily recognize it Wink
Yep, and just as easily make padding that looks like it Wink or put padding somewhere else. Like I just said, in my post that you replied to without reading.

Borsuc wrote:
Azu wrote:
Have fun with gullibility. You do know that software can tell when there is network activity, right? It would be trivial to make a keylogger only phone home during peak network usage.
Well I have lots of fun Smile
Smile

Borsuc wrote:
In 6+ years I haven't lost ONE account because of password or keylogging. My computer has NEVER EVER acted weird (in the sense with random reboots or something like what damaging viruses, not spyware, do).
Lucky you.

Borsuc wrote:
So exactly why shouldn't I have fun?

Oh right, I should unplug my internet connection.
That was random.

Borsuc wrote:
And regarding network activity this virus would have to be a real piece of shit to get past 2 freaking firewalls, both third-party (so the virus would have to be especially designed for this configuration to infect them correctly!!), because the firewalls ALSO tells me the network activity AND which application transmits what.
Right, assuming it's not a rootkit, not making use of a trusted application, and transmits everything in plain text for you to see. You base your security on a lot of blind assumptions.

Borsuc wrote:
Of course the reason I didn't include it in the modem led is because, due to extreme paranoia around here, I assumed that this awesome virus infected them both 100% undetectably without any trace or mistake (I would have noticed in 6 years don't you think? at least something).
Assuming you didn't miss anything, assuming you haven't just been lucky, and assuming the malware has obvious, visible effects, and was active at the moment you were looking for signs.. or you could just admit that your solution is feasibly vulnerable to attack.
Post 29 Jul 2009, 02:17
ManOfSteel
Borsuc wrote:
If you add artificial stuff to the end of a zip file I will notice that when I view it with the Hex Editor.

[...]

The zip ends with the filetable, you can easily recognize it

By "the end of the file" I meant at the end of the compressed chunk, not in the metadata, duh!
Ok, so how does using a hex editor help you differentiate between genuine compressed data and random stuffing that looks exactly like genuine compressed data? Unless, of course, you also check the entire metadata in the header/tail of every single archive you have against the MBs of compressed data (for every file in the archive) to find a few unaccounted-for malicious KBs. You wouldn't by chance have a Lempel-Ziv or similar decoder embedded in your brain, would you?
I prefer looking for a needle in a haystack. But that's just me.


Borsuc wrote:
Besides this isn't about adding to the zip, because the size will already be bigger, it's about making it smaller without removing functionality (I would notice that).

Fine, so we don't artificially modify the .zip file size on the disk. You still wouldn't notice a few-KBs-small change, caused by a modification of the contained files, when most websites only give you the size in MBs.
Here's a very simple example. Take a big file (the .zip file you're downloading). Take a random .exe file 20KBs big (the virus that would be injected in an existing .exe in the .zip) and compress it. I got 2KBs here. Let's say the original .zip is 91536588 bytes. After the infection, the archive grew to 91538636 bytes. Both files would show as 87.2MBs on Rapidshare, Download.com, etc. Tada!


Borsuc wrote:
Plus, sometimes I download text.

Aha, very interesting. What are we talking about now? Viruses or word processors?


Borsuc wrote:
if it pads the text file with junk, I would very easily notice THAT. Didn't happen to me yet.

Of course it didn't and will never happen! No virus writer is enough of an idiot to corrupt your .txt files, or any other file with human-readable content, and more importantly any file that can't be a vector of the virus' reproduction Rolling Eyes
Viruses check everything before doing anything, just like they don't bother re-infecting an already infected target.


Borsuc wrote:
My modem has a led when activity gets through

Typical viruses do not use the network. They reproduce through removable disks, and since the spread of the Internet, through user-initiated network file transfers. Other types of malware use your network connection to receive/send whatever information the creator/bot wants. They do so when you're using your connection, i.e. when your LEDs are flashing like hell. And they do it in stealthy ways, including hijacking your firewall(s), network HAL drivers, or even injecting their code LIVE into trusted processes like services (Services and Controller app), svchost (Generic Host Process for Win32 Services) or Windows Explorer.


Borsuc wrote:
These viruses I have must be sleeping or something. I mean I obviously have viruses, the chances are 90%, right?

All we're talking about here is quite theoretical. We're talking about the infinite possibilities when it comes to security. No one in this thread ever told you that YOUR machine precisely was 0wn3d! Laughing


Borsuc wrote:
If it adds it at the end of an exe, I can see that too.

Not at the end of the .exe, but at the end of any executable section, or even at random empty places.


Borsuc wrote:
getting through Firefox+NoScript (that is, JS can be rarely used)

JS attacks are only online attacks using a vulnerability/design flaw in the browser/JS interpreter. There are dozens of other types of attacks with many different vectors. Online JS attacks are like 1/1000.


Borsuc wrote:
password protected rar files

Hum, so ALL the archives that you download are encrypted? How are you able to impose that on every download, file sharing and P2P website/network you visit?


Last edited by ManOfSteel on 29 Jul 2009, 12:24; edited 1 time in total
Post 29 Jul 2009, 12:17
tom tobias
Drhowarddrfine wrote:
...RealTek supplies the driver for the DL on their web site.
Gosh, I really am demented.....Thanks for the link. I had visited the same site last week, and for some reason, I saw NOTHING about Linux/BSD/UNIX. NIL. Nada. Only M$.
The driver is definitely there. No hallucinations, at least not about this!
I will download it, and reinstall the OS, and try again this weekend....
Thanks very much for your help....
tom
Smile
Post 29 Jul 2009, 12:18
Azu
bump
Post 29 Jul 2009, 12:23
ManOfSteel
@Tom
You may have missed my post here: http://board.flatassembler.net/topic.php?p=98447#98447
Post 29 Jul 2009, 12:31
Borsuc
ManOfSteel wrote:
By "the end of the file" I meant at the end of the compressed chunk, not in the metadata, duh!
Ok, so how does using a hex editor help you differentiate between genuine compressed data and random stuffing that looks exactly like genuine compressed data? Unless, of course, you also check the entire metadata in the header/tail of every single archive you have against the MBs of compressed data (for every file in the archive) to find a few unaccounted-for malicious KBs. You wouldn't by chance have a LempelZiv or similar decoder embedded in your brain, would you?
I prefer looking for a needle in a haystack. But that's just me.
You can test an archive for integrity.

Besides, Azu, I'm not lucky. I'm just basing it on good statistical probabilities. Let me ask you this: do casinos "guarantee" profit? (after all they have the 'house edge')? No, if you are paranoid. Of course they still are in business, guess why? Wink

ManOfSteel wrote:
Aha, very interesting. What are we talking about now? Viruses or word processors?
No I mean, the virus can't know if a file is text or something else before you download, and thus, to give you a "safe" size to put itself into an archive (in the case of archive) it needs to make the preview size a little bigger. In text, this would lead to, probably, padded with spaces. Which I would notice.

In the other case in which you mentioned, they must know the file type in advance. The browser sends me the size of the file BEFORE download and I check it. If that is corrupted, it will also corrupt text files, since it has no way to know if it's text or archive.

ManOfSteel wrote:
JS attacks are only online attacks using a vulnerability/design flaw in the browser/JS interpretor. There are dozen other types of attacks with many different vectors. Online JS attacks are like 1/1000.
Such as? I mean in an up-to-date config of course, like mine. Remember flash is also JS or at least NoScript blocks it just like JS anyway.

Besides, for this virus to infect everything it would have to:

1) infect Firefox+NoScript perfectly
2) infect the Sandbox downloaded apps flawlessly
3) infect archives even while not having suspicious size difference
4) infect both my firewalls, which is ridiculous, considering it would have to be specifically made for this configuration I have (the firewalls don't use high-level Windows APIs, they are device drivers).
5) finally, it must also NOT TRIGGER on the first few runs because I TEST all of my apps in a second Sandbox before I use them. (and not only once but several times!)

The odds of such a theoretical situation are, to me, ridiculously low. I think I have a bigger chance of getting into an accident or something than this. Wink

not to mention that usually when I download apps, I visit only "trusted" sites, and the sandbox gets deleted after anyway (along with any possible virus).

ManOfSteel wrote:
Hum, so ALL the archives that you download are encrypted? How are you able to impose that on every download, file sharing and P2P website/network you visit?
No, but since the virus has to ADD shit on downloaded archives (non-encrypted) and it has to give you the SIZE before download begins, it would have to add junk to these encrypted files which would render invalid signature. Wink

_________________
Previously known as The_Grey_Beast
Post 29 Jul 2009, 18:52
tom tobias
ManOfSteel wrote:
...You may have missed my post here:

yes, I did. Sorry,
THANKS for the message, and link, both much welcomed.
I am about half way through the download of BSD 7.2....I hope to get started this weekend.
I appreciate your kind hearted rejoinder, very well done....
regards,
tom
Post 29 Jul 2009, 18:56
ManOfSteel
@ Tom

I don't know how familiar you are with FreeBSD, but you should know it has no GUI by default (like most Linux distros).
However, if you read the manual (chapter 5 for X11), you'll find it's quite easy to install and configure Xorg and any of the available window managers/desktop environments.

If you have any problems, you can always subscribe to the official forums. There are many very helpful people there, including developers.

BTW, 8.0 is already in beta 2 stage and should be released at the end of next month, so if you have problems under 7.2 (hardware or other), you might still have some chances with 8.0.
Post 30 Jul 2009, 11:27
tom tobias
Thanks very much for these tips, I will go to the forum, I have already copied, onto a separate cdrom, the entire documentation, I hope to have time to try it out this weekend.
Post 30 Jul 2009, 11:36
Borsuc
To end the virus debate, I was thinking that I forgot to tell I also scan the apps with virustotal or other online scanner with many anti-viruses before use.

That's the best I can do.
Post 30 Jul 2009, 13:25
ManOfSteel
Borsuc wrote:
To end the virus debate

Already?


Borsuc wrote:
You can test an archive for integrity.

This is a joke, right? Just like your compression software can rename, add, remove, modify and recompress files inside an archive, a virus can do exactly the same without losing integrity.
The idea is to use a random file in the archive as "turkey" for our stuffing ( Cool ) by appending random data to it. It's preferable that the "turkey" be one of the last files in the archive, so that recompression is almost instantaneous.
Basically, all we have to do is recreate the CRC and compressed size for our "turkey" file, both in the Central Directory File Header and in the Local File Header. Of course, we keep the modification date/time and uncompressed size intact! Then we append our stuffing.
The result? The CRC for our "turkey" being valid, any integrity check will succeed. The modified compressed size ensures the entire "turkey+stuffing" size is taken into account, and the unmodified uncompressed size ensures the extracted file is free of stuffing and valid. Voila!
But I already gave you an example showing it's not even necessary to grow the archive artificially, so the whole point is moot.


Borsuc wrote:
the virus can't know if a file is text or something else before you download, and thus, to give you a "safe" size to put itself to an archive (in the case of archive) it needs to make the preview size a little bigger.

So what? Not only can a virus know the entire contents of an archive before you download it simply by reading the file table remotely (check the source of any HTTP downloader written in ASM to see how easy it is), but actually, it doesn't really need to. It doesn't even need to manipulate what you see (even though it's very possible to do, not so difficult and still very interesting experimentally).

The virus writer knows his viruses are X KBs big, and knows most file storage services, download websites, etc. only show file size in MBs. The bigger the downloaded files, the easier to hide a few malicious KBs.

Also, the virus can infect the .zip after it has been downloaded to your "sandbox". It can hook the CloseHandle API, and infect the archive once it's closed by your download manager or browser's "Save As", i.e. before you can even view its contents for the first time.
It could also quite easily check the integrity of the archive so as to not infect it if you just paused the download for later resuming.


Borsuc wrote:
In text, this would lead to, probably, padded with spaces. Which I would notice.

WHY WOULD IT EVEN TOUCH YOUR TEXT FILES?


Borsuc wrote:
Such as? I mean in an up-to-date config of course, like mine. Remember flash is also JS or at least NoScript blocks it just like JS anyway.

There are as many types of attacks as there are types of vulnerabilities and design flaws, and there are as many of those (whether potential or actual) as there are operating systems, drivers, software, etc, and different combinations of these. It's an ever-growing multi-volume encyclopedia.

The Flash interpreter is not JS at all. It's a browser plugin/extension that loads .swf files using the flash class with an object tag for the CLSID, an embed tag for the .swf file and a MIME type of application/x-shockwave-flash, without any bit of JS. The thing is some browsers (e.g. Firefox) mix JS and plugins and en/disable both at the same time. Opera, OTOH, does it separately.

While we're talking about JS: years ago, there was a vulnerability in the thumbnails view in Windows Explorer that allowed the execution of malicious code through JS contained in... .zip file comments!
The vulnerability was fixed, but how many more similar ones are still there, waiting to be exploited? How many have already been discovered by organized criminals and are being jealously kept secret?


Borsuc wrote:

Besides, for this virus to infect everything it would have to:

1) infect Firefox+NoScript perfectly
2) infect the Sandbox downloaded apps flawlessly
3) infect archives even while not having suspicious size difference
4) infect both my firewalls, which is ridiculous, considering it would have to be specifically made for this configuration I have (the firewalls don't use high-level Windows APIs, they are device drivers).
5) finally, it must also NOT TRIGGER on the first few runs because I TEST all of my apps in a second Sandbox before I use them. (and not only once but several times!)

1) Not necessarily...
2) Just as easy as infecting files outside a sandbox. Done a few billion times, on millions of computers around the world, by x0,000 viruses, since the early '80s.
3) Straightforward, as explained above. Has already been done before with many types of archives including system cabinet files (.cab).
4) Completely irrelevant, since this is a virus not a worm, trojan, keylogger, etc. The infection happens on your computer (in the sandbox) AFTER packets have been converted to files. But theoretically, it would still be possible for other types of malware to fool and bypass ANY firewall or IDS using a library of vulnerabilities like some security audit tools do, and even "collaborate" with a virus (a similar thing has been done with Mydoom.A<->Doomjuice).
And what about the "device drivers" thing? Malware could infect .sys files on disk if you're running -- as most people -- with administrator privileges (which eventually happens anyway when you want to run a setup) or just hijack them in memory and inject malicious code.
5) Many viruses have a scheduled activation (e.g. creator's birthday, 17th of every month, date of some historical event). Heck, it could delay the payload execution to 3 months after the first infection.


Borsuc wrote:
not to mention that usually when I download apps, I visit only "trusted" sites

Sure, trusted websites that can be compromised at any time, like history has repeatedly shown. Trusted websites that RELY on the same TOOLS as YOU.

Here's some news for you: Kaspersky, considered the "best" by a security expert compared to the more known AVs, blocks 90% of the "new" malware. Note that many "new" malware are only variants of existing ones and are easy to detect compared to really new ones, so 90% looks artificially inflated to me. Also what about the last 10% that never got detected? What about unknown viruses and 0 day attacks?

Even better, "the most popular brands of antivirus on the market ... have an 80 percent miss rate" and "Although less popular antivirus applications are more likely to pick up new malware, Ingram said that the average level of new malware that is undetected is 60 percent" (source).

Polymorphic/stealthy/encrypted viruses have been laughing at AV heuristics for the last decade at the very least. A year ago, I did an experiment: I downloaded a random sample of 100 or so well-known (i.e. in the wild), new and old malware, and scanned them with every AV software I could get my hands on. I don't remember the numbers exactly, but at least a dozen were not found by any AV, and the rest were detected by one AV or another (not by all of them). It means AVs don't even have SIGNATURES for well-known viruses! Do you think these AVs will be able to find new viruses using heuristics? Think again.


Borsuc wrote:
and the sandbox gets deleted after anyway (along with any possible virus).

But you copy your archives, .exe files, etc. to your HDD to use/install them don't you? Or else it would be useless to get them in the first place.
So here's the weak link: you copying, then using, files that could be infected (or not) in the "safe" uninfected HDD. Basically, the only solution here would be to ALWAYS run inside a sandbox, deleting it every week or so, and downloading and reinstalling everything again.


Borsuc wrote:
No, but since the virus has to ADD shit on downloaded archives (non-encrypted) and it has to give you the SIZE before download begins, it would have to add junk to these encrypted files which would render invalid signature. Wink

Okay. Facts:
1. Not every archive out there is encrypted;
2. A virus can avoid infecting encrypted archives (easy to detect);
3. And encrypting an archive after you've downloaded it is useless since you may just be encrypting the archive+virus, if the virus has already hooked system API and/or injected itself in the system processes, compression software process, or any other running process.
Post 30 Jul 2009, 19:33
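The "turkey stuffing" recipe and the remotely readable file table from the post above, worked through as an added example. This is my code, not anything posted in this thread: it builds a constructed three-entry archive, appends 2 KB of padding after the deflate stream of the last entry, patches only compressed_size in the local header and the central directory, and shows that Python's own zipfile integrity test still passes and the extracted file is byte-for-byte unchanged. It then runs the check a practitioner actually wants: feed each entry exactly compressed_size bytes to a raw deflate decoder and count how many bytes the decoder never consumed. The sample files, the zero padding, and the assumption that the last entry's data ends where the central directory starts (true for archives written by zipfile) are all mine.

```python
"""Added example: ZIP stuffing that survives an integrity check, and the
check that catches it. Sample archive and padding are constructed inline."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CD_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
LOCAL_FMT = "<IHHHHHIIIHH"      # 30-byte local file header
CD_FMT = "<IHHHHHHIIIHHHHHII"   # 46-byte central directory header
EOCD_FMT = "<IHHHHIIH"          # 22-byte end-of-central-directory record


def build_sample_zip():
    """Constructed sample archive with three deflated entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "read me " * 100)
        zf.writestr("app.exe", bytes(range(256)) * 40)
        zf.writestr("data.bin", b"turkey " * 300)   # last entry: the "turkey"
    return buf.getvalue()


def central_directory(tail, total_size):
    """Parse the EOCD record and central directory from `tail`, the last
    len(tail) bytes of a total_size-byte archive. Only the tail is needed,
    which is why the file table can be read remotely with a ranged request.
    Returns (name, method, flags, crc, csize, usize, local_off, cd_pos)."""
    base = total_size - len(tail)                   # absolute offset of tail[0]
    eocd = tail.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("EOCD record not in tail; fetch more bytes")
    _, _, _, _, count, _, cd_offset, _ = struct.unpack_from(EOCD_FMT, tail, eocd)
    if cd_offset < base:
        raise ValueError("central directory starts before tail; fetch more bytes")
    pos, entries = cd_offset - base, []
    for _ in range(count):
        h = struct.unpack_from(CD_FMT, tail, pos)
        if h[0] != CD_SIG:
            raise ValueError("bad central directory header")
        name = tail[pos + 46:pos + 46 + h[10]].decode("utf-8")
        entries.append((name, h[4], h[3], h[7], h[8], h[9], h[16], base + pos))
        pos += 46 + h[10] + h[11] + h[12]           # name, extra, comment lengths
    return entries


def data_span(archive, local_off, csize):
    """(start, end) of an entry's compressed bytes, read from its local header."""
    h = struct.unpack_from(LOCAL_FMT, archive, local_off)
    if h[0] != LOCAL_SIG:
        raise ValueError("bad local file header")
    start = local_off + 30 + h[9] + h[10]           # skip name and extra field
    return start, start + csize


def stuff_last_entry(archive, padding):
    """Insert `padding` after the deflate stream of the last entry and patch
    compressed_size in both headers. CRC-32, uncompressed size and timestamps
    stay as they were: a decoder stops at the end of the real stream."""
    entries = central_directory(archive, len(archive))
    _, method, flags, _, csize, _, loff, cd_pos = max(entries, key=lambda e: e[6])
    if method != 8 or flags & 0x8:
        raise ValueError("example expects a deflated entry with sizes in its header")
    start, end = data_span(archive, loff, csize)
    eocd = archive.rfind(struct.pack("<I", EOCD_SIG))
    cd_offset = struct.unpack_from("<I", archive, eocd + 16)[0]
    if end != cd_offset:                            # assumption stated in the lead-in
        raise ValueError("expected the last entry's data to end at the central directory")
    shift = len(padding)
    out = bytearray(archive[:end] + padding + archive[end:])
    struct.pack_into("<I", out, loff + 18, csize + shift)              # local csize
    struct.pack_into("<I", out, cd_pos + shift + 20, csize + shift)    # CD csize
    struct.pack_into("<I", out, eocd + shift + 16, cd_offset + shift)  # CD moved
    return bytes(out)


def trailing_bytes_per_entry(archive):
    """The check: give each deflated entry exactly compressed_size bytes and
    report how many the decoder never consumed. Clean archives report 0
    everywhere; -1 marks a truncated stream."""
    report = {}
    for name, method, _, crc, csize, usize, loff, _ in central_directory(archive, len(archive)):
        start, end = data_span(archive, loff, csize)
        if method == 8:
            d = zlib.decompressobj(-15)             # raw deflate, no zlib header
            plain = d.decompress(archive[start:end])
            if zlib.crc32(plain) != crc or len(plain) != usize:
                raise ValueError(f"{name}: content does not match its header")
            report[name] = len(d.unused_data) if d.eof else -1
        else:
            report[name] = csize - usize            # stored: the two sizes must agree
    return report


def demo():
    clean = build_sample_zip()
    stuffed = stuff_last_entry(clean, b"\x00" * 2048)   # constructed padding
    with zipfile.ZipFile(io.BytesIO(stuffed)) as zf:
        integrity_ok = zf.testzip() is None             # CRC of every entry still matches
        extracted_same = zf.read("data.bin") == b"turkey " * 300
    return {
        "names_from_tail": [e[0] for e in central_directory(clean[-256:], len(clean))],
        "grew_by": len(stuffed) - len(clean),
        "integrity_ok": integrity_ok,
        "extracted_same": extracted_same,
        "clean_report": trailing_bytes_per_entry(clean),
        "stuffed_report": trailing_bytes_per_entry(stuffed),
    }
```

Two points the post glosses over. The CRC-32 never needs recomputing: it covers the uncompressed bytes, and those are unchanged, which is exactly why testzip() passes. And the padding sits past the final deflate block, so `unused_data` after decoding is precisely the stuffing; a stored (method 0) entry is caught the same way by comparing its compressed and uncompressed sizes. The "names_from_tail" result shows the file table recovered from the last 256 bytes alone, the same bytes a ranged request for the end of a remote file would return.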
Borsuc
I don't see your point, sorry.
Are you suggesting that I should never download any application, is that right?

I dunno, whatever the virus is doing, I'm much happier with apps than without, considering my computer is not acting weird, very thin chance of spyware (and even if it did, I haven't lost one single account due to keyloggers or whatever), etc.

By the way, forgot to mention, my Sandbox app driver (Sandboxie) can catch some hook attempts Cool (I said "some" because I'm pretty sure, if we go paranoid, there'll be an exploit).


How did you get FASM anyway? Maybe the site, or your browser, was compromised at the time you downloaded an updated version!!

And this virus, of course, doesn't launch the first few times I launched it either, I mean I do test it in a sandbox. Also doesn't give any viral results in virustotal.

not too hard I think...

Damn. Confused

_________________
Previously known as The_Grey_Beast
Post 30 Jul 2009, 20:13
windwakr
Like Borsuc said, you guys are paranoid. This virus you guys talk about being possible would have to have some superhuman brain like neural network or something to be so smart and do all of what Azu and ManOfSteel say.

Lets see...
It can download itself and infect you even with noscript and no flash being displayed.
It can modify the download size on a website and modify a hash on the site.
Figure out what format the download is and modify it to add the virus without changing the file's size even if the archive is encrypted.
It breaks out of the sandbox.
It can get past all the antiviruses and firewalls on the computer.
It can avoid detection on virustotal.com
It doesn't do anything suspicious the first couple times it is started.
What else was there? LOL

Seriously, you guys are crazy!
This thread has given me a good laugh while reading over Azu's posts.


Wow Borsuc, that sandboxie program is cool. Thanks for mentioning it.

Post 30 Jul 2009, 20:16
ManOfSteel
@Borsuc

Never download any application? No, not at all. In all these posts, I was not discouraging you from doing anything, nor telling you what to do, I was proving to you (or at least trying) bit by bit that:
1) Nothing is secured since there are so many ways to break/compromise/infect everything (while you were pretending it was so hard to do);
2) You can't rely on tools;
3) You people are really too "confident" in your imaginary safety: you and right after you, windwakr.

And BTW, when you use virustotal every day, you WILL become paranoid, when (and if) you think about all those false positives, all those potential false negatives, when you'll see half of the AVs in the list find X as a virus and the rest not finding anything and you wondering "is this a virus, is it not a virus, is this a ...".
When you use these services and see your own fasm projects as viruses, what does it tell you about their ability to find real viruses?
Post 31 Jul 2009, 09:57
ManOfSteel
windwakr wrote:
This virus you guys talk about being possible would have to have some superhuman brain like neural network

Not at all. Most of what was described in this thread ALREADY exists and has already been used in the wild. Don't you get it? Or maybe you don't "want" to?

windwakr wrote:
or something to be so smart and do all of what Azu and ManOfSteel say

As I explained and repeated again and again, you and Borsuc are assuming many things that are not even necessary for a successful infection.


Ok, I already explained all this in details, so I'll be quick:
windwakr wrote:
It can download itself and infect you even with noscript and no flash being displayed.

Actually YOU download it, YOU execute it thinking it's clean since you downloaded it from a "trusted" source, and it infects your sandbox or computer. And yes something does NOT have to infect you using JS (or even your browser), but instead using vulnerabilities in your firewall, network HAL drivers, etc. Ever heard of something called "worms"?

windwakr wrote:
It can modify the download size on a website and modify a hash on the site.

Theoretically this is possible. But it is not indispensable for a successful infection, as I already explained. BTW, how many websites give you file size in bytes and MD5 or SHA256 hashes?

windwakr wrote:
Figure out what format the download is and modify it to add the virus without changing the files size even if the archive is encrypted.

Well, I already expla... But you didn't read any of my posts, I know, I know...

windwakr wrote:
It breaks out of the sandbox.

Nah, you break it out since you trust what you downloaded (you checked it out thoroughly with your surgical tools of course!) and you eventually want to use it OUT of the sandbox, and didn't see anything abnormal. But I already...

windwakr wrote:
It can get past all the antiviruses and firewalls on the computer.

... which are just tools that have been compromised more than once in the past, in a zillion ways, on zillions of computers, as I ...

windwakr wrote:
It can avoid detection on virustotal.com

... which is so confusing that you'll never really know when something is a virus or not, hehe.

windwakr wrote:
It doesn't do anything suspicious the first couple times it is started.

Code:
push  offset SystemTime
callW GetSystemTime

cmp   byte ptr [wDay],5
jne   Exit

[...]
callW CreateFileA

This was taken from the source of a worm. As you would've guessed, it ensures infections only happen on every 5th of the month. What if TODAY is the 5th? Well a simple comparison of today's date (using GetSystemTime) and the virus file creation date (using GetFileTime API) is almost as easy.
Are you satisfied, or do you want me to code the entire virus?

Yawn, yawn, yawn ...
Post 31 Jul 2009, 09:58
windwakr
Joined: 30 Jun 2004
Posts: 827
Location: Michigan, USA
Whatever, you just keep on being paranoid. I'm fine downloading and running files just how I am. Seriously, you're trying to make a strong argument out of something that doesn't exist. Show me a virus that does all these things you mention. And even if you do show me one that does a lot of these things, that still won't make me paranoid like you two. I have more important things to worry about than a super hidden futuristic virus possibly being in any file I download.

_________________
----> * <---- My star, won HERE
Post 31 Jul 2009, 13:37
Borsuc
Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
ManOfSteel wrote:
3) You people are really too "confident" in your imaginary safety: you and right after you, windwakr.
That's not a point.

How can you know this is "imaginary" safety if you said so yourself these viruses are so hidden that we can't know about them?

If the virus is not detectable, then it's like invisible flying pink unicorns. So how do you know that our safety is "imaginary"? Do you have extrasensory perception and can see the viruses? Razz

You're telling me that I may have a virus without even knowing. That's cool, since you don't KNOW that yourself either (or are you saying that I am stupid and don't follow proper steps? if so then please enlighten me what I should do more than I already do Rolling Eyes).

It's like that funny Ninja argument: if Ninjas (viruses) were so good you wouldn't even be talking about them, because you wouldn't even know about them yourself. I mean completely undetectable and all that...



BTW I don't use VirusTotal every day, I only use it on apps that I download (and I rarely download an app every day), as viruses have no way to get in my machine otherwise (because of the sandbox).

BTW I'm pretty sure most AVs would signal the "Check 5th of the Month" thing you just posted...


I'd like to know however, what's your solution to this. You all present the fact "you're all doomed to get viruses" but yet no solution provided.

_________________
Previously known as The_Grey_Beast
Post 31 Jul 2009, 19:28
tom tobias
Joined: 09 Sep 2003
Posts: 1320
Location: usa
ManOfSteel wrote:
...you'll find it's quite easy to install and configure Xorg and any of the available window managers/desktop environments.
Yes, I am sure you are correct, however, I found on the contrary that I met with one obstacle after another. I didn't spend a lot of time on the project. After two unsuccessful attempts on a fresh install, (getting as far as "startx" before seeing a black screen, a blank black screen, with frozen mouse and keyboard), I gave up, and switched to the newest version of Solaris. ZERO. Again failure.
I went back to Mandriva, and was so happy to finally see KDE, that I overlooked all the inconvenience associated with the install.

Then I thought, oh, yes, let's do some benchmarking.

Wow. What a shock. I did not realize that SiSoft Sandra 1599 was ONLY available for M$. No can do under Linux/Unix. Holy Cow.

But, then, I thought, well, anyway, I could compare how long it takes to boot WinXP 32 bit, versus Linux 64 bit, on the same computer!!! Yeah!

But, as I was searching, hoping to find some way to execute Sandra 1599, I ran across this nifty site, and these guys are WAAY ahead of me:
http://www.tuxradar.com/node/33

This is a good article. Doesn't talk about viruses, but it does nicely summarize, with DATA, (I love data) the boot up times, as well as the installation times, and even the number of clicks of the mouse required for installation. Believe me, or not, as you choose, I had a table of mouse click quantities for each of four OS: Solaris, BSD, Linux, and Win XP. I also had, in my chart, whether or not one was OBLIGED to produce a password for the "root", i.e. me, and whether or not one was OBLIGED to create another user, i.e. me. At least Mandriva did not insist on a password for me#2, though I still had to furnish one for me#1. XP may have many faults, I observe lots of faults, especially whenever I reinstall win95b, but, at least I don't have to create a bloody user, nor provide any absurd passwords. So, I will live with the viruses, I am kind of a swampy guy anyway. I will simply reformat my hard drive every couple of weeks, and live with the need to make constant backups of everything.

Free BSD--amazing. I was dumbfounded to see myself in the time machine, looking in the mirror, way back to 1979, as I labored to install Unix on a PDP-11. Yeah, I used to know how to use vi and a couple of years later, emacs too. Wow. Those were the days!
http://oceanpark.com/papers/unix.html
Probably the two most incredible, mandatory, responses during the free bsd installation:

a. Which DVD (of the two listed) do I wish to employ for the installation, i.e. the first choice, highlighted, that is, the default choice, that is, the dvd which contains nothing, or the second choice, not highlighted, which contains the dvd from which the installation program commenced.....I had to choose. One or the other. The software would not proceed without my making a selection. If I wanted to change from the empty default, to the drive which actually contained the installation program, I had to first select, with the keyboard, not the mouse, just as in 1979, the second of the two options, and then, in a second operation, indicate willingness to proceed. (with caution)
Holy cow.
Is this software for real? Are these coders, or what? I bet these guys have a bunch of @@ signs in their code. They certainly don't know beans about user interface. Even thirty years ago, we had better programs than this.....

Sure brought back a lot of memories of many arguments directed against me, by scores of "real" programmers, back in the '70's insisting that I was a crypto communist for defending those pinko traitors working at Xerox Parc in hippie California:
http://en.wikipedia.org/wiki/History_of_the_graphical_user_interface
I tried to explain to those midwestern cowboys there was nothing crypto about it....

In those days, if Chairman Mao blinked twice, the USA built another three hydrogen bombs.

"Real programmers use a keyboard."

b. Testing the PS-2 mouse, not to use, mind you, but just to test, to make sure that this avant-garde device was recognized by the free bsd software, which apparently still considered mice attached to the RS-232 serial port as revolutionary--i.e. too advanced for conventional work. Anyway, "real programmers use a keyboard".

I could write pages about how miserable this software is, including Solaris, and all of the linux flavors, but it would just end up as another one of my usual, demented rants. I will leave it at this:

Shocked
Post 01 Aug 2009, 07:56
Azu
Joined: 16 Dec 2008
Posts: 1160
Borsuc wrote:
Besides, Azu, I'm not lucky. I'm just basing it on good statistical probabilities. Let me ask you this: do casinos "guarantee" profit? (after all they have the 'house edge')? No, if you are paranoid. Of course they still are in business, guess why? Wink
Because as long as their (winnings-losings)>overhead they are in business.

Your analogy sucks horribly though, since in the security world once you lose it's over, no matter how many times you won. And it gets worse; you might not even know you got screwed until a long while later. Or never, even.


Borsuc wrote:
To end the virus debate, I was thinking that I forgot to tell I also scan the apps with virustotal or other online scanner with many anti-viruses before use.

That's the best I can do.
Any competent VXer can easily bypass all of those static analyzers, especially when the virus gets to already be in a legit program rather than on its own..


Borsuc wrote:
4) infect both my firewalls
Wtf? Obviously the firewall is already allowing the browser to connect out on port 80, all any keylogger, remote administration tool, botnet client, or all of the above need is a single outbound port allowed.
P.S. and that's without even leaving the sandbox.

Borsuc wrote:

ManOfSteel wrote:
Hum, so ALL the archives that you download are encrypted? How are you able to impose that on every download, file sharing and P2P website/network you visit?
No, but since the virus has to ADD shit on downloaded archives (non-encrypted) and it has to give you the SIZE before download begins, it would have to add junk to these encrypted files which would render invalid signature. Wink
As usual, your whole argument comes down to wishful thinking, hoping that you'll be lucky. Guess what happens if you don't just happen to download an encrypted archive after infection and before downloading an unencrypted one? Wink

Of course this is completely besides the point anyways, since even encrypted archives can be padded without it being feasible to find, which is also besides the point since pretty much any executable can be infected without changing the size of the archive anyways...
Post 02 Aug 2009, 15:23
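The padding argument above (junk appended to a downloaded archive) can at least be checked mechanically for ZIP files, since a well-formed ZIP ends with its End Of Central Directory record plus an optional comment. The following is an added example, not code from the thread or from the fasm project: it locates the EOCD record, cross-checks it against the central directory it points to, and reports how many bytes trail the archive's true end and how large the comment field is. The sample archive is constructed inline.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End Of Central Directory record signature
CDIR_SIG = b"PK\x01\x02"   # central directory file header signature
EOCD_LEN = 22              # fixed part of the EOCD record, before the comment


def zip_trailing_bytes(data: bytes) -> tuple[int, int]:
    """Return (bytes_after_true_end, comment_length) for a ZIP image.

    A valid archive ends with the EOCD record followed only by its comment,
    whose length is stored in the last two bytes of the fixed record. Any
    further bytes are appended junk. A large comment is also worth a look,
    since it is the one place the format lets arbitrary bytes hide legally.
    """
    # The comment can be up to 65535 bytes, so the EOCD must start in this window.
    window_start = max(0, len(data) - EOCD_LEN - 0xFFFF)
    pos = data.rfind(EOCD_SIG, window_start)
    while pos >= 0:
        entries, cd_size, cd_offset, comment_len = struct.unpack_from(
            "<HIIH", data, pos + 10)
        # Accept this candidate only if it really points at a central directory
        # (or is an empty archive); this rejects a stray signature inside junk.
        cd_ok = entries == 0 or data[cd_offset:cd_offset + 4] == CDIR_SIG
        if cd_ok and cd_offset + cd_size == pos:
            true_end = pos + EOCD_LEN + comment_len
            return len(data) - true_end, comment_len
        pos = data.rfind(EOCD_SIG, window_start, pos)
    raise ValueError("no consistent End Of Central Directory record found")


def make_sample_zip() -> bytes:
    """Constructed sample archive with one small text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample file\n")
    return buf.getvalue()


if __name__ == "__main__":
    clean = make_sample_zip()
    print(zip_trailing_bytes(clean))                     # (0, 0)
    print(zip_trailing_bytes(clean + b"\x90" * 37))      # (37, 0)
```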
Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.