flat assembler
Message board for the users of flat assembler.

Thread: TROJAN - fasmlib-0.8.0 (Projects and Ideas)
Ivan2k2



Joined: 08 Sep 2004
Posts: 80
Location: Russia, Angarsk
Ivan2k2 22 Oct 2010, 12:37
Maybe Rustock was written with fasm and fasmlib?
c\c++ + (f)asm
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 22 Oct 2010, 13:08
Rustock is just one of many things that AVs report on these files: http://www.virustotal.com/file-scan/report.html?id=5a06b06eb7530a640298c732f77b1a1305b1362846088add21c63b256dc23f43-1256003064

Come on, it's just another false alarm of which we have seen dozens.
ManOfSteel



Joined: 02 Feb 2005
Posts: 1154
ManOfSteel 22 Oct 2010, 13:25
janequorzar wrote:
Fact : A Virus / Rootkit can destroy computer hardware. If you say it cannot, look it up.

Oh, please! Are you serious? Yes, some malware can overwrite the BIOS flash ROM, but this is not really hardware. I would REALLY like to see some solid proof of malware frying NICs or PSUs, and it had better not be from snopes.com.

On a fun note:
http://answers.yahoo.com/question/index?qid=20080809001001AALJvto wrote:

Q: Can a virus damage hardware like hard disk, CD or DVD drive etc.. ?
A: yes there is a guy in America who designed a virus which turns the system idle process up to like 120 then if u move the mouse the harddrive and cpu can melt and even EXPLODE!!

I hope he was messing with the OP.

janequorzar wrote:
Fact : A virus / Rootkit can steal information from people that a would be attacker can use in an illegal way such as identity theft. This has even happened to me.

Actually, spyware does. Computer viruses emulate biological ones and simply replicate by infecting (overwriting or appending) executables (the vector) so they can spread throughout the entire filesystem (the host). A rootkit infects or replaces system tools in order to hide other activities, such as a hacking in progress or the storage/sharing of illegal material.
As for an identity theft happening to you, are you sure you did not share too much personal information with the whole world on Facebook or logged into your e-mail account while someone was shoulder surfing you?

janequorzar wrote:
Fact : A lot of people saying and exposing the fact that they do not use an anti-virus gives opportunity to others to exploit you.

Aside from the script-kiddie creep next door who has been stalking you for the past 6 months, most malware outbreaks are indiscriminate attacks usually occurring on a regional or worldwide scale. They occasionally target specific machines/networks depending on the data stored on their disks (e.g. marketing plans, CAD files, supplier lists) or some running software (e.g. industrial control systems).
Of course you could try to e-mail me some malware and hope I get infected but don't even think you could fool me with a "big_boobs.png.exe" or lure me into following a link to "cheapviagra.com".

janequorzar wrote:
Look, again, everyone is speculating... but find facts to support your claims. Let's get FASMLIB working.

It is already working.

janequorzar wrote:
So if it's not in the sources then what is it that IS causing it?

Crappy AV heuristics recognizing malware everywhere and not recognizing it when it is there?

janequorzar wrote:
Is fasm pulling from another DLL no one knows about ?

Does "dynamic linking" ring a bell? Neither fasm nor fasmlib is pulling anything from any DLL. The source is simply assembled, and external code comes into play *only* when the program is run by the OS's executable loader. There is no mysterious DLL.
DarkAlchemist



Joined: 08 Oct 2010
Posts: 108
DarkAlchemist 22 Oct 2010, 15:19
Well said ManOfSteel.

Bravo, but, alas, it will fall on deaf ears.
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 22 Oct 2010, 17:09
Hungry trolls need feeding, too.
mindcooler



Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
mindcooler 22 Oct 2010, 18:05
Even my PE-from-scratch Hello World gets positives from three AVs.

Quote:
AntiVir 8.2.4.52 2010.09.16 TR/Crypt.XPACK.Gen
CAT-QuickHeal 11.00 2010.09.16 (Suspicious) - DNAScan
McAfee-GW-Edition 2010.1C 2010.09.16 Heuristic.LooksLike.Win32.Suspicious.J

baldr



Joined: 19 Mar 2008
Posts: 1651
baldr 22 Oct 2010, 19:10
mindcooler,

Is your PE small enough? Mine (0.3k IIRC) alerts almost all of them.
mindcooler



Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
mindcooler 22 Oct 2010, 19:36
Well, mine is almost a k, 1021b.

I don't see why size alone should be suspicious.
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr 22 Oct 2010, 20:07
mindcooler,

Then you have to RE AVs more.

Heuristics are the scourge of AV country. They feel confident in their algorithms, yet those algorithms are so fuzzy that a single-section PE is suspicious.

Signature analysers can't beat morphing engines, so they stuff in more (and more) detected signatures until the whole thing goes awry.

All in all it's just a brick in the wall.
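The "single-section, tiny PE" heuristic baldr describes above, as an added illustration that is not part of the thread: a small Python script that reads the PE headers and reports the crude header-only flags a naive scanner might raise. The PE image it builds is a constructed toy, not fasm or fasmlib output, and the flag names are made up for the example.

```python
import struct

def build_toy_pe(num_sections=1, characteristics=0xE0000020, import_rva=0):
    """Constructed PE32 image (not a fasm output). Defaults mimic a bare
    hand-built 'Hello World': one RWX section, no import directory, < 1 KiB."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE header right after DOS stub
    opt_size = 224                                     # PE32 optional header incl. 16 data dirs
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, num_sections,
                       0, 0, 0, opt_size, 0x0102)      # i386, EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, import_rva, 0x40 if import_rva else 0)  # dir 1 = imports
    raw = 64 + 24 + opt_size + 40 * num_sections       # raw data starts after all headers
    secs = b"".join(struct.pack("<8sIIIIIIHHI", b".flat", 0x200, 0x1000 * (i + 1),
                                0x200, raw, 0, 0, 0, 0, characteristics)
                    for i in range(num_sections))
    return bytes(dos) + coff + bytes(opt) + secs + b"\x90" * 0x200

def pe_heuristics(data):
    """Flags a crude heuristic scanner might raise from the headers alone."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    num_sections, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    dirs_at = opt + (96 if magic == 0x10B else 112)    # data directories: PE32 vs PE32+
    num_dirs, = struct.unpack_from("<I", data, dirs_at - 4)
    import_rva = struct.unpack_from("<I", data, dirs_at + 8)[0] if num_dirs > 1 else 0
    flags = []
    if num_sections == 1:
        flags.append("single_section")
    for i in range(num_sections):
        chars, = struct.unpack_from("<I", data, opt + opt_size + 40 * i + 36)
        if chars & 0x80000000 and chars & 0x20000000:  # MEM_WRITE and MEM_EXECUTE together
            flags.append("rwx_section")
            break
    if import_rva == 0:
        flags.append("no_import_table")
    if len(data) < 2048:
        flags.append("tiny_file")
    return flags
```

Run it on a real compiler-produced binary and the same checks come back empty, which is exactly why such rules look "confident" yet flag any hand-laid-out PE.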
iic2



Joined: 26 Jun 2008
Posts: 122
iic2 23 Oct 2010, 09:09
Thanks janequorzar for the heads up. I say they don't like FASM because they can't detect every detail; besides, it's not an MS thing... MS be paying us... so who cares about FASM anyway.
Quote:
That makes a lot of sense.. After this thread I am starting to think this way.

I started thinking like this last week, actually for a few years now.

I'm like you janequorzar, I hear you loud and clear. You're not claiming to be an expert. All you are saying is:

"Don't drop it, just pass it on! ... with a few notes we can get it back on track"


Reading this thread kind of made me feel this was all your fault. hee hee
PS: People
dd if=/dev/zero of=/dev/win_par bs=1M
and please add conv=notrunc,noerror

dd to back up your finest working Windows, then dd to clean your programming disk and Windows partition sometimes... I will not go into details but sh*t happens, bigtime, and you never know until the end. Save your project 3 times (in steps) (as app_111 is main with latest changes... get it) and off-site even for ANY kind of change no matter how small. Reboot and make sure it still W O R K S... then test it on another machine.
bitRAKE



Joined: 21 Jul 2003
Posts: 4227
Location: vpcmpistri
bitRAKE 24 Oct 2010, 04:14
AVs are like strapping on thousands of condoms to avoid STDs (because there are several types). Not only do the condoms break, but the experience is less than pleasurable.

It's a flawed approach - look at how hard it is for our own bodies to fight cancer. A virus could be created to reconfigure whatever software is present on the machine to act in a malicious manner. Meaning the virus is stored at an operational abstraction layer - not existing in a single searchable place.

How could this be detected? The AV industry stopped at a rough approximation of Natural antibodies. Luckily the human body does a great deal more - otherwise we'd all be dead.

The OS/browser can restrict software, but people want control and that makes the system vulnerable. I prefer to trust myself rather than defer to someone else, but it's nice to be informed about what is happening behind the scenes. So, when I make a mistake I know better where the mistake was made.

[I've been thinking a lot about how to protect transparency in many settings.]
drobole



Joined: 03 Nov 2010
Posts: 67
Location: Norway
drobole 04 Nov 2010, 03:21
I'm using a commercial version of Norman at work and I get trojan alerts on a lot of fasm executables, including the examples and fasmlib.
I have tried to compile the source of the offending example (flibcdll.asm) and I don't get any alerts on the resulting executable.
Even though I have no reason to suspect the developers of these executables, I don't know who has access to the server where these executables reside. Either way it might be an idea to remove the executables from the example download.
Tyler



Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
Tyler 04 Nov 2010, 05:31
Has anyone verified the executables are untampered with? Wasn't this site hacked once? ... or was it just the forum that was messed with?
mindcooler



Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
mindcooler 04 Nov 2010, 08:56
TrendMicro HouseCall thought my whole fasm folder was viruses.
JohnFound



Joined: 16 Jun 2003
Posts: 3499
Location: Bulgaria
JohnFound 04 Nov 2010, 09:45
This thread is looking too paranoid for me...

There were false positives for Fresh and Fresh-compiled binaries in the past, but after sending several examples to the Avira support desk, and when I downloaded the next update, the alarms stopped.

Also, on my work computer, there is a Symantec corporate edition installed. When our IT support team installed it for the first time, there were also false positives for all Fresh and Fresh-compiled files.
It was fixed by our IT support and now I am working with Fresh on every corporate computer without problems.

Before, it was easy for AV makers: if it is bloated and huge, then it is not a virus. If it is compact and efficient, then it is a virus.
Now, when there is a growing list of assembly-written applications, detecting real viruses is really harder.

Regards.
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 04 Nov 2010, 09:48
Quote:
Now, when there is a growing list of assembly written applications, ...

Is there?
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20638
Location: In your JS exploiting you and your system
revolution 04 Nov 2010, 09:51
vid wrote:
Quote:
Now, when there is a growing list of assembly written applications, ...

Is there?
I imagine the ratio is getting smaller but the absolute number will be increasing. One thing is for sure, the list can never get smaller.
JohnFound



Joined: 16 Jun 2003
Posts: 3499
Location: Bulgaria
JohnFound 04 Nov 2010, 10:21
vid wrote:
Quote:
Now, when there is a growing list of assembly written applications, ...

Is there?


Ah, yes, there is.
Of course, not every programmer comes to the forum to post: "I made a great program with FASM."
iic2



Joined: 26 Jun 2008
Posts: 122
iic2 06 Nov 2010, 18:40
inverses


Quote:
This thread is looking too paranoid for me...


I'll never cash in. It's been a while, and now I understand the C++ that many FASM users are crazy about. I plan to do a lot of FASM modules as HOST for C++ code. I hope this is not cheating toooo much? I just want to put a little time in it.

All I need is the link to vid's "OPP's article for FASM". I did a clean-up week back in July and I have not found them yet. It's buried so deep in my backup. Google turns up everything other!!!

Google-Please: (ASM, FASM, vid OPP's for FASM)
but no vid?

http://www.google.com/search?hl=en&source=hp&ie=ISO-8859-1&q=ASM%2C+FASM%2C+vid+OPP%27s+for+FASM&btnG=Google+Search&aq=f&aqi=&aql=&oq=&gs_rfai=

What's up with that? I might as well ask here.

Mostly, I just don't like the curly braces. It can't be impossible to replace them for personal use with the help of codeblocks or something. C++ and FASM. I always have wondered about them. Now it's like they're on the same team with my FASM as QUARTERBACK, so jumping ship is out of the question.

http://www.codeblocks.org/
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 06 Nov 2010, 20:48
iic2 wrote:
Mostly, I just don't like the curly braces.
Code:
#include <stdio.h>
/* Swap the braces for keywords; the preprocessor does the rest. */
#define BEGIN {
#define END }

int main(void)
BEGIN
  printf("42\n");
  return 0;
END

_________________
carpe noctem
Copyright © 1999-2025, Tomasz Grysztar.