link virus info needed
Results 1 to 9 of 9

Thread: link virus info needed

  1. #1

    link virus info needed

    Can anyone please explain how virues are created with *.dll files.Also how do we detect or fightback such viruses(without using antivirus software).

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    772
    ? Do you mean like they use functionality of some dll file??
    The above sentences are produced by the propaganda and indoctrination of people manipulating my mind since 1987, hence, I cannot be held responsible for this post\'s content - me

    www.elhalf.com

  3. #3
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    I am not sure what you mean? a virus could be disguised as a "harmless" .dll file, and coould work in all sorts of ways depending on what the viral code actually was.

    Try http://www.Runtimeware.com

    There is a product called "Sentinel" that monitors .dll and other files for changes that might be malicious.

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    Senior Member
    Join Date
    Jul 2002
    Posts
    123
    thats a fairly broad question, please try and be a little more specific and i may be able to help
    speak your mind becuase those who matter don\'t mind and those who mind don\'t matter

  5. #5
    Banned
    Join Date
    Dec 2003
    Posts
    138
    Why would you like to detect a dll virus without using an AntiVirus software,huh?

  6. #6
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    That one is easy:

    Why would you like to detect a dll virus without using an AntiVirus software,huh?
    Because they are too damn late

    I am assuming that this is "traditional" AV scanning software like Norton & McAfee.

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  7. #7
    Banned
    Join Date
    Dec 2003
    Posts
    138
    Watcha mean they're late?

  8. #8
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    By "late" I mean the following:

    1. Traditional AV looks for patterns in code....or it looks for potential generic patterns (heuristics)
    2. It may also look for simple text identifiers like "dead cow" or whatever.

    What they will not detect are completely new malwares, that do not have a match in their "signatutre", "pattern" or "dat" files. This is why they let stuff through.

    Compounding this is the speed at which they release updates, and the speed at which users apply these updates. A virus could have 10 days on the run, so to speak....that is far too long

    I am sure that we all appreciate this "latency" problem?

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  9. #9
    Member tsunami's Avatar
    Join Date
    Jul 2003
    Posts
    30
    Ok a few points to raise

    There are viruses that propagate them selves using .dll files. But there are some important things to note about these.
    They do NOT arrive on the target machine as a dll file, they are dropped by something else.
    A dll file containing virus code can be run very simply by adding an entry in HKLM/Software/Microsoft/Windows/CurrentVersion/Run
    with a value of (eg)

    rundll32 c:/Winnt/System32/hdueknat.dll, -boottime

    The important thing to notice here is that rundll32 is a valid windows utility, but the dll file that it is going to run has been dropped into a directory that most users wont look at, let alone know what should be in there. Also the dll file has a very obscure name, in most cases completely random, which makes it hard to place as a file for a specific program.
    This can get even more complicated when the dll file in question doesnt contain any viral code in the normal storage way, but has an adition 'alternative data stream' or ADS. This is referenced by using a ':' rather than a '/' when it comes to stating the file name.
    Adware and spyware use the technique of running dll files at start up a lot more than viruses do however.

    There are a handful of viruses that work in this way
    http://www.sophos.com/virusinfo/anal...coreflooc.html <dll file virus with ADS>
    http://www.sophos.com/virusinfo/anal...32dumarua.html <ADS virus>


    Nihil is absolutely right when he mentioned the subject of being 'late'. It is imposible for an AV company to be pre-emptive or proactive against virsues. They can in essense only be reactive about viruses. The one exception to this is heuristic scanning, which in all honesty, to begin with, looked like a good idea. But in practice this technique of scanning creates a lot of false/positives, and even a number of false/negatives.
    The best way to stay virus free is to implement a firewall, be it hardware or software, either on the gateway, or on the host machine. The keep up with all security patches, whether these are related to windows systems, or unix/linux, or mac, etc. Dont open attachments on emails that u are not expecting (it still makes me groan in anguish when a customer rings us and says they have this virus, and they blatently opened an unsolicitated file). The last line of defence should be your AV software. If it is kept up to date, then u have a better the good chance of stopping anything from actualy getting into the core of the machine. But there will always be exceptions, as viruses change.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides