Thread: Learning to program from a security point of view

  1. #1
    Member
    Join Date
    Apr 2003
    Posts
    95

    Learning to program from a security point of view

    Ok, I want to learn how to program in some more useful languages (I have learnt to use a basic language called "DarkBasic", great for making 3D games, not for much else) and have been googling a lot for languages like C++ etc. But then I thought I would post here to see if anyone knew of any guides to programming (not too bothered about the language, I want to end up knowing a wide range) that specifically concentrate on both programming secure programs and programming security programs, as this area most interests me. Or do people feel I would be best learning a language well AND THEN looking into more secure practices and programming security software? Thanks in advance for any advice.

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    You **MOST** definitely want to learn a language first. Then you can start looking into programming from a security perspective. Keep it in the back of your mind as you learn the language and watch out for little things that malicious users could exploit. You can't learn the more advanced aspects of a language without first learning the basics. Choose your language, start reading up and get the basics down pat. I highly recommend you look into Python. If you search you'll find a good chunk of tutorials I've written as well as a port scanner. I'm currently working on turning the port scanner into a tutorial to give users a better understanding of how sockets work.

    Peace,
    HT

  3. #3
    Member
    Join Date
    Apr 2003
    Posts
    95
    Thanks for the reply. Yes, I wasn't suggesting that I learn advanced stuff before the basics; I just thought that there might be guides that teach the basics with security in mind. And yes, Python was one of the languages I was googling... I think I'll look about for some tuts. Also, is your port scanner open source? I wouldn't mind looking once I've got my head around the language. Thanks

  4. #4
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    Python is an interpreted language, rather than a compiled language, so by that means it has to be open source. All you have to do is open the file in any text editor and you can see the code. As far as my scanner (Pyscan... name subject to change)... feel free to look at it, break it, copy it, do as ya please... just give credit where credit is due. You can find it on AO under, I believe, Scanner & IDS discussions; there's also a thread under Code Review regarding it.

    Peace,
    HT

  5. #5
    Member
    Join Date
    Apr 2003
    Posts
    95
    Oops, that's another bad one you've picked me up on. I looked at a few tuts and completely misunderstood the whole interpreted thing.

  6. #6
    Banned
    Join Date
    Dec 2003
    Posts
    138
    I want to ask a similar question: which language is the best (and the easiest) when you plan to program security software, for example removal tools for individual viruses?

  7. #7
    HeadShot Master N1nja (Cybr1d)
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    I want to ask a similar question: which language is the best (and the easiest) when you plan to program security software, for example removal tools for individual viruses?

    You use an Antivirus . LOL j/k.

    Hmm... C++ would be able to, so would many other languages depending on your skillset and the time you want to spend programming it. You could make a simple program which would search for keywords or traits of the virus and then "quarantine" the file that is infected. Mainly Assembly Language is used... for its complex functions.


    Here's a little website that might help all of you who are getting into programming:

    http://www.thefreecountry.com/compilers/



    As for the types of viruses, here's a little bit of info on their prefixes:

    http://securityresponse.symantec.com...vnameinfo.html

    PREFIXES

    A2KM
    Access macro viruses that are native to Access 2000.

    A97M
    Access macro viruses that are native to Access 97.

    AM
    Access macro viruses that are native to Access 95.

    AOL
    Trojan horses that are specific to America Online environments and usually steal AOL password information.

    BAT
    Batch file threats.

    Backdoor
    Threats may allow unauthorized users to access your computer across the Internet.

    Bloodhound
    Bloodhound is the name of the Norton AntiVirus heuristic scanning technology for detecting new and unknown viruses.

    DDoS
    Distributed Denial of Service threats. Distributed Denial of Service involves using zombie computers in an attempt to flood an Internet site with traffic.

    DoS
    Denial of Service threats. Not to be confused with DOS viruses, which are named without prefixes.

    HLLC
    High Level Language Companion viruses. These are usually DOS viruses that create an additional file (the companion) to spread.

    HLLO
    High Level Language Overwriting viruses. These are usually DOS viruses that overwrite host files with viral code.

    HLLP
    High Level Language Parasitic viruses. These are usually DOS viruses that attach themselves to host files.

    HLLW
    A worm that is compiled using a High Level Language. (NOTE: This modifier is not always a prefix, it is only a prefix in the case of a DOS High Level Language Worm. If the Worm is a Win32 file, the proper name would be W32.HLLW.)

    HTML
    Threats that target HTML files.

    IRC
    Threats that target IRC applications.

    JS
    Threats that are written using the JavaScript programming language.

    Java
    Viruses that are written using the Java programming language.

    Linux
    Threats that target the Linux operating system.

    O2KM
    Office 2000 macro viruses. May infect across different types of Office 2000 documents.

    O97M
    Office 97 macro viruses. May infect across different types of Office 97 documents.

    OM
    Office macro viruses. May infect across different types of Office documents.

    PWSTEAL
    Trojan horses that steal passwords.

    Palm
    Threats that are designed to run specifically on the Palm OS.

    Trojan/Troj
    These files are not viruses, but Trojan horses. Trojan horses are files that masquerade as helpful programs, but are actually malicious code. Trojan horses do not replicate.

    UNIX
    Threats that run under any UNIX-based operating system.

    VBS
    Viruses that are written using the Visual Basic Script programming language.

    W2KM
    Word 2000 macro viruses. These are native to Word 2000 and replicate under Word 2000 only.

    W32
    32-bit Windows viruses that can infect under all 32-bit Windows platforms.

    W95
    Windows 95 viruses that infect files under the Windows 95 operating system. Windows 95 viruses often work in Windows 98 also.

    W97M
    Word 97 macro viruses. These are native to Word 97 and replicate under Word 97 only.

    W98
    Windows 98 threats that infect files under the Windows 98 operating system. Will only work in Windows 98.

    WM
    Word macro viruses that replicate under Word 6.0 and Word 95 (Word 7.0). They may also replicate under Word 97 (Word 8.0), but are not native to Word 97.

    WNT
    32-bit Windows viruses that can infect under the Windows NT operating system.

    Win
    Windows 3.x viruses that infect files under the Windows 3.x operating system.

    X2KM
    Excel macro viruses that are native to Excel 2000.

    X97M
    Excel macro viruses that are native to Excel 97. These viruses may replicate under Excel 5.0 and Excel 95 as well.

    XF
    Excel formula viruses are viruses using old Excel 4.0 embedded sheets within newer Excel documents.

    XM
    Excel macro viruses that are native to Excel 5.0 and Excel 95. These viruses may replicate in Excel 97 as well.



    SUFFIXES

    @m
    Signifies the virus or worm is a mailer. An example is Happy99 (W32.Ska), which only sends itself by email when you (the user) send mail.

    @mm
    Signifies the virus or worm is a mass-mailer. An example is Melissa, which sends messages to every email address in your mailbox.

    dam
    Indicates a detection for files that have been corrupted by a threat, or that may contain inactive remnants of a threat, causing the files to no longer be able to execute properly or produce reliable results.

    dr
    Indicates that the detected file is a dropper for another threat.

    Family
    Indicates a generic detection for threats that belong to a particular threat family based on viral characteristics.

    Gen
    Indicates a generic detection for threats that belong to a particular threat type based on viral characteristics.

    Int
    Indicates an intended threat. Threats that are intended to spread, but don't due to bugs or errors in the viral code.

    Worm
    Indicates a worm, not a virus. Worms make copies of themselves that they send across a network or using email, or another transport mechanism.

    You will most likely need to take a look here if you are going to try to develop an antivirus: http://msdn.microsoft.com/

    Knowing a bit about winsockets is very useful: http://www.hal-pc.org/~johnnie2/winsock.html

    But you should first learn what exactly an Antivirus does and how it works:


    How does Antivirus Work?

    Today's antivirus software typically adopts one or more of the following methods to screen emails and files moving in (and out) of a computer:

    File Scanning - usually after antivirus installation and download of the latest virus definitions (file/files containing the latest virus info that the antivirus software uses to detect viruses). This scans certain or all files on the computer to detect virus infection. All antivirus software allows user-scheduled background scanning.

    Email and Attachment Scanning - since email is the primary virus delivery mechanism, this is the most important function of the antivirus software. All antivirus software today scans both email content and attachments for viruses - some, like Norton, pick up your emails from your email server before passing them to your computer for scanning (downside: if the scanning server is bogged down, you will encounter delays) and others, like Bullguard, intercept your emails and attachments in your computer before passing them to your email program.

    Download Scanning - scans files that are being downloaded from a website/FTP. Ex. during a "File Download" - Save this file to disk operation or using a download accelerator.

    Heuristic Scanning - used to detect viruslike code in emails and files based on intelligent guessing of typical viruslike code patterns and behaviour. Test labs use 'zoo viruses' (fabricated viruses) to test the performance of antivirus software in detecting new viruses.

    Active Code Scanning - new browsers allow active code like Java and ActiveX in webpages. But this code can also be of a malicious nature and do severe damage to the computer and go on to infect other computers. Links in emails can invoke active code in a webpage and do the same damage.
    And

    How does an antivirus work?

    It’s your computer’s guardian angel: it cares for its health, protects it from viruses and repairs the infection-induced damages. Today, you can’t do without one. But how does it actually detect and eliminate viruses? Why should you update it? Can it repair all the infected files? Here’s a close-up look at this critical tool.



    Several protection devices
    Whether in an ad hoc or discreet way, an antivirus uses several ways to protect you. One of the most familiar ways is the complete scanning of the computer. Whether initiated by the user or performed on a regular basis, scanning allows you to analyze all the files one at a time and to check them in order to see if they contain a virus. It’s mostly efficient when a contamination is suspected. You may opt to analyze the entirety or part of your files or even focus exclusively on files that are stored on a floppy disk.
    During the scanning, the antivirus searches for traces of a virus with the help of its signatures database. Just like every executable program, viruses are made of codes. Every time a virus is discovered, antivirus publishers record codes called “signatures” and incorporate them in their software database. The signature is comprised of a series of characters that are incomprehensible to the users, and legible by the computer only.

    Example: X5O!P%@AP[4\PZX54(P^)7CC)7$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    If you copy this line into a text file and save it as an executable with a .com extension, your antivirus will detect it as a virus, because this code is stored in its database.

    Real-time monitoring
    The scanner allows you to have a snapshot of your system at any given moment. In order to provide real-time and constant protection, antivirus precautions resort to another procedure: background monitoring. Also known as “monitor”, this antivirus feature is constantly active, without your even knowing it. It monitors all of the computer’s incoming and outgoing files, analyzes each new document that is stored on a floppy disk, downloaded or sent via e-mail. This constant monitoring allows the antivirus to keep any suspect file at bay. Just like the scanner, the monitor also uses the signatures database. If not updated, the antivirus won’t be able to detect the latest threats. But a lot of users fail to perform an update or don’t perform it as often as they should. A late update can actually prove fatal: three level 3 and 4 viruses appeared within one week at the end of August. Here’s another source of concern: the irruption of polymorphic viruses, whose signature changes on each infection. This type of virus is hard to detect with signatures.
    In order to resolve these problems, publishers have developed the heuristic research system. Working independently from signatures, this system uses artificial intelligence technology to detect viruses. It recognizes patterns that are deemed abnormal for a healthy application.
    Example: when you launch a normal program, it starts looking for the options command line. But viruses behave differently; they look for executables in order to multiply, try to write directly on the disk or try to decipher their initially encrypted code (in the case of polymorphic viruses) etc. If the antivirus detects an application that contains several anomalies (one that contains a hard drive formatting code, for instance) it will trigger a virus alert. An antivirus can then block viruses that are still unknown or not stored in its signature database. The false alert risk inherent to this method (e.g. the antivirus may mistake a formatting tool for a virus) is minimized thanks to its simultaneous use with other tools, such as the integrity controller. This tool regularly checks certain software constants (such as the size, the creation date, etc). When this data is modified, it means that a virus is present.

    Express repair
    Once it detects an infected file, an antivirus will first quarantine it in order to prevent it from multiplying. It then tries to clean it up by erasing the virus code and by repairing the damaged parts. This procedure is possible if the virus has spread by adding its code to the application's code. But as some viruses infect the entirety of the files, it is then impossible to recover them. The antivirus will quarantine this file and suggest that the user delete it.
    And let's not forget:

    Traditional antivirus software uses "exact detection" to identify viruses. The software keeps a large database of "fingerprints" of known viruses.


    Each fingerprint is a set of characteristic bytes from a known virus. When these bytes are found in a program, the antivirus software notifies the user about the virus.


    There are also newer technologies, called "heuristics," that look for viruslike behavior in programs. This technology has been known to detect completely new viruses.

    Have fun



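
The quoted material above describes two mechanisms: exact detection (a database of characteristic bytes, or "fingerprints", searched for in each file) and an integrity controller that records constants such as a file's size and compares them later. The following Python sketch is an added example, not code from this thread or from any antivirus product; the signature database, the host file and the "infection" are all constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed signature database: detection name -> characteristic bytes.
# Both patterns are invented for this example; a real product ships thousands
# of such fingerprints and replaces them with every definition update.
SIGNATURES = {
    "Example.Test.A": b"EXAMPLE-TEST-SIGNATURE-A",
    "Example.Test.B": bytes.fromhex("deadbeefcafebabe00"),
}
OVERLAP = max(len(s) for s in SIGNATURES.values()) - 1

def scan_bytes(data: bytes) -> list:
    """Exact detection: every signature whose bytes occur in data."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)

def scan_file(path: str, chunk_size: int = 1 << 16) -> list:
    """Scan chunk by chunk, carrying the previous chunk's tail so a signature
    that straddles a chunk boundary is still found."""
    hits, tail = set(), b""
    with open(path, "rb") as f:
        while block := f.read(chunk_size):
            data = tail + block
            hits.update(scan_bytes(data))
            tail = data[-OVERLAP:]
    return sorted(hits)

def file_constants(path: str) -> tuple:
    """What the integrity controller records per file: size and SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return os.path.getsize(path), h.hexdigest()

def integrity_changes(baseline: dict) -> list:
    """Paths whose size or hash no longer match the baseline, or that vanished."""
    return sorted(p for p, fp in baseline.items()
                  if not os.path.exists(p) or file_constants(p) != fp)

def demo() -> dict:
    """Constructed sample: a clean host program is baselined and scanned, then
    'infected' parasitically by appending code that carries a signature."""
    host = os.path.join(tempfile.mkdtemp(), "host.exe")
    with open(host, "wb") as f:
        f.write(b"MZ" + b"\x00" * 65518)   # 65520 bytes: the signature will straddle 64 KiB
    baseline = {host: file_constants(host)}
    before = scan_file(host)
    with open(host, "ab") as f:
        f.write(b"<viral code>" + SIGNATURES["Example.Test.A"])
    return {"before": before, "after": scan_file(host),
            "changed": integrity_changes(baseline)}
```

Note that the signature is deliberately placed across the 64 KiB read boundary; without the carried-over tail the scanner would miss it, which is the kind of gap a polymorphic or split signature exploits.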
  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Any language can be used to remove a virus. You could even do that with a bat file, including removing the reg entries, although you might have to include a process killer. And I don't think your question deserved a "LoL". Why do you think AV companies make removal tools and post removal instructions? It's an admirable endeavor, ali1.

  9. #9
    HeadShot Master N1nja (Cybr1d)
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    You'll probably need to put in the code something that will remove registry keys.

  10. #10
    Junior Member
    Join Date
    Apr 2004
    Posts
    13

    Programming languages

    I agree with Cybr1d and Tedob1... you'll probably need to code something that will check and remove (if necessary) the affected registry keys. Usually viruses add their own files to the Windows registry, usually enabling them to boot up along with Windows. Word of caution though... modifying the registry is a pretty serious thing if you haven't mastered it yet. Modifying it with an anti-viral program that isn't perfectly ironed out could prove to be disastrous. Either way though, many languages (such as C++) are apt for creating AV programs. Like Tedob1 said, actually, almost any language would work if you're gonna create an AV program... just do it well and study every aspect of the language. You're bound to be a good programmer as long as you keep experimenting. Good luck!
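
The last three replies agree that a removal tool has to check the autorun registry keys and remove the threat's entries, and warn against doing so carelessly. As an added example (not from the thread or any vendor tool), the Python below works on an exported .reg file rather than the live registry, so the check can be reviewed before anything is deleted; the export text, the value names and the "known-bad" file names are all constructed for the demo.

```python
import re

# Constructed 'reg export' of the autorun keys. The entries are invented for
# this example; "Updater" and "Helper" play the threat's persistence entries.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"Updater"="C:\\Users\\Public\\updater.exe /silent"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Helper"="\"C:\\Users\\Public\\Bad Helper\\helper.exe\" -run"
'''

# Files the (hypothetical) removal tool knows belong to the threat it targets.
BAD_FILENAMES = {"updater.exe", "helper.exe"}

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            current = keys.setdefault(m.group(1), {})
        elif (m := VALUE.match(line)) and current is not None:
            # undo the .reg escaping of backslashes and double quotes
            current[m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys

def launched_file(command: str) -> str:
    """Basename of the program a Run entry starts, honouring a quoted path."""
    exe = command[1:command.index('"', 1)] if command.startswith('"') else command.split(" ")[0]
    return exe.rsplit("\\", 1)[-1].lower()

def plan_removal(keys: dict) -> list:
    """(key, value_name, command) for every Run entry that launches a known-bad file.
    This is only the plan: deleting values is a separate step taken after a backup."""
    plan = []
    for key, values in keys.items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, command in values.items():
            if launched_file(command) in BAD_FILENAMES:
                plan.append((key, name, command))
    return plan
```

Matching on the launched file name rather than the value name is deliberate: the value name is whatever the threat chose, while the path it starts is what the removal tool actually knows about.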
