
Thread: Where all scanners fail

  1. #1

    Greetings,

    What I'm going to say next is very well known and also, I think, a BIG NIGHTMARE FOR ALMOST ALL ADMINS:

    I'm talking about custom code.

    I'm taking the example of a custom Trojan/backdoor posted here on AntiOnline not long ago.
    For all those who remember, it was called "GENIE" (that's what the member who posted it called it).
    Anyway, I had some free time which I decided to put to some *experimental* use: I decided to get my entire PC scanned online and offline.

    I had a total of 4 viruses (1 trojan and 3 Symbian viruses, all in separate zip files). I have Norton AntiVirus 2005 installed on the system (Bloodhound was set to medium [default] for real-time scanning and high for manual scanning). I downloaded the latest definitions from the web site and installed them before scanning.

    Following are the scanners (anti-viruses) used and their results:

    Norton AntiVirus 2005: clean

    Trend Micro's HouseCall: found 1 trojan

    Microsoft's Live: found 3 Symbian viruses

    Panda: clean

    So the results are very clear: if the virus is in the wild then there is a signature for it (except Trend Micro, which found the trojan; I'm not counting the Symbian viruses as they only infect Symbian OS), or else there is no signature.

    I really got nightmares after I read a particular article posted by a member here at AntiOnline about rootkits. A custom-coded virus or riskware is almost impossible to find using anti-virus, even with heuristic technology enabled.

    So here is my question: how do you protect a system from such an infection? Now, I know keeping the other security measures tight is the best way, but I want options beyond that.

    I would like options for both a home PC and a PC in a network environment.

    Here is what I thought of:

    using checksum software for all the files on the system right after installing and updating, but this is not possible for networks and large organizations.


    PS: I'll also be posting links from Symantec's response to the trojan samples I had submitted.
    I would also like to thank Tiger Shark for helping me in this thread.



    Edit

    Symantec Security Response has determined that the sample(s) that you provided
    are infected with a Trojan. We have created RapidRelease
    definitions that will detect this threat. Please follow the instruction at the
    end of this email message to download and install the latest RapidRelease
    definitions.
    Downloading and Installing RapidRelease Definition Instructions:
    1. Open your Web browser. If you are using a dial-up connection, connect to any
    Web site, such as: http://securityresponse.symantec.com/
    2. Click this link to the ftp site:
    ftp://ftp.symantec.com/public/englis...asedefsi32.exe.
    If it does not go to the site (this could take a minute or so if you have a slow
    connection), copy and paste the address into the address bar of your Web browser
    and then press Enter.
    3. When a download dialog box appears, save the file to the Windows desktop.
    4. Double-click the downloaded file and follow the prompts.

    /Edit
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  2. #2
    Senior Member, joined Jul 2004, 548 posts
    Hi,

    I have a question: did you extract the zip files before running the tests? The reason I ask is because you may not have had compressed file scanning enabled, and therefore the scanners would not have been able to recognise the malware.
    Here is what I thought of:

    using checksum software for all the files on the system right after installing and updating, but this is not possible for networks and large organizations.
    Well, there's always the OSS Tripwire available for *nix systems, and there's the (more powerful) commercial Tripwire which runs on Windows as well. As you probably know, it monitors file changes, so if you reviewed it quite often you would catch any malware you'd get. However, Tripwire's more suitable for servers, because on a desktop I think you'll find that quite a lot of files are changed regularly.

    What you could always do is prevent infection in the first place. Having a hardware SPI firewall between your computer and the internet is always a useful addition, as it will stop most of the malware. You've also got to be wary of where you go on the internet, and make sure you don't download any dodgy files/email attachments. Keep your AV up-to-date (although, as you posted above, they aren't always reliable) and also have a software firewall even if you're behind a hardware one (this can be extremely useful if you're in some sort of corporate network or campus - trust me). That's about all I can think of really, as well as updating and running other malware removers regularly.

    But you probably know all that already, so I don't have a solution to your problem. I guess at the current stage in computer development we don't have the software/hardware available to do really thorough scans. If you coded your own virus right now, would you really expect an AV scanner to pick it up just after you've compiled it? Imagine how long it would take to scan and review the (disassembled) code of each and every application - by the time it's finished, you'd probably be a year older and none the wiser.

    Cheers,

    -jk
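The checksum idea from post #1 and the Tripwire approach in the reply above both come down to the same mechanism: hash every file while the system is known-good, store the hashes somewhere the intruder cannot reach, and later re-hash and diff. The following is an added example written for this page (not code from the thread, Tripwire or Osiris) that implements that baseline-and-compare loop in Python. The directory layout, file contents and the "intrusion" it simulates are all constructed for the demonstration; no real malware is involved.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its SHA-256.
    Symlinks are not followed, so a planted link cannot steer the walk elsewhere."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not (Path(dirpath) / d).is_symlink()]
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline. Keep this file (and a hash of it) off the monitored host,
    e.g. on read-only media: a baseline the intruder can rewrite proves nothing."""
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a small fake system tree, then make the kind of
    changes a custom backdoor would make (trojanise a binary, drop a component,
    wipe a log) and diff against the stored baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fs"          # the monitored tree
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "login").write_bytes(b"original login binary (constructed stand-in)\n")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "var" / "log").mkdir(parents=True)
        (root / "var" / "log" / "auth.log").write_bytes(b"login ok user=admin\n")

        # Baseline lives outside the monitored tree on purpose.
        save_baseline(build_baseline(root), Path(tmp) / "baseline.json")

        # Simulated intrusion (all constructed, harmless bytes).
        (root / "bin" / "login").write_bytes(b"original login binary (constructed stand-in)\n"
                                             b"plus an appended backdoor stub (constructed)\n")
        (root / "lib").mkdir()
        (root / "lib" / "libhook.so").write_bytes(b"constructed dropped file\n")
        (root / "var" / "log" / "auth.log").unlink()

        before = load_baseline(Path(tmp) / "baseline.json")
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats a practitioner would add. First, this is only as trustworthy as the tool and the baseline: if the checker, its Python interpreter or the stored hashes sit on the compromised host, the intruder can alter them, which is why the example writes the baseline outside the monitored tree and why the usual advice is to run the check from clean media. Second, it operates through the normal filesystem API, so a kernel rootkit of the kind the thread worries about can hide files or serve the original bytes to the hasher; a diff from this tool finding nothing is evidence, not proof.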

  3. #3
    Greetings,

    Like I said before, I have to thank TS for this thread. Anyway, I had suggested this same solution to him and here is his answer.

    Custom code is always the biggest worry because there is no signature based AV or anything that can find it.

    When you are looking for this stuff you need to look elsewhere... But doing that on a big network can be impossible... You just need to layer the defenses and hope that you can spot the activity in a log somewhere.


    About the zip file: no, it was zipped only, I did not extract it, and compressed file scanning was and is enabled. Anyway, I have just edited my thread with Symantec's response; it took them more than 2 weeks.

    I have to say that the fact that we have to depend on the manufacturer for patches for the OS or other security software, and also for signatures, is something that is coming into the picture here. (I'm by no means bashing any of the manufacturers, I'm just looking for solutions.)

    Let me explain: someone finds an exploit in the OS and he doesn't brag about it, doesn't tell anyone and uses it only when he finds the target system very *interesting*. Now, because the company that produced the OS didn't get any hint, it doesn't produce any patches. What I just said is something that is true, and it's where the *31337* crackers come in. It's not one person but a group of people who will use it, and because even you don't know about it, you can't really protect yourself.

    It is also said that WHAT IS A FEATURE TO ONE PERSON IS AN EXPLOIT TO ANOTHER, but this will not hold true in the above case. So I don't know what to think now (at least something that can be considered a solution)... But I'm thinking...
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

  4. #4
    Senior Member, joined Jul 2004, 548 posts
    Oh ok, I see what you mean. Well, TS is right - you can't protect yourself until the AV developers release a signature for it, someone else distributes a 'home-made' patch, or you yourself find a solution.

    If the cracker chooses not to release his exploit and decides to use it personally, then it's not going to be uncovered until he tries cracking a computer whose admin knows something about log-reading, or until someone else discovers it. C'est la vie?

    I don't think we'll ever be safe from this - unless something like this is included in an OS, and even then we won't be 100% safe from those *31337* crackers.

    If someone has a solution I'd be happy to hear it.

    Cheers,

    -jk

  5. #5
    Osiris is available for cross-platform system monitoring (Tripwire-like). I have it running in WinXP on the laptop. Interesting little utility.

    http://osiris.shmoo.com/download.html

    The compressed file: I've found that scanning of file archives is sketchy at best with any of the tools. I set compressed file scanning to at least three levels. Remember, the malware is often compressed with various tools and often at more than one level. If you then put it in a compressed file... hmm, I may have to review this more. Four or five levels may need to be the basic setting. That would add some extra time to the process, too.
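The point above about archive nesting depth is easy to see in code. What follows is an added example written for this page, not code from the thread or from any of the scanners named in it: a recursive archive scanner that hashes every member, matches it against a set of known-bad SHA-256 values (a deliberately crude stand-in for a vendor signature), and descends into zips-inside-zips only up to a configurable depth, reporting anything deeper as unscanned rather than silently passing it. The sample it scans is constructed in memory: a harmless text payload wrapped in three zip layers, with its hash placed in the bad set so that only a sufficiently deep scan catches it. The size limit and the names are assumptions for the demonstration.

```python
import hashlib
import io
import zipfile

MAX_MEMBER_BYTES = 8 * 1024 * 1024   # refuse to inflate members larger than this (zip-bomb guard)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _open_zip(data: bytes):
    """Return a ZipFile if `data` is a zip archive, else None (treat as a plain file)."""
    try:
        return zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None


def scan_bytes(data, name, bad_hashes, max_depth, depth=0, findings=None):
    """Hash `data` against the known-bad set, then, if it is a zip, recurse into each
    member up to `max_depth` nesting levels. Anything deeper is reported as 'unscanned'
    rather than silently skipped. Returns a list of {"path", "depth", "status"}."""
    if findings is None:
        findings = []
    status = "match" if sha256(data) in bad_hashes else "clean"
    findings.append({"path": name, "depth": depth, "status": status})
    zf = _open_zip(data)
    if zf is None:
        return findings
    with zf:
        if depth >= max_depth:
            findings.append({"path": name + "/*", "depth": depth + 1, "status": "unscanned"})
            return findings
        for info in zf.infolist():
            member = f"{name}/{info.filename}"
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"path": member, "depth": depth + 1, "status": "unscanned"})
                continue
            scan_bytes(zf.read(info), member, bad_hashes, max_depth, depth + 1, findings)
    return findings


# ---- constructed sample: harmless text standing in for a trojan, nested in N zips ----

PAYLOAD = b"constructed stand-in for a trojan sample; harmless text\n"
PAYLOAD_HASH = sha256(PAYLOAD)          # our one-entry "signature database"


def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def build_nested_sample(levels: int) -> bytes:
    """Wrap PAYLOAD in `levels` archives: payload.bin inside level3.zip inside level2.zip ..."""
    blob, name = PAYLOAD, "payload.bin"
    for i in range(levels):
        blob = make_zip({name: blob, "readme.txt": b"nothing to see\n"})
        name = f"level{levels - i}.zip"
    return blob


def detections(max_depth: int, levels: int = 3):
    """Scan the constructed sample at a given depth limit; return (matched, unscanned) paths."""
    findings = scan_bytes(build_nested_sample(levels), "sample.zip", {PAYLOAD_HASH}, max_depth)
    matched = [f["path"] for f in findings if f["status"] == "match"]
    unscanned = [f["path"] for f in findings if f["status"] == "unscanned"]
    return matched, unscanned


if __name__ == "__main__":
    for limit in (2, 3, 5):
        print(limit, detections(limit))
```

With the depth limit at 2 the scanner never reaches payload.bin and only reports the innermost archive as unscanned; at 3 or more it matches. The hash lookup is also a reminder of the thread's main point: flipping one byte of the payload changes its SHA-256 and the "signature" no longer fires, which is exactly why custom code slips past signature-based engines.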

  6. #6
    nihil, Senior Member, joined Jul 2003, United Kingdom: Bridlington, 17,188 posts
    There is some useful stuff here:

    http://www.diamondcs.com.au/index.php?page=products

    The free "RegistryProt" is one layer of defence that I always use.

  7. #7
    I used to stand by Norton/Symantec in full force. After a little bug convinced the Norton software it was either a circus clown or a hypochondriac, I lost a bit of faith in it. But I digress: were the Symbian bugs you had specifically targeting only cell phones, or were they ones that would cross-infect to a PC as well? I guess a printer would count too. The only point I have is, did the definition files contain the sig of the virus that you were testing with? Norton does offer a beta software that is specific for scanning Symbian devices.

  8. #8
    Greetings,

    The Symbian viruses targeted only cell phones (particularly Series 60).

    As for your second question:

    did the definition files contain the sig of the virus that you were testing with
    No, and that's the only reason I've started this thread: just to let users understand the danger of riskware that is custom coded.

    I know most users will know that riskware will only be detected if there is a signature for it, but when there is no signature for it, you will not even know it's there, and this is what I'm afraid of.

    Anyway, the beta version that Symantec offered is now over and you have to buy the retail version. Anyway, I have no problem with Symantec or Microsoft or any other company. But the fact remains: how do you protect yourself from something you don't know exists?
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

  9. #9
    That is something very important to be aware of. Now, as far as I'm concerned, that info leaves a seriously bad mark against Norton; their advisories are misleading. Take SymbOS.Cardtrp.Y: according to Norton's advisory, it was included in the update on February 11. Skipping nasties that it claims it will stop is not something I consider trivial.

  10. #10
    therenegade, Senior Member, joined Apr 2003, 400 posts
    I take it that it wasn't, then? The scenario isn't that great for Symbian presently. With only 20 viruses out for it, maybe 5 of which are potentially very damaging, AV providers aren't very quick to release patches and updates. Most of the crapware I removed from my phone wasn't detected anyway... I had to go in and remove it the good old-fashioned way.

    Cheers
