May 8th, 2007, 07:58 PM
What joo packin? "I'm packing HEAT!"
Originally Posted by zencoder
that was what i was refering to. what does this "sandbox" consist of? a folder? a directory? an image? if i were in my sandbox, i'd eventually wanna play 4-square or kickball.
Originally Posted by nihil
May 8th, 2007, 08:58 PM
Yes, that is the origin of the term. A sandbox was a safe play area for small children.
AVs use a folder to open items in and observe their attempted behaviour. As this is a restricted environment it is comparatively safe.
May 9th, 2007, 12:47 PM
however there have been examples of code that can break out of sandboxes, notably an exploit in java that would give a website arbitrary code access to the entire PC. I can't recall the specifics any more, my memory sucks.
If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.
May 9th, 2007, 01:09 PM
FYI If you only hex something like a virus it will still be picked up by a virus scanner and picked up as the same virus. I have tried this. The only time it would bypass a malware or virus check is if the engine you are running only scans for files with certian crc's or md5's. I do not think there are any engines that rely on checksums like this today- at least I hope not haha.
Edit: Oh even packing an executable usually does not help because scanners have the ability to unpack most common types of packers. However, there are a few that cannot be unpacked - usually ones that are "private" and developed by "underground" groups. However if it is already in memory it is virtually unpacked then executed so a memory scanner would catch them.
Last edited by oofki; May 9th, 2007 at 01:13 PM.
May 9th, 2007, 01:37 PM
Yes, in the old days viruses were written by people who generally had some idea, and were, perversely, quite jealous of their achievements.
Then skiddies started taking pre-existing code and modifying it, a process which generally involved some form of obfuscation, as they never really knew which strings were already detected.
I agree with oofki that these days, the virus is still most likely to be detected if it is merely obfuscated. Depending on how your AV decides to report things it may be called something like "XYZ generic" which indicates that minor modification/obfuscation of the original code has taken place.
As for the custom packing, I believe that some AVs will warn you of files that they cannot unpack or decompress? Just as they will also warn you of files they cannot scan because they are in use.
May 9th, 2007, 05:59 PM
I actually tried to hex a trojan before like subseven just to see if it was caught or not. And it still was picked up as the same subseven trojan. That is because they are virus "patterns" the pattern of the actual program is the same because it is still essentially executing the same commands.
And yes Nihil I think you are right about custom packing. This happens with password protected zip files all the time. It could at least lead you to suspicion.