Hexed Virus/Malware/Spyware/etc - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 16 of 16

Thread: Hexed Virus/Malware/Spyware/etc

  1. #11
    Member e><ius's Avatar
    Join Date
    Mar 2007
    Location
    So.Cal.
    Posts
    61
    Quote Originally Posted by zencoder
    This concept is also called "Packing", as in, packing the executable down into a smaller size, thus changing the signature
    What joo packin? "I'm packing HEAT!"

    Quote Originally Posted by nihil
    Finally there are antivirus products that use an internal "sandbox" to open and examine files in. This is actually a rather old concept.
    that was what i was refering to. what does this "sandbox" consist of? a folder? a directory? an image? if i were in my sandbox, i'd eventually wanna play 4-square or kickball.

  2. #12
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Yes, that is the origin of the term. A sandbox was a safe play area for small children.

    AVs use a folder to open items in and observe their attempted behaviour. As this is a restricted environment it is comparatively safe.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #13
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    however there have been examples of code that can break out of sandboxes, notably an exploit in java that would give a website arbitrary code access to the entire PC. I can't recall the specifics any more, my memory sucks.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

  4. #14
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,053
    FYI If you only hex something like a virus it will still be picked up by a virus scanner and picked up as the same virus. I have tried this. The only time it would bypass a malware or virus check is if the engine you are running only scans for files with certian crc's or md5's. I do not think there are any engines that rely on checksums like this today- at least I hope not haha.

    Edit: Oh even packing an executable usually does not help because scanners have the ability to unpack most common types of packers. However, there are a few that cannot be unpacked - usually ones that are "private" and developed by "underground" groups. However if it is already in memory it is virtually unpacked then executed so a memory scanner would catch them.
    Last edited by oofki; May 9th, 2007 at 12:13 PM.

  5. #15
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Yes, in the old days viruses were written by people who generally had some idea, and were, perversely, quite jealous of their achievements.

    Then skiddies started taking pre-existing code and modifying it, a process which generally involved some form of obfuscation, as they never really knew which strings were already detected.

    I agree with oofki that these days, the virus is still most likely to be detected if it is merely obfuscated. Depending on how your AV decides to report things it may be called something like "XYZ generic" which indicates that minor modification/obfuscation of the original code has taken place.

    As for the custom packing, I believe that some AVs will warn you of files that they cannot unpack or decompress? Just as they will also warn you of files they cannot scan because they are in use.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #16
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,053
    I actually tried to hex a trojan before like subseven just to see if it was caught or not. And it still was picked up as the same subseven trojan. That is because they are virus "patterns" the pattern of the actual program is the same because it is still essentially executing the same commands.

    And yes Nihil I think you are right about custom packing. This happens with password protected zip files all the time. It could at least lead you to suspicion.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides