Skorpinok Rover, posted August 18, 2013:
Hi, this one is very funny... it's called shitvirus. http://www.youtube.com/watch?v=0D-Ygt-uSzM&feature=youtu.be
digip, posted August 18, 2013:
On a more serious note, anti-virus is pretty much dead. I use a few sites for scanning files, but still, most of the time, if it's something I am not sure of, I either run it in an isolated VM or sandbox the program and remove it when done.

Sites you can use to scan files or see what a program changes on an OS when run:
http://anubis.iseclab.org/
http://virusscan.jotti.org/en
https://www.virustotal.com/en/
http://mwanalysis.org/?site=1&page=submit

Tools you can use (Windows based only, which should all be done in a sandbox or VM):
PEiD, although finding it may be hard since it seems development and the site are no longer the same as the original tool.
UniExtract, for unpacking binaries to pull out the real file for uploading to virus scanners or inspecting installers and other binaries that pass virus scanners. UniExtract is a great tool.
ResHacker (Resource Hacker), which I think is also no longer developed or maintained, but if you can find a copy it's nice for just looking at basic things inside files like comments and sometimes hidden dialog boxes which might be part of a RAT tool and rogue programs. Not a debugger, but it can read info that may be useful in inspecting Windows files.
Sandboxie (although I would still use this one in a VM as well; it has the potential to allow users to execute and break out of the sandbox if not familiar with the tool, but it's good for seeing what files a program creates, calls, changes, etc.)

For hardcore people a debugger in a sandbox or VM could be used, but I'm not the kind of person who understands assembly and low-level stuff like that, so I like to just use VMs and sandboxes to let malware run and then compare changes afterwards and wipe or revert my sandbox and VMs.

Also, Process Monitor attached to a VM while using Wireshark to run malware in a VM and capture the traffic of rogue programs to see where they call home is nice, since malware writers often send everything in the clear or call file downloads from plain FTP sites. It won't help if the traffic is encrypted or over SSH tunnels, but there is plenty of malware out there that doesn't even worry about such things; fake antivirus scanners, scareware and ransomware most often send initial requests for downloads in the clear, and even if encrypted, you can see the IP of the sites or servers they call to unless it's sent over the Tor network or P2P.

You can also use regedit and Notepad++ (or other text comparison tools): export the entire registry as a text file using regedit, or just specific trees of the registry, install a program, then export another copy of the registry and do a comparison of the two in Notepad++ to see what the program changed in the registry (doesn't help if the program only changed files on disk or, say, installed a rootkit, boot virus, etc.). This is also one of the reasons I like Anubis, since it can show you what changes it makes to a system without having to run it on your home network.
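The before/after registry comparison described in the post above, as an added example that is not code from anyone in the thread: a small Python script that parses two regedit exports, lists the keys and values that were added, removed or modified, and flags anything new under a Run/RunOnce key. BEFORE and AFTER are constructed sample exports; the ExampleCorp keys and the "SvcHost Update" entry in them are made up for illustration and are not tied to any real program. Real exports are UTF-16LE text, so read them with open(path, encoding="utf-16") before passing them to parse_reg.

```python
"""Diff two regedit .reg exports to see what a program changed.

Added example, not code from the thread. BEFORE and AFTER below are
constructed sample exports; the key and value names in them are made up.
"""
from typing import Dict, Iterator, List, Optional, Tuple

RegTree = Dict[str, Dict[str, str]]                 # key path -> {value name -> raw data}
Change = Tuple[str, Optional[str], Optional[str]]   # (value name, old data, new data)

AUTORUN_SUFFIXES = (r"\Run", r"\RunOnce", r"\RunServices")


def _logical_lines(text: str) -> Iterator[str]:
    """Yield lines with regedit's trailing-backslash continuations (long hex data) joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg(text: str) -> RegTree:
    """Parse a .reg export into {key: {name: data}}.

    Data is kept as the raw right-hand side ("string", dword:..., hex:...);
    an exact string comparison is all the diff needs, so nothing is decoded.
    """
    tree: RegTree = {}
    current: Optional[str] = None
    for line in _logical_lines(text):
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})           # a key with no values still counts
            continue
        if current is None:
            raise ValueError(f"value line before any [key]: {line!r}")
        if line.startswith("@="):                  # the key's (Default) value
            tree[current]["(Default)"] = line[2:]
            continue
        # Value names are quoted; split at the closing quote so that a name
        # containing '=' does not confuse the parser.
        end = line.find('"=', 1)
        if not line.startswith('"') or end == -1:
            raise ValueError(f"unrecognised value line: {line!r}")
        tree[current][line[1:end]] = line[end + 2:]
    return tree


def diff_reg(before: RegTree, after: RegTree) -> dict:
    """Return added keys, removed keys, and per-key value changes (old/new data)."""
    changed: Dict[str, List[Change]] = {}
    for key in sorted(before.keys() & after.keys()):
        for name in sorted(before[key].keys() | after[key].keys()):
            old, new = before[key].get(name), after[key].get(name)
            if old != new:
                changed.setdefault(key, []).append((name, old, new))
    return {
        "added_keys": sorted(after.keys() - before.keys()),
        "removed_keys": sorted(before.keys() - after.keys()),
        "changed_values": changed,
    }


def new_autoruns(before: RegTree, after: RegTree) -> List[Tuple[str, str, str]]:
    """Values that appeared under a Run/RunOnce key: the first place to look for persistence."""
    hits = []
    for key, values in after.items():
        if key.endswith(AUTORUN_SUFFIXES):
            for name, data in values.items():
                if name not in before.get(key, {}):
                    hits.append((key, name, data))
    return sorted(hits)


# Constructed sample exports (not real captures). AFTER adds an autorun entry,
# flips HideFileExt back on, drops a key and adds a key with multi-line hex data.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000000

[HKEY_CURRENT_USER\Software\ExampleCorp\Trial]
@="expired"
'''

AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SvcHost Update"="C:\\Users\\user\\AppData\\Roaming\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001

[HKEY_CURRENT_USER\Software\ExampleCorp\Agent]
"Config"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11,12,13,14,15,\
  16,17,18,19,1a
'''

if __name__ == "__main__":
    b, a = parse_reg(BEFORE), parse_reg(AFTER)
    d = diff_reg(b, a)
    for k in d["added_keys"]:
        print("+ key", k)
    for k in d["removed_keys"]:
        print("- key", k)
    for k, changes in d["changed_values"].items():
        for name, old, new in changes:
            print("~", k, name, old, "->", new)
    for k, name, data in new_autoruns(b, a):
        print("!! new autorun:", k, name, data)
```

Run it against two real exports by replacing BEFORE and AFTER with the decoded file contents. Exporting only the subtrees you care about (HKCU\Software and HKLM\Software for persistence, HKLM\SYSTEM\CurrentControlSet\Services for drivers and services) keeps the noise from Windows' own background churn manageable, and, as the post notes, file-system and boot-sector changes need a separate check such as Process Monitor.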
Skorpinok Rover (author), posted August 18, 2013:
Thanks digip for the info, you're right, antivirus is dead. I have Norton installed on my Windows 7, but I rarely use Windows, sometimes only for torrents for movies; the rest of my time I spend with Kali Linux, which I made a direct HDD install of alongside Win7, or testing new Linux live CD distros. Testing in a sandbox or isolated VM like you said is the best idea.
logicalconfusion, posted August 19, 2013:
@digip: "On a more serious note, Anti-virus is pretty much dead."
Great info, but I don't think we'll see Norton AV disappear. Most enterprise users rely on utilities such as Norton, Panda, and McAfee when they're not connected through a VPN that's audited in real time by a network admin. The utilities you listed are good for monitoring and inspecting Windows applications, and VMs can be used to beta-test suspicious files. Most torrent apps are loaded with malicious code, so forget trying to debug or distribute to friends. You never know what's really embedded in a virus. I remember the days when it was possible to embed executable code in .doc files to trick AV apps. AV apps are developed to detect KNOWN viruses and malicious activity. It's really just another layer of security. What happens if the virus is smart enough to hack itself outside a VM that's inside a VM that's inside another VM......