DigiDraught Posted April 3, 2015 Hello people of Hak5!! I have been researching computer viruses and the human immune system recently and I have built some software that acts like a "digital vaccine," training your antimalware software's heuristics engine to better recognize malware. I would love it if you guys would look at it and give me some feedback. You can find my software on GitHub at https://github.com/alpal23/Digital-Draught. Thanks! -A
digininja Posted April 3, 2015 A couple of exes and no real description of what anything does; you'd have to do a lot more for me to even consider running any of it.
DigiDraught Posted April 9, 2015 Author Thanks for the feedback! I'll probably start on the next version in a few days, so check back soon. -A
DigiDraught Posted April 9, 2015 Author All right! v0.1.1 is now live! I've added the file descriptions to README.md. I've also fixed some code in the two MiniPig files.
cooper Posted April 9, 2015 Okay, looked at the GitHub page. You're distributing viruses. What, specifically, do you expect us to do that would help you in any way?
digininja Posted April 9, 2015 I'm still trying to see the point of the project. It contains a number of slightly modified existing viruses, so what? What are they supposed to be for?
mw3demo Posted April 9, 2015 (edited) I don't understand it either. Basically, he's arguing that this should ping the heuristics of your antivirus, and therefore it should know when the real thing comes along. However, surely they already have signatures for this, and updates to their own heuristic engines. It doesn't make sense, and doesn't smell right. Feels like some elaborate social engineering attempt to get you to download his modified exe, which is probably a virus itself, and he wants to see if it's detected without submitting it to VirusTotal (and therefore to the AV companies). Edited April 9, 2015 by mw3demo
DigiDraught Posted April 9, 2015 Author I apologize for not explaining this better. As mw3demo has pointed out, yes, the AV companies DO already have signatures for these viruses. However, I simply worked with the code I could find. These files are more of a proof of concept than anything else. Eventually, I plan to find some newer viruses, or write them myself, and then transform those into vaccines as well. These were simply a "practice run" on the most readily available virus code at the moment. So, actually, the thing that would be the most helpful would be if you could look at the C code file and let me know if I missed anything dangerous.
DigiDraught Posted April 9, 2015 Author Or if I commented out anything I could have left intact.
digininja Posted April 9, 2015 But what is the actual point? Aren't the heuristics engines built and fixed in place by the AV firms? They don't learn on your machine; they just score a number of different indicators and then make decisions based on that score. By commenting things out and removing sections that are malicious, what you are showing the heuristic engine is a file that doesn't do anything and so legitimately shouldn't be detected. If you really wanted to train something, the way to do it would be to run real malware in a VM and have the AV software then pass the information out to other copies of itself watching from outside the VM. But if you are going to go to that effort, then why not simply submit the malware to an AV company and have them do a proper analysis of it to generate signatures and heuristics that will detect it? You are also asking us to trust that you got the "taming" of the virus right and didn't leave anything bad in. As I said before, I wouldn't trust running an exe that I knew had a good chance of being malicious on my machine.
DigiDraught Posted April 9, 2015 Author OK. I assumed that the heuristics engine learns from your machine. It appears I was mistaken. Thanks!
digip Posted April 10, 2015 Computer viruses and computers are NOT like a human immune system which you can inoculate with vaccinations of dead viruses. They are math driven, ones and zeros, and polymorphic in many ways, which for the most part makes signature-driven detection fairly useless and gives heuristics many false positives. You can, however, mathematically check various samples and data sets of malware to go beyond simple heuristics and in essence stop malware from ever actually being able to run and execute malicious code, if you are looking at it differently. One company actually working on this is Cylance, which has a demo on its site or YouTube channel of how it works, but it is still in development. OpenDNS is also working on something similar, but at the network level, detecting domains that exhibit behaviors known to do malicious things, and to some degree they are able to track in real time attacks as they happen from botnets. They aren't currently stopping the attacks on a wide scale, but are still developing the technology to detect and monitor botnets and such, which will at some point work to stop the majority of attacks across the internet, including DoS and DDoS attacks (in theory), by dropping the data or blacklisting the DNS lookups for these domains, which they can peer into merely via DNS and the types of requests being done.
digininja Posted April 11, 2015 Something else to think about when "taming" these viruses: if you comment out the calls to the bad bits in the source and then compile them, any good compiler will work out that the bad code is never referenced and so will optimize it out. The only way to ensure it is in is to compile it as it should be, then go through the binary and NOP out the calls.
digip Posted April 11, 2015 Something else to think about when "taming" these viruses is that if you comment out the calls to the bad bits in the source then compile them then any good compiler will work out that the bad code is never referenced and so will optimize it out, the only way to ensure it is in is to compile it as it should be then go through the binary and NOP out the calls.

Having to manually NOP out bad code would be like a baseball player trying to perform heart surgery. I imagine the patient would be dead fairly quickly, and your system infected as soon as you tried to hook the executable to your debugger, not to mention some malware can detect when it is in a debugger. You're playing with fire.
digininja Posted April 12, 2015 Exactly. You'd also need to get round any self-checksum code that has been added and any other protections. Basically, don't try this type of thing unless you really know what you are doing.
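The two points digininja makes above (NOP out the call in the compiled binary rather than commenting it out in the source, and then expect a self-checksum to trip) in working code, as an added example that is not from the thread or from the Digital-Draught project. It operates on a hand-assembled byte string constructed for the example, not a real executable: the x86 `call rel32` encoding (opcode 0xE8 followed by a signed 32-bit displacement relative to the next instruction) is real, but the image layout, the "bad routine" bytes and the CRC32-at-offset-0 self-check scheme are assumptions made for illustration.

```python
"""Patching a call out of a compiled image without losing the callee's bytes.

Constructed toy image (not output of any compiler):
    0x00-0x03  stored CRC32 of the body (hypothetical self-check value)
    0x04-0x1F  a main routine that does `call bad_routine`
    0x20-0x3F  bad_routine (code that must stay in the file but never run)
"""
import struct
import zlib

CALL_REL32 = 0xE8
NOP = 0x90
BODY_START = 4               # body begins right after the stored checksum
BAD_ROUTINE_OFFSET = 0x20
IMAGE_SIZE = 0x40

# push rbp; mov rbp,rsp; mov eax,1; pop rbp; ret  (constructed callee)
BAD_ROUTINE = bytes.fromhex("554889e5b8010000005dc3")


def encode_call(call_offset: int, target: int) -> bytes:
    """Encode `call target` as it would sit at call_offset (E8 + rel32)."""
    return bytes([CALL_REL32]) + struct.pack("<i", target - (call_offset + 5))


def build_sample_image() -> bytearray:
    """Assemble the constructed image by hand and stamp its checksum."""
    image = bytearray(b"\xcc" * IMAGE_SIZE)                        # int3 padding
    image[BODY_START:BODY_START + 4] = bytes.fromhex("554889e5")   # push rbp; mov rbp,rsp
    call_at = BODY_START + 4
    image[call_at:call_at + 5] = encode_call(call_at, BAD_ROUTINE_OFFSET)
    image[call_at + 5:call_at + 9] = bytes.fromhex("31c05dc3")     # xor eax,eax; pop rbp; ret
    image[BAD_ROUTINE_OFFSET:BAD_ROUTINE_OFFSET + len(BAD_ROUTINE)] = BAD_ROUTINE
    return fix_checksum(image)


def call_target(image: bytes, offset: int) -> int:
    """Resolve the absolute target of the E8 rel32 call at offset, or raise."""
    if image[offset] != CALL_REL32:
        raise ValueError(f"no call rel32 at {offset:#x}: opcode {image[offset]:#x}")
    rel = struct.unpack_from("<i", image, offset + 1)[0]
    return offset + 5 + rel


def find_calls_to(image: bytes, target: int) -> list:
    """Linear scan for E8 rel32 calls that resolve to target.

    Caveat: a byte-level scan cannot tell code from data, so on a real
    binary a disassembler should confirm every hit before it is patched.
    """
    hits = []
    for off in range(BODY_START, len(image) - 4):
        if image[off] == CALL_REL32 and call_target(image, off) == target:
            hits.append(off)
    return hits


def nop_out_call(image: bytes, offset: int, expected_target: int) -> bytearray:
    """Return a copy with the call at offset replaced by five one-byte NOPs.

    The bytes must really be a call and must really go to expected_target,
    so a wrong offset fails loudly instead of silently corrupting a neighbour.
    """
    actual = call_target(image, offset)
    if actual != expected_target:
        raise ValueError(f"call at {offset:#x} goes to {actual:#x}, not {expected_target:#x}")
    patched = bytearray(image)
    patched[offset:offset + 5] = bytes([NOP] * 5)
    return patched


def self_check_passes(image: bytes) -> bool:
    """Emulate the image's own integrity check: stored CRC32 vs body CRC32."""
    stored = struct.unpack_from("<I", image, 0)[0]
    return stored == zlib.crc32(bytes(image[BODY_START:]))


def fix_checksum(image: bytes) -> bytearray:
    """Rewrite the stored CRC32 so a patched image passes its own check again."""
    fixed = bytearray(image)
    struct.pack_into("<I", fixed, 0, zlib.crc32(bytes(fixed[BODY_START:])))
    return fixed


if __name__ == "__main__":
    img = build_sample_image()
    [call_at] = find_calls_to(img, BAD_ROUTINE_OFFSET)
    patched = nop_out_call(img, call_at, BAD_ROUTINE_OFFSET)
    print("bad routine still present:", patched[BAD_ROUTINE_OFFSET:BAD_ROUTINE_OFFSET + 11] == BAD_ROUTINE)
    print("self-check after NOP patch:", self_check_passes(patched))
    print("self-check after fixing the stored CRC:", self_check_passes(fix_checksum(patched)))
```

After the patch the callee's bytes are still in the image, which is the whole point of patching the binary rather than the source, but the stored checksum no longer matches, which is the protection digininja warns about. Here the check is a trivial CRC that can be recomputed; real self-checks may be spread through the code, computed at runtime, or tied to anti-debugging, and none of this should be done outside an isolated VM.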