Jump to content

Protecting Your PC Against Malware


DigiDraught

Recommended Posts

Hello people of Hak5!! I have been researching computer viruses and the human immune system recently and I have built some software that act like a "digital vaccine," training your antimalware software's heuristics engine to better recognize malware. I would love it if you guys would look at it and give me some feedback. You can find my software on GitHub at https://github.com/alpal23/Digital-Draught.

Thanks!

-A

Link to comment
Share on other sites

Okay, looked at the github page. You're distributing virusses. What, specifically, do you expect us to do that would help you in any way?

Link to comment
Share on other sites

I don't understand it either. Basically, he's arguing that this should ping the heuristic of your antivirus, and therefore it should know when the real thing comes along. However, surely they already have signatures for this, and updates to their own heuristic engines. It doesn't make sense, and doesn't smell right.

Feels like some elaborate social engineering attempt to download his modified exe, which is probably a virus itself and he wants to see if it's detected without submitting to virustotal (and therefore to the AV companies)

Edited by mw3demo
Link to comment
Share on other sites

I apologize for not explaining this better. As mw3demo has pointed out, yes the AV companies DO already have signatures for these viruses. However, I simply worked with the code I could find. These files are more of a proof of concept than anything else. Eventually, I plan to find some newer viruses, or write them myself, and then transform those into vaccines as well. These were simply a "practice run" on the most readily available virus code at the moment. So, actually, the thing that would be the most helpful would be if you could look at the C code file and let me know if I missed anything dangerous.

Link to comment
Share on other sites

But what is the actual point? Aren't the heuristics engines built and fixed in place by the AV firms? They don't learn on your machine they just score a number of different indicators and then make decisions based on that score.

By commenting things out and removing sections that are malicious then what you are showing the heuristic engine is a file that doesn't do anything and so legitimately shouldn't be detected, if you really wanted to train something then the way to do it would be to run real malware in a VM and have the AV software then pass the information out to others copies of itself watching from outside the VM but if you are going to go to that effort then why not simply submit the malware to an AV company and have them do a proper analysis of it to generate signatures and heuristics that will detect it?

You are also asking us to trust that you got the "taming" of the virus right and didn't leave anything bad in, as I said before, I wouldn't trust running an exe that I knew had a good chance of being malicious on my machine.

Link to comment
Share on other sites

Computer viruses and computers are NOT like a human immune system in which you can inoculate against with vaccinations of dead viruses. They are math driven, ones and zeros and polymorphic in many ways which for the most part make signature driven detection fairly useless and heuristics many false positives.

You can however mathematically check various samples and data sets of malware to go beyond simple heuristics and in essence stop malware from ever actually being able to run and execute malicious code if you are looking at it differently. One company actually working on this, is Cylance, which has a demo on the site or youtube channel of how it works but is still in development.

OpenDNS is also working on something similar, but at the network level, detecting domains that exhibit behaviors known to do malicious things and to some degree, they are able to track in real time attacks as they happen from botnets. They aren't currently stopping the attacks on a wide scale, but still developing the technology to detect and monitor botnets and such, which will at some point work to stop the majority of attacks across the internet including DoS and DDoS attacks(in theory) by dropping the data or blacklisting the DNS lookups for these domains, for which they can peer into merely via DNS and the types of requests being done.

Link to comment
Share on other sites

Something else to think about when "taming" these viruses is that if you comment out the calls to the bad bits in the source then compile them then any good compiler will work out that the bad code is never referenced and so will optimize it out, the only way to ensure it is in is to compile it as it should be then go through the binary and NOP out the calls.

Link to comment
Share on other sites

Something else to think about when "taming" these viruses is that if you comment out the calls to the bad bits in the source then compile them then any good compiler will work out that the bad code is never referenced and so will optimize it out, the only way to ensure it is in is to compile it as it should be then go through the binary and NOP out the calls.

Having to manually NOP out bad code would be like a baseball player trying to perform heart surgery. I imaging the patient would be dead fairly quikly, and your system, infected soon as you tried to hook the executable to your debugger, not to mention some malware can detect when in a debugger, you're playing with fire.
Link to comment
Share on other sites

Exactly.

You'd also need to get round any self-checksum code that has been added and any other protections.

Basically, don't try this type of thing unless you really know what you are doing.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...