Detection within Installation files

Art

Well, the saddening thing is the declaration that the authors of what's on
offer from the site have given their consent for the site to wrap their
hard work with adware and trojans ... I feel confident that those
authors have not consented to this form of action from those involved.
Good luck with contacting the site. I did try via the link provided but
as of yet have received no response, even more annoying after their pp
states

I sent an email to the site owner last night. We shall see.
I will drop the subject here as it may pull off topic.

Not off topic at all. Here's a paste of the response I received from
Kaspersky Labs concerning the possibility of false positives on the
EXE files on the main page of the subject web site:

***********************************************
Hello. We have rechecked file detected as
Trojan-Downloader.Win32.Small.bke. It is actually downloader. It
downloads another adware without warning. We decided not to move it to
extended bases. Thank you for your help. Two other files detected as
adwares are actually adwares.


-----------------
Regards, Alexey Malanov
Virus Analyst, Kaspersky Lab.

Ph.: +7(095) 797-8700
E-mail: (e-mail address removed)
http://www.kaspersky.com http://www.viruslist.com

************************************************
So while the EXE files do contain a downloader Trojan it doesn't
sound like a nasty dude :) In fact, Alexey seems to be implying
that there was/is actually some consternation there at Kaspersky
as to whether or not to include the downloader Trojan in their
"regular" def files or just include it in their "extra" defs. I guess
their reasoning .... and where they draw the line ... is at the
point where if some code downloads something or other, even
as "harmless" as just more Adware, they will tend to classify it
as a Trojan and include it in their regular defs.

This has been an interesting example for me, and I'm really glad
you pointed it out. Some people may view alerting on such files
as "much ado about nothing" since they do nothing really harmful
to the user or his PC. Apparently, not even "spyware" is involved.
Yet, personally, I like scanners that supply me with information,
or at least a clue, as to what to expect before I install some
application.

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc
 
tpwuk

Art said:
I sent an email to the site owner last night. We shall see.




Not off topic at all. Here's a paste of the response I received from
Kaspersky Labs concerning the possibility of false positives on the
EXE files on the main page of the subject web site:

***********************************************
Hello. We have rechecked file detected as
Trojan-Downloader.Win32.Small.bke. It is actually downloader. It
downloads another adware without warning. We decided not to move it to
extended bases. Thank you for your help. Two other files detected as
adwares are actually adwares.


-----------------
Regards, Alexey Malanov
Virus Analyst, Kaspersky Lab.

Ph.: +7(095) 797-8700
E-mail: (e-mail address removed)
http://www.kaspersky.com http://www.viruslist.com

************************************************
So while the EXE files do contain a downloader Trojan it doesn't
sound like a nasty dude :) In fact, Alexey seems to be implying
that there was/is actually some consternation there at Kaspersky
as to whether or not to include the downloader Trojan in their
"regular" def files or just include it in their "extra" defs. I guess
their reasoning .... and where they draw the line ... is at the
point where if some code downloads something or other, even
as "harmless" as just more Adware, they will tend to classify it
as a Trojan and include it in their regular defs.

This has been an interesting example for me, and I'm really glad
you pointed it out. Some people may view alerting on such files
as "much ado about nothing" since they do nothing really harmful
to the user or his PC. Apparently, not even "spyware" is involved.
Yet, personally, I like scanners that supply me with information,
or at least a clue, as to what to expect before I install some
application.

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc

Yes, it's been a very informative thread, this one. Scary in places: the
idea that a wrapper, in this case an installation routine, could be used to
inject whatever the developer/attacker decides without any reliable
intervention is a bleak prospect indeed. It doesn't take much imagination
as to what kind of damage could be inflicted upon the uninitiated.

TpwUK
 
David H. Lipman

From: "tpwuk" <[email protected]>

|
| Yes, it's been a very informative thread, this one. Scary in places: the
| idea that a wrapper, in this case an installation routine, could be used to
| inject whatever the developer/attacker decides without any reliable
| intervention is a bleak prospect indeed. It doesn't take much imagination
| as to what kind of damage could be inflicted upon the uninitiated.
|
| TpwUK

The statement --
"...installation routine could be used to inject whatever the developer/attacker decides
without any reliable intervention..."
is not true. As the installer extracts the files from within the archives, they will be
scanned by the "On Access" scanner as they are written to the hard disk and prior to being
installed into the OS. So as long as there are signatures for the given infectors, there is
intervention.

It just would be *better* to know if an installation package has embedded infectors prior to
one actually running it.
 
tpwuk

David said:
From: "tpwuk" <[email protected]>

|
| Yes, it's been a very informative thread, this one. Scary in places: the
| idea that a wrapper, in this case an installation routine, could be used to
| inject whatever the developer/attacker decides without any reliable
| intervention is a bleak prospect indeed. It doesn't take much imagination
| as to what kind of damage could be inflicted upon the uninitiated.
|
| TpwUK

The statement --
"...installation routine could be used to inject whatever the developer/attacker decides
without any reliable intervention..."
is not true. As the installer extracts the files from within the archives, they will be
scanned by the "On Access" scanner as they are written to the hard disk and prior to being
installed into the OS. So as long as there are signatures for the given infectors, there is
intervention.

Sorry David, now that I have read that back it does sound wrong ... my
apologies... :¬)
It just would be *better* to know if an installation package has embedded infectors prior to
one actually running it.

Now that's the statement I should have used.
 
Art

Is this better or equivalent to a continually updated free Escan?

The current free eScan doesn't offer a clean/delete capability. KASFX
uses an older version which did. Also, KASFX includes a batch file ftp
updater which runs automatically when the SFX is extracted. So it
can be used repeatedly without having to d/l the large eScan files
whenever you want to use it. For repeated use, the two active files
are mwavscan.com and kav-up.bat to update.

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc
 
David H. Lipman

|
| Sorry David, now that I have read that back it does sound wrong ... my
| apologies... :¬)
|| Now that's the statement I should have used

Don't worry. Now that I read back what I replied with I am embarrassed by my spelling and
other mistakes ;-)
 
David H. Lipman

From: "Bill Clark" <[email protected]>

| Art wrote:
||
| Is this better or equivalent to a continually updated free Escan?
|
| --
| -bc-

Do you mean the online Browser dependent scanner ?

:)
 
Bill Clark

Art said:
The current free eScan doesn't offer a clean/delete capability. KASFX
uses an older version which did. Also, KASFX includes a batch file ftp
updater which runs automatically when the SFX is extracted. So it
can be used repeatedly without having to d/l the large eScan files
whenever you want to use it. For repeated use, the two active files
are mwavscan.com and kav-up.bat to update.

Perhaps I'm confused (Windows is not my first language <g>) or being
unclear... A while back I followed your directions which gave me a version
of Escan with mwavscan and an update bat in c\kapersky... Is this the same
thing as KASFX?

TIA!
 
Art

Perhaps I'm confused (Windows is not my first language <g>) or being
unclear... A while back I followed your directions which gave me a version
of Escan with mwavscan and an update bat in c\kapersky... Is this the same
thing as KASFX?

Ok, I misinterpreted your question. I thought you were wondering what
the difference is between KASFX and the free _current_ eScan
available from MicroWorld.

So far as I recall about my earlier directions, they do amount to the
same thing as KASFX ... except maybe for the name of the updating
batch file. You may have update.bat whereas it's kav-up.bat ... but
they're the same.

Does that answer your question?

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc
 
John S.

David H. Lipman said:
The statement --
"...installation routine could be used to inject whatever the developer/attacker decides
without any reliable intervention..."
is not true. As the installer extracts the files from within the archives, they will be
scanned by the "On Access" scanner as they are written to the hard disk and prior to being
installed into the OS. So as long as there are signatures for the given infectors, there is
intervention.

As a non-expert and "average" sort of user, this notion leaves me
with a problem.

"Standard" advice normally displayed on screen when installing
software is to shut down any other applications which are
running, prior to going ahead with the installation.

I have read that anti-virus software can interfere with the
installation process, and cause a corrupted installation - so
should be shut down before doing an installation.

Looks like a Catch 22 situation?

In any event, someone like Art (who doesn't normally have
background anti-virus scanner running)? would maybe not pick up
the presence of malware during the installation process, but
would have to hope that it would be detected afterwards (if the
malware hasn't disabled his anti-virus software during
installation)?

All the more powerful reason why AV software should be designed
to detect within archives and installation files.

cheers,

John S
 
David H. Lipman

From: "John S." <[email protected]>


| As a non-expert and "average" sort of user, this notion leaves me
| with a problem.
|
| "Standard" advice normally displayed on screen when installing
| software is to shut down any other applications which are
| running, prior to going ahead with the installation.
|
| I have read that anti-virus software can interfere with the
| installation process, and cause a corrupted installation - so
| should be shut down before doing an installation.
|
| Looks like a Catch 22 situation?
|
| In any event, someone like Art (who doesn't normally have
| background anti-virus scanner running)? would maybe not pick up
| the presence of malware during the installation process, but
| would have to hope that it would be detected afterwards (if the
| malware hasn't disabled his anti-virus software during
| installation)?
|
| All the more powerful reason why AV software should be designed
| to detect within archives and installation files.
|
| cheers,
|
| John S

John:

That is a fair and valid point !

The question is WHERE or from WHOM the installation package comes. Is it a trustworthy
site or corporation or is it a freebie download?

If I download the WinXP SP2 administrative EXE install file I would disable the AV scanner prior
to its installation. However, if I download a simple program or if I install a program from
CD such as Office 2000, I will not turn off the AV scanner.

There will have to be a judgment call made if one is to really disable the AV scanner. 98%
of the time I would say ignore the warning to disable an AV scanner. In that 2% where you do,
you should TRUST the source. This thread is concerned with installation packages from
un-trusted sources.
 
Art

As a non-expert and "average" sort of user, this notion leaves me
with a problem.

"Standard" advice normally displayed on screen when installing
software is to shut down any other applications which are
running, prior to going ahead with the installation.

I have read that anti-virus software can interfere with the
installation process, and cause a corrupted installation - so
should be shut down before doing an installation.

This sometimes happens. Here's an example of Microsoft recommending
the disabling of antivirus during an installation:

http://support.microsoft.com/default.aspx?scid=kb;[LN];Q329388

I Googled up other such specific examples ... one connected with Adobe, etc.

Looks like a Catch 22 situation?

In any event, someone like Art (who doesn't normally have
background anti-virus scanner running)? would maybe not pick up
the presence of malware during the installation process, but
would have to hope that it would be detected afterwards (if the
malware hasn't disabled his anti-virus software during
installation)?

All the more powerful reason why AV software should be designed
to detect within archives and installation files.

Exactly. It _is_ very important, and it's unfortunate that most av
vendors either don't have the capability or have a very mediocre
to very poor capability.

Art

http://home.epix.net/~artnpeg
Free antivirus:
http://www.ik-cs.com/programs/virtools/KASFX.EXE
http://www.claymania.com/KASFX.EXE
http://tinyurl.com/azzkc
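The two positions in this thread, David's (the on-access scanner catches members as the installer writes them to disk) and John's and Art's (better to look inside the archive before running it at all), can be shown side by side with a small pre-install inspector. The script below is an added example, not code from any poster, from Kaspersky, or from the KASFX/eScan tools discussed; it treats a ZIP-based installer package as the archive, walks every member in memory (descending into nested archives, the "wrapper inside a wrapper" case), hashes each one and compares it against a blocklist, so nothing is written to disk or executed first. The blocklist hashes, the sample package and its member names are all constructed for the demonstration; a real scanner would use a vendor signature feed rather than a handful of SHA-256 values. The depth and size limits are the checks a practitioner would want, because a package can nest archives indefinitely or declare a small member that decompresses to something enormous.

```python
"""Pre-install inspection of a ZIP-based installer package (added example).

Every member is hashed in memory and checked against a blocklist before
anything is extracted to disk, which is the 'detect within archives and
installation files' capability the thread asks for.  Nested archives are
descended into, with guards against excessive nesting and decompression
bombs.  All hashes and sample files here are constructed for the demo.
"""
import hashlib
import io
import zipfile

MAX_DEPTH = 4                        # refuse to descend past this nesting level
MAX_MEMBER_BYTES = 1 * 1024 * 1024   # refuse members larger than this once inflated

# Constructed stand-in for a "silent downloader" member; its hash is the
# only signature in the demo blocklist.  Assumption: a real feed supplies these.
BAD_PAYLOAD = b"CONSTRUCTED-SAMPLE: placeholder bytes standing in for a downloader stub"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_package(blob: bytes, blocklist: set, path: str = "<root>", depth: int = 0) -> list:
    """Return one finding dict per member: path, status (clean/blocked/skipped), details."""
    if depth > MAX_DEPTH:
        return [{"path": path, "status": "skipped", "reason": "nesting too deep"}]
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [{"path": path, "status": "skipped", "reason": "not a zip archive"}]

    findings = []
    with zf:
        for info in zf.infolist():
            member_path = f"{path}/{info.filename}"
            if info.is_dir():
                continue
            # Read at most MAX_MEMBER_BYTES + 1 so a lying size header cannot
            # make us inflate a decompression bomb fully into memory.
            with zf.open(info) as fh:
                data = fh.read(MAX_MEMBER_BYTES + 1)
            if len(data) > MAX_MEMBER_BYTES:
                findings.append({"path": member_path, "status": "skipped", "reason": "oversized member"})
                continue
            digest = sha256(data)
            if digest in blocklist:
                findings.append({"path": member_path, "status": "blocked", "sha256": digest})
            elif zipfile.is_zipfile(io.BytesIO(data)):
                # A member that is itself an archive: inspect its contents too.
                findings.extend(inspect_package(data, blocklist, member_path, depth + 1))
            else:
                findings.append({"path": member_path, "status": "clean", "sha256": digest})
    return findings


def verdict(findings: list) -> str:
    """'blocked' if any member matched, 'review' if something could not be inspected, else 'clean'."""
    statuses = {f["status"] for f in findings}
    if "blocked" in statuses:
        return "blocked"
    if "skipped" in statuses:
        return "review"
    return "clean"


def build_sample_package(include_oversized: bool = False) -> tuple:
    """Construct a demo installer: two benign members plus a nested bundle.zip
    that carries the blocklisted payload.  Returns (package_bytes, blocklist)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("adware_dl.bin", BAD_PAYLOAD)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("setup.exe", b"CONSTRUCTED-SAMPLE: benign setup stub")
        z.writestr("readme.txt", b"Thank you for downloading.")
        z.writestr("bundle.zip", inner.getvalue())
        if include_oversized:
            # Highly compressible member that inflates past the size guard.
            z.writestr("filler.dat", b"\0" * (MAX_MEMBER_BYTES + 4096))
    return outer.getvalue(), {sha256(BAD_PAYLOAD)}


if __name__ == "__main__":
    package, blocklist = build_sample_package()
    for f in inspect_package(package, blocklist):
        print(f)
    print("verdict:", verdict(inspect_package(package, blocklist)))
```

The point of hashing inside the archive rather than after extraction is ordering: the on-access path David describes only sees a member once the installer has chosen to write it, whereas this pass sees every member, including ones the installer might write later or under a different name. The same limits apply either way: a signature-based check only catches what is in the blocklist, so an unmatched member is reported as clean by hash, not proven harmless.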
 