Malwarebytes site no longer accepts donations

Dustin

Yes. However it can't "disinfect" a file that has code injected
into it, and it won't do anything about boot sector infectors like "NYB".
It can only delete an infected file. Therefore it may only detect
virus droppers: files specifically intended to start a viral
infection.

100% Correct.

It's also unable to deal with malware which edits configuration files.
In fairness to MBAM and the Malwarebytes team, no antimalware app seems to
reconfigure the modified files for a specific web browser that is very
popular.

By unable to deal with, for those really slow, I mean it's unable to
reverse changes made to the configuration; it is able to deal with the
malware executables and its registry entries fine.
 
FromTheRafters

Dustin said:
Yes, in initial form only. Once it's infected something, likelihood of
detection is near zero. Hence, Malwarebytes recommends antivirus to be
run alongside her.

I understood that to be the case even though I'm not an insider. It does
list some viruses in its known malware list. I suspect the reason is
because it doesn't address a true virus' polymorphic spreading mode,
that is that it can't recognize any infections that are not simply
straightforward added code.

Just guesses though.

On this subject, isn't an initial (zeroth iteration) really a trojan? I
mean, isn't a program that drops a program via infection (injector,
dropper, or whatever) really a trojan and not a virus even if it has a
payload that *is* a virus? Hell, such a zeroth iteration could even be a
differing filetype from what the viral payload itself infects. If so,
what you say above regarding MBAM not handling further iterations means
that they really don't reliably detect viruses even though Virut for
instance is listed.
 
Dustin

I understood that to be the case even though I'm not an insider. It
does list some viruses in its known malware list. I suspect the
reason is because it doesn't address a true virus' polymorphic
spreading mode, that is that it can't recognize any infections that
are not simply straightforward added code.

It's not designed for viruses. It can catch some which are very
specific, but that was never the primary design focus.
Just guesses though.

Good ones. :)
On this subject, isn't an initial (zeroth iteration) really a
trojan? I mean, isn't a program that drops a program via infection
(injector, dropper, or whatever) really a trojan and not a virus
even if it has a payload that *is* a virus? Hell, such a zeroth
iteration could even be a differing filetype from what the viral
payload itself infects. If so, what you say above regarding MBAM not
handling further iterations means that they really don't reliably
detect viruses even though Virut for instance is listed.

It depends. For example, my viruses shipped in a dropper-like mode, but
would really infect whatever was in the current directory only. It
didn't "drop" another executable.

A dropper OTOH would simply be a trojan, as it's not actually infecting
anything, but delivering its cargo and perhaps executing it then, or
prepping the system to execute it at a later time.. Say, when you
reboot.

The only thing which separates the two is replication. If it doesn't
replicate, it's not a virus. If it does, it's a virus. If it can
duplicate a complete copy of itself or a poly version which is self
contained (doesn't require a pre-existing exe) then it could be a worm.
If it can do this, AND seek out executables to infect, it's a worm AND
a virus. My later work in the Vx scene met the criteria for this.
 
FromTheRafters

Dustin said:
It's not designed for viruses. It can catch some which are very
specific, but that was never the primary design focus.


Good ones. :)


It depends. For example, my viruses shipped in a dropper-like mode, but
would really infect whatever was in the current directory only. It
didn't "drop" another executable.

A dropper OTOH would simply be a trojan, as it's not actually infecting
anything, but delivering its cargo and perhaps executing it then, or
prepping the system to execute it at a later time.. Say, when you
reboot.

The only thing which separates the two is replication. If it doesn't
replicate, it's not a virus. If it does, it's a virus. If it can
duplicate a complete copy of itself or a poly version which is self
contained (doesn't require a pre-existing exe) then it could be a worm.
If it can do this, AND seek out executables to infect, it's a worm AND
a virus. My later work in the Vx scene met the criteria for this.

Suppose you had a com file that sought out and infected PE files with a
virus. From that point onward the virus would only be found in PE files
(no point in looking for PE viruses in com files). Wouldn't that first
(zeroth) iteration be a trojan because *it* doesn't replicate *itself*?
Wouldn't all subsequent iterations be the kind that MBAM isn't looking
for? I guess it doesn't matter that much why they detect Virut, I can
see how MBAM may be able to detect such as Virut by its worminess. :blush:)

BTW, I've been giving some thought as to how close LoJack and Mebromi
come to being viruses. We don't generally go sneakernetting around with
BIOS or MBR/harddrive software in our pockets, but they do come very
close to virusness. :blush:)
 
David H. Lipman

FromTheRafters said:
I understood that to be the case even though I'm not an insider. It does list some
viruses in its known malware list. I suspect the reason is because it doesn't address a
true virus' polymorphic spreading mode, that is that it can't recognize any infections
that are not simply straightforward added code.

Just guesses though.

On this subject, isn't an initial (zeroth iteration) really a trojan? I mean, isn't a
program that drops a program via infection (injector, dropper, or whatever) really a
trojan and not a virus even if it has a payload that *is* a virus? Hell, such a zeroth
iteration could even be a differing filetype from what the viral payload itself infects.
If so, what you say above regarding MBAM not handling further iterations means that they
really don't reliably detect viruses even though Virut for instance is listed.

Interesting observation that would really get blurred when discussing a Zapchest.
 
David H. Lipman

FromTheRafters said:
Suppose you had a com file that sought out and infected PE files with a virus. From that
point onward the virus would only be found in PE files (no point in looking for PE
viruses in com files). Wouldn't that first (zeroth) iteration be a trojan because *it*
doesn't replicate *itself*?
Wouldn't all subsequent iterations be the kind that MBAM isn't looking for? I guess it
doesn't matter that much why they detect Virut, I can see how MBAM may be able to detect
such as Virut by its worminess. :blush:)

BTW, I've been giving some thought as to how close LoJack and Mebromi come to being
viruses. We don't generally go sneakernetting around with BIOS or MBR/harddrive software
in our pockets, but they do come very close to virusness. :blush:)

Is it a true com file that lives within a 64K segment or is it really a .EXE renamed .COM?

What about those dual role executables that can run under Windows or run under DOS ?
 
FromTheRafters

David said:
Is it a true com file that lives within a 64K segment or is it really a .EXE renamed .COM?

I had envisioned it as a true com file, like those created under DOS'
"Debug" program. Essentially an executable image in a file. Most other
'executable' files are actually data to be translated into an executable
image by the loader program.

My point was only that the manipulations to modify a PE executable need
not come from an executing PE executable module. In fact, I believe that
someone could write an ELF trojan that infects PE files with a virus
when it finds them. The trojan would be an ELF trojan but the virus
would be a PE virus.
What about those dual role executables that can run under Windows or run under DOS ?

I suppose that if it were one of those it would be considered a virus
only if it showed evidence of having been infected rather than just
crafted. I assume all further iterations would come from infected files.

As I recall, most AV testing methodologies used only infected files
(with parents and children) and threw away germs or seeds, so you never
really expected them to find incipient viruses in zeroth iteration
(trojan?) files - only in second or greater generations.
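Added example (not from any of the posters above): a small Python script that tells the header types apart the way David and FromTheRafters describe them. A true .COM is a raw code image with no header, an .EXE renamed .COM still carries the 'MZ' signature (and DOS keys on the signature, not the extension), a PE is an MZ stub whose e_lfanew field points at the 'PE\0\0' header (the "dual role" DOS/Windows file), and an ELF starts with 0x7F 'ELF'. The sample images are constructed here for the illustration and are nothing but a DOS exit call behind a header; the offsets and signatures used are the real on-disk layout.

```python
"""Header-based classification of the executable types discussed above.
Sample images are constructed inline for this example (not real malware,
just minimal headers wrapped around a DOS exit call)."""
import struct

# A true .COM is loaded at CS:0100h into a single 64 KiB segment, so the raw
# image can be at most 0xFF00 bytes. Anything bigger cannot be a real COM.
COM_MAX_IMAGE = 0xFF00


def classify(data: bytes) -> str:
    """Return a short label for what a loader would make of this file.
    The DOS loader keys on the 'MZ' signature, not the extension, so an
    EXE renamed .COM is still treated as an EXE (and a raw COM image that
    happens to start with 'MZ' would be misread the same way)."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] in (b"MZ", b"ZM"):
        if len(data) >= 0x40:
            # IMAGE_DOS_HEADER.e_lfanew (offset 0x3C) points at the PE header
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "PE (MZ stub plus PE header: dual DOS/Windows)"
        return "MZ (DOS EXE; a .COM with this header is a renamed EXE)"
    if 0 < len(data) <= COM_MAX_IMAGE:
        return "COM (raw code image, no header)"
    return "unknown"


def pe_file_header(data: bytes) -> dict:
    """Parse IMAGE_FILE_HEADER of a PE image: Machine, NumberOfSections,
    Characteristics. Raises if the e_lfanew target is not 'PE\\0\\0'."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    machine, nsections, _ts, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine, "sections": nsections, "characteristics": chars}


# --- constructed samples (hypothetical, for this example only) ---------------
DOS_EXIT = b"\xB4\x4C\xCD\x21"            # mov ah,4Ch ; int 21h


def build_com_sample() -> bytes:
    return DOS_EXIT                         # nothing but code: a true COM image


def build_mz_sample() -> bytes:
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"                         # e_lfanew left 0: no PE header follows
    return bytes(hdr) + DOS_EXIT            # what an "EXE renamed .COM" looks like


def build_pe_sample() -> bytes:
    img = bytearray(0x80)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)  # e_lfanew -> PE header at 0x80
    img[0x40:0x44] = DOS_EXIT               # the DOS stub body (runs under DOS)
    # IMAGE_FILE_HEADER: i386, one section, EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    return bytes(img) + b"PE\x00\x00" + file_hdr


def build_elf_sample() -> bytes:
    return b"\x7fELF\x02\x01\x01" + b"\x00" * 9   # e_ident: ELF64, LSB, version 1


if __name__ == "__main__":
    for name, img in [("com", build_com_sample()), ("mz", build_mz_sample()),
                      ("pe", build_pe_sample()), ("elf", build_elf_sample())]:
        print(f"{name:4s} {classify(img)}")
```

The point of the PE branch is the one raised in the thread: the same file carries a DOS-executable header and a Windows one, and which code runs depends on which loader opens it, so "which format is infected" has to be answered per loader, not per file.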
 
FromTheRafters

David said:
Interesting observation that would really get blurred when discussing a Zapchest.
It indeed gets kinda blurry when many benign files are used in concert,
maliciously. Also when encountering the likes of batman186 which IIRC
infected com and bat alternatively.

Related question - is a dropper only a dropper if it drops a file to the
filesystem, or can it still be considered a dropper if it infects a
preexisting program?
 
David H. Lipman

FromTheRafters said:
It indeed gets kinda blurry when many benign files are used in concert, maliciously.
Also when encountering the likes of batman186 which IIRC infected com and bat
alternatively.

Related question - is a dropper only a dropper if it drops a file to the filesystem, or
can it still be considered a dropper if it infects a preexisting program?

If it infects it either trojanizes or spreads a virus. If it drops a file into the OS and
sets a "run" location to it then it is merely a dropper. If it does both infect and drop
a file then it goes into a non categorized area as a multi-faceted infector.

When I brought up the Zapchest it is because it usually involves a type of multi-faceted
infector, in that it usually is an IRC Trojan where the trojan is infected with a file
infecting virus.
 
FromTheRafters

David said:
If it infects it either trojanizes or spreads a virus. If it drops a file into the OS and
sets a "run" location to it then it is merely a dropper. If it does both infect and drop
a file then it goes into a non categorized area as a multi-faceted infector.
Thanks.

When I brought up the Zapchest it is because it usually involves a type of multi-faceted
infector, in that it usually is an IRC Trojan where the trojan is infected with a file
infecting virus.

Okay, so if a program is infected with a non-replicator it is "trojanized"
and if with a replicator it is a virus. If no infection, then it is a
dropper - possibly even 'installed' and may be a worm or not depending
upon other factors.

BTW, I couldn't find Zapchest, only Zapchast. I investigated that one
time when I got a FP for it. Many of the files involved were benign and
only being maliciously used, hence my comment.
 
David H. Lipman

FromTheRafters said:
Okay, so if a program is infected with a non-replicator it is "trojanized" and if with a
replicator it is a virus. If no infection, then it is a dropper - possibly even
'installed' and may be a worm or not depending upon other factors.

BTW, I couldn't find Zapchest, only Zapchast. I investigated that one time when I got a
FP for it. Many of the files involved were benign and only being maliciously used, hence
my comment.

Mea culpa in spelling.

The "Zapchast" I have seen have been double whammys. The majority were self-extracting
archive files (SFX) that run a script to install an IRC trojan (EXE) which is infected with a
virus (can't remember which), and accompanying the EXE are several interpreted files for
the IRC trojan. The EXE file was usually 1.5~2MB and with all the files in the SFX, the
SFX usually was 256~500KB.
 
Dustin

It indeed gets kinda blurry when many benign files are used in
concert, maliciously. Also when encountering the likes of batman186
which IIRC infected com and bat alternatively.

Related question - is a dropper only a dropper if it drops a file to
the filesystem, or can it still be considered a dropper if it
infects a preexisting program?

It's viral if it has live infection routines and infects something
else... What's really important is the infectees; will they also spread
when activated?
 
Dustin

Okay, so if a program infected with a non-replicator it is
"trojanized" and if with a replicator it is a virus. If no
infection, then it is a dropper - possibly even 'installed' and may
be a worm or not depending upon other factors.

Correct!
 
FromTheRafters

Dustin said:
It's viral if it has live infection routines and infects something
else... What's really important is the infectees; will they also spread
when activated?
Okay, so something like Mebromi arrives as a trojan, is a dropper, and
infects files as a startup method (not really viral), infects the BIOS
and the MBR and uses the BIOS routine as a guardian for the MBR
infection (re-infects it if found to be uninfected). It is not a virus,
but only because the MBR routine and infected files don't act as a
guardian for the BIOS in a similar manner (lacking recursion). That is,
only the installation routine flashes the BIOS and that function is not
copied in the infections - so no virus.

LoJack OTOH does have this two way guardianship (a sort of recursion)
but the code it needs to accomplish that task is a network resource not
a local one - so again no virus (I suspect it already is a virus in a
mathematic sense).

I started out just wondering if the only thing making them not act, or
should I say behave, like a typical virus is that we are not in the
habit of transporting MBR and/or BIOS code in our pockets when visiting
friends with computers and installing them on their computers. Their
action is viral but the overall behavior is not, but only through the
absence of sneakernet.

The downside of the *use* of the technology behind LoJack aside, we come
damned close to the "good virus" - an example of viral technology being
used for good *and* the first real BIOS infecting virus too. Keep in
mind that to me a virus is neutral (just a program) and this seems to
open the door to a "good rootkit" using "good virus" technology for
persistence against physical access.
 
Dustin

Okay, so something like Mebromi arrives as a trojan, is a dropper,
and infects files as a startup method (not really viral), infects
the BIOS and the MBR and uses the BIOS routine as a guardian for the
MBR infection (re-infects it if found to be uninfected). It is not a
virus, but only because the MBR routine and infected files don't act
as a guardian for the BIOS in a similar manner (lacking recursion).
That is, only the installation routine flashes the BIOS and that
function is not copied in the infections - so no virus.
Correct!

LoJack OTOH does have this two way guardianship (a sort of
recursion) but the code it needs to accomplish that task is a
network resource not a local one - so again no virus (I suspect it
already is a virus in a mathematic sense).

Correct again. It's not a virus, it's a dropper with installation
routine. The BIOS code ensures a drop if it's missing, removed and/or
damaged in some fashion. The dropped file doesn't natively modify other
executables.
I started out just wondering if the only thing making them not act,
or should I say behave, like a typical virus is that we are not in
the habit of transporting MBR and/or BIOS code in our pockets when
visiting friends with computers and installing them on their
computers. Their action is viral but the overall behavior is not,
but only through the absence of sneakernet.

Well, the modified MBR code makes no effort to transfer a copy of
itself onto other hard disks, or removable media. IE: no intentional
replication is occurring with the modified code. The MBR is modified
once by the dropper. If it did, and those modified MBRs when executed
resulted in the new host's drives now also containing it, then it would
be a virus. An MBR infector, specifically.

The BIOS code is doing the same thing in this case as the above MBR
code. Neither of them are making any effort to leave the original host
and seek out new ones. Neither of them are viral. In fact, it wishes to
remain on the host it's been installed to. [g].
The downside of the *use* of the technology behind LoJack aside, we
come damned close to the "good virus" - an example of viral
technology being used for good *and* the first real BIOS infecting
virus too. Keep in mind that to me a virus is neutral (just a
program) and this seems to open the door to a "good rootkit" using
"good virus" technology for persistence against physical access.

We don't have a virus with lojack. No replication is going on. Software
is being installed on two levels with a persistent piece of code
running. However, that code is only interested in keeping that specific
host with it. It doesn't wish to leave, and if you do transport the
dropped exe and try to run it on a non lojacked system; it will not
run. It will not install lojack, it will not flash the bios. It will
not replicate the functionality to the new host. So, no virus.

What we have is a trojan with some stealth. We've always known BIOS
code was executable; so this was a long time coming.
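Added example, again not from any poster in this thread: a Python check for the "MBR modified once by the dropper" case Dustin describes. Both boot sectors here are constructed for the example (the boot code is a few placeholder instructions, not a real bootstrap); on a live system the 512 bytes would be read from the raw disk device. It shows what a defender actually looks for with an MBR bootkit of the Mebromi kind: the boot code hash changes while the partition table is left intact so the machine still boots.

```python
"""Parse a 512-byte MBR and compare its boot code against a known-good
baseline. Sample sectors are constructed inline for this example."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446        # bytes 0..445: boot code, the part a bootkit overwrites
PART_TABLE_OFF = 446       # four 16-byte partition entries
SIGNATURE_OFF = 510        # 0x55 0xAA

# Constructed sample data (hypothetical; not taken from any real disk).
CLEAN_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 20   # cli; xor ax,ax; mov ss,ax; mov sp,7C00h; nops
MODIFIED_BOOT_CODE = b"\xEB\x3E" + b"\x90" * 26                         # short jmp elsewhere: boot code replaced
SAMPLE_PARTITIONS = [
    {"bootable": True, "type": 0x07, "lba_start": 2048, "sectors": 204800},
    {"bootable": False, "type": 0x83, "lba_start": 206848, "sectors": 409600},
]


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four partition entries."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, p in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        sector[off] = 0x80 if p["bootable"] else 0x00     # status byte
        sector[off + 4] = p["type"]                         # partition type
        # LBA start and sector count; legacy CHS fields are left zero here
        struct.pack_into("<II", sector, off + 8, p["lba_start"], p["sectors"])
    sector[SIGNATURE_OFF:] = b"\x55\xAA"
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature, hash the boot code, decode the partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFF:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:                                      # type 0 = empty slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def baseline_hash(sector: bytes) -> str:
    """Record this when the disk is known clean (e.g. right after install)."""
    return parse_mbr(sector)["boot_code_sha256"]


def check_boot_code(sector: bytes, baseline_sha256: str) -> str:
    """Compare the live boot code against the recorded baseline."""
    info = parse_mbr(sector)
    if info["boot_code_sha256"] == baseline_sha256:
        return "boot code matches baseline"
    return "boot code MODIFIED (%d partition entries still present)" % len(info["partitions"])


if __name__ == "__main__":
    clean = build_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
    good = baseline_hash(clean)
    print(check_boot_code(clean, good))
    print(check_boot_code(build_mbr(MODIFIED_BOOT_CODE, SAMPLE_PARTITIONS), good))
```

A bare hash comparison like this is only as good as the baseline: with a BIOS-resident "guardian" of the sort discussed above, the MBR will be rewritten again after you restore it, so a check that passes once and fails on the next boot is itself the signal that something above the MBR is putting it back.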
 
RayLopez99

The only thing which separates the two is replication. If it doesn't
replicate, it's not a virus. If it does, it's a virus. If it can
duplicate a complete copy of itself or a poly version which is self
contained (doesn't require a pre existing exe) then it could be a worm.
If it can do this, AND seek out executables to infect, it's a worm AND
a virus. My later work in the Vx scene met the criteria for this.

Did you get paid for your work or was it just for fun?

Nowadays they pay up to $10k or was it $100k for every zero-day
exploit.

I find it curious why the law does not seem to make any distinction
between White Hat hackers and Black Hat hackers. Whether or not you
get paid (or made money) off virus writing is irrelevant to the law--
you are still guilty. It might make a difference in the sentence
passed however.

RL
 
Dustin

Did you get paid for your work or was it just for fun?
What?

between White Hat hackers and Black Hat hackers. Whether or not you
get paid (or made money) off virus writing is irrelevant to the
law-- you are still guilty. It might make a difference in the
sentence passed however.

guilty of?
 
RayLopez99


Your authoring of viruses back in the days. Did you get paid?
guilty of?

If you got paid, it's usually a factor in favor of a greater sentence
as opposed to a slap on the wrist. Of course it depends on the judge,
and if he's an old codger who is afraid of technology and hackers, it
might not make much difference either way.

RL
 
Dustin

Your authoring of viruses back in the days. Did you get paid?

Can I have some of what you're smoking? I just smoked my last
bowl... Seems yours is better.
If you got paid, it's usually a factor in favor of a greater
sentence as opposed to a slap on the wrist. Of course it depends on
the judge, and if he's an old codger who is afraid of technology and
hackers, it might not make much difference either way.

Er.. You still haven't told me what I'd be guilty of. Computer viruses
are just programs, mannn. Why don't you just ask me what you're wanting
to know instead of implying?
 
RayLopez99

Er.. You still haven't told me what I'd be guilty of. Computer viruses
are just programs, mannn. Why don't you just ask me what you're wanting
to know instead of implying?

You are guilty of aiding and abetting hackers. By writing and
releasing source code that can be used to create a virus. At least
that's what the government would allege (I don't agree with their
position but that's the law as they see it). The US government has
taken the position (extreme) that even releasing a white paper at a
hackers conference is a crime. I think about 10 or 15 years ago they
tried to prosecute somebody on this ground. It had a chilling effect
on research.

Fess up Dustin--you're going to jail.

RL
 
