Malwarebytes site no longer accepts donations - Page 2


Re: Malwarebytes site no longer accepts donations



Yes. However, it can't "disinfect" a file that has code injected into it, and it
won't do anything about boot sector infectors like "NYB". It can only delete an
infected file. Therefore it may only detect virus droppers: files specifically
intended to start a viral infection.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: Malwarebytes site no longer accepts donations



100% Correct.

It's also unable to deal with malware which edits configuration files.
In fairness to MBAM and malwarebytes team, No antimalware app seems to
reconfigure the modified files for a specific web browser that is very
popular.

By unable to deal with, for those really slow, I mean it's unable to
reverse changes made to the configuration; it is able to deal with the
malware executables and its registry entries fine.

 

--
I am a sinner
Hold my prayers upto the sun
I am a sinner
Heaven's closed for what I've done.

Re: Malwarebytes site no longer accepts donations



Yes, in initial form only. Once it's infected something, the likelihood of
detection is near zero. Hence, Malwarebytes recommends an antivirus be
run alongside her.
 



--
I am a sinner
Hold my prayers upto the sun
I am a sinner
Heaven's closed for what I've done.

Re: Malwarebytes site no longer accepts donations

Dustin wrote:

I understood that to be the case even though I'm not an insider. It does
list some viruses in its known malware list. I suspect the reason is
because it doesn't address a true virus' polymorphic spreading mode,
that is that it can't recognize any infections that are not simply
straightforward added code.

Just guesses though.

On this subject, isn't an initial (zeroth iteration) really a trojan? I
mean, isn't a program that drops a program via infection (injector,
dropper, or whatever) really a trojan and not a virus even if it has a
payload that *is* a virus? Hell, such a zeroth iteration could even be a
differing filetype from what the viral payload itself infects. If so,
what you say above regarding MBAM not handling further iterations means
that they really don't reliably detect viruses even though Virut for
instance is listed.


Re: Malwarebytes site no longer accepts donations



It's not designed for viruses. It can catch some which are very
specific, but that was never the primary design focus.
 

Good ones. :)
 
 
It depends. For example, my viruses shipped in a dropper like mode, but
would really infect whatever was in the current directory only. It
didn't "drop" another executable.

A dropper OTOH would simply be a trojan, as it's not actually infecting
anything, but delivering its cargo and perhaps executing it then, or
prepping the system to execute it at a later time. Say, when you
reboot.

The only thing which separates the two is replication. If it doesn't
replicate, it's not a virus. If it does, it's a virus. If it can
duplicate a complete copy of itself or a poly version which is self
contained (doesn't require a pre-existing exe) then it could be a worm.
If it can do this, AND seek out executables to infect, it's a worm AND
a virus. My later work in the Vx scene met the criteria for this.
 



--
I am a sinner
Hold my prayers upto the sun
I am a sinner
Heaven's closed for what I've done.

Re: Malwarebytes site no longer accepts donations

Dustin wrote:

Suppose you had a com file that sought out and infected PE files with a
virus. From that point onward the virus would only be found in PE files
(no point in looking for PE viruses in com files). Wouldn't that first
(zeroth) iteration be a trojan because *it* doesn't replicate *itself*?
Wouldn't all subsequent iterations be the kind that MBAM isn't looking
for? I guess it doesn't matter that much why they detect Virut, I can
see how MBAM may be able to detect such as Virut by its worminess. :o)

BTW, I've been giving some thought as to how close LoJack and Mebromi
come to being viruses. We don't generally go sneakernetting around with
BIOS or MBR/harddrive software in our pockets, but they do come very
close to virusness. :o)


Re: Malwarebytes site no longer accepts donations



Is it a true com file that lives within a 64K segment, or is it really a .EXE
renamed .COM?

What about those dual role executables that can run under Windows or run under
DOS ?


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: Malwarebytes site no longer accepts donations

"David H. Lipman" wrote:


Yes.


No.

Additionally, a com file is raw code (16 bit only). No headers,
sections or relocations like for an exe (PE or otherwise).


MS-DOS executables will run under Windows, at least in 32-bit
versions, under ntvdm. Most Win PE exes have a 16-bit stub which will
only run in DOS and prints "this program cannot be run in DOS mode",
or similar. So every PE is a dual-role exe and that DOS stub could
be expanded.
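The distinction drawn in this exchange (a true .COM file is a raw 16-bit image with no header, a .EXE starts with an "MZ" header, and a Windows PE carries a 16-bit DOS stub in front of the "PE\0\0" signature) can be checked directly from the first bytes of a file. The following is an added example, not code from anyone in the thread: it classifies a blob the way the DOS and Windows loaders would, locates the DOS stub through the e_lfanew field, and builds three constructed sample images (a tiny .COM, an old-style MZ executable, and a minimal PE with the standard stub) so it runs offline. The sample headers are hand-built for illustration and contain only the fields the classifier reads.

```python
"""Classify a DOS/Windows executable by header bytes, not by file extension.

Added example: distinguishes a true .COM (raw 16-bit image), an old-style MZ
.EXE, and a PE with its 16-bit DOS stub. Sample images below are constructed.
"""
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
COM_MAX_SIZE = 0xFF00  # one 64K segment minus the 256-byte PSP the image sits behind
STUB_MESSAGE = b"cannot be run in DOS mode"
IMAGE_FILE_MACHINE = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARM", 0xAA64: "ARM64"}


def classify(data: bytes) -> dict:
    """Return what the loader would make of `data`, regardless of its name."""
    info = {"kind": "unknown", "dos_stub_len": 0, "pe_offset": None,
            "machine": None, "has_standard_stub": False}
    if data[:2] != MZ_MAGIC:
        # No MZ signature: DOS loads the whole file as a raw image at CS:0100h.
        # (A raw image that happens to start with the bytes "MZ" is misread by
        # DOS as well, so this mirrors the loader rather than "fixes" it.)
        info["kind"] = "COM" if len(data) <= COM_MAX_SIZE else "unknown"
        return info
    if len(data) < 0x40:
        info["kind"] = "MZ"  # too short to hold e_lfanew; plain DOS .EXE
        return info
    e_lfarlc = struct.unpack_from("<H", data, 0x18)[0]   # relocation table offset
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0" if any
    # e_lfanew is only meaningful when the relocation table starts at 0x40 or later;
    # in old-style headers the bytes at 0x3C are just part of the relocation data.
    if (e_lfarlc >= 0x40 and e_lfanew + 24 <= len(data)
            and data[e_lfanew:e_lfanew + 4] == PE_MAGIC):
        machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]  # COFF Machine field
        info["kind"] = "PE"
        info["pe_offset"] = e_lfanew
        info["dos_stub_len"] = e_lfanew          # MZ header plus the 16-bit stub program
        info["machine"] = IMAGE_FILE_MACHINE.get(machine, "other")
        info["has_standard_stub"] = STUB_MESSAGE in data[0x40:e_lfanew]
    else:
        info["kind"] = "MZ"  # 16-bit DOS .EXE (or a non-PE new-style executable)
    return info


# ---- constructed sample images (illustration only) ----------------------------

def make_com() -> bytes:
    """A real 15-byte DOS .COM: mov ah,9; mov dx,010Ch; int 21h; mov ax,4C00h; int 21h; db 'Hi$'."""
    return bytes.fromhex("B409 BA0C01 CD21 B8004C CD21") + b"Hi$"


def make_dos_exe() -> bytes:
    """Old-style MZ header (e_lfarlc = 0x1C, so no e_lfanew) followed by the COM image."""
    hdr = bytearray(0x40)
    hdr[0:2] = MZ_MAGIC
    struct.pack_into("<H", hdr, 0x18, 0x1C)
    return bytes(hdr) + make_com()


def make_pe(machine: int = 0x014C) -> bytes:
    """Minimal PE: 0x40-byte MZ header, 0x40-byte standard DOS stub, PE signature + COFF header."""
    # push cs; pop ds; mov dx,000Eh; mov ah,9; int 21h; mov ax,4C01h; int 21h
    stub = bytes.fromhex("0E1F BA0E00 B409 CD21 B8014C CD21")
    stub += b"This program cannot be run in DOS mode.\r\r\n$"
    stub = stub.ljust(0x40, b"\0")
    hdr = bytearray(0x40)
    hdr[0:2] = MZ_MAGIC
    struct.pack_into("<H", hdr, 0x18, 0x40)  # e_lfarlc = 0x40 makes e_lfanew valid
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew: "PE\0\0" lives at 0x80
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(hdr) + stub + PE_MAGIC + coff


if __name__ == "__main__":
    for name, blob in [("hello.com", make_com()), ("old.exe", make_dos_exe()),
                       ("renamed.com", make_pe()), ("x64.exe", make_pe(0x8664))]:
        print(f"{name:12s} {classify(blob)}")
```

The filename is deliberately ignored: both the DOS EXEC call and the Windows loader decide by the "MZ" signature, so a .EXE renamed to .COM still loads as an EXE, which is why the question above cannot be answered from the extension alone. The `e_lfarlc` check matters in practice: an old-style DOS .EXE with a large relocation table can have arbitrary bytes at offset 0x3C, and a classifier that trusts them blindly will chase a bogus `e_lfanew`.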



Re: Malwarebytes site no longer accepts donations

David H. Lipman wrote:

I had envisioned it as a true com file, like those created under DOS'
"Debug" program. Essentially an executable image in a file. Most other
'executable' files are actually data to be translated into an executable
image by the loader program.

My point was only that the manipulations to modify a PE executable need
not come from an executing PE executable module. In fact, I believe that
someone could write an ELF trojan that infects PE files with a virus
when it finds them. The trojan would be an ELF trojan but the virus
would be a PE virus.


I suppose that if it were one of those it would be considered a virus
only if it showed evidence of having been infected rather than just
crafted. I assume all further iterations would come from infected files.

As I recall, most AV testing methodologies used only infected files
(with parents and children) and threw away germs or seeds, so you never
really expected them to find incipient viruses in zeroth iteration
(trojan?) files - only in second or greater generations.

Re: Malwarebytes site no longer accepts donations



Did you get paid for your work or was it just for fun?

Nowadays they pay up to $10k or was it $100k for every zero-day
exploit.

I find it curious why the law does not seem to make any distinction
between White Hat hackers and Black Hat hackers.  Whether or not you
get paid (or made money) off virus writing is irrelevant to the law--
you are still guilty.  It might make a difference in the sentence
passed however.

RL

Re: Malwarebytes site no longer accepts donations



What?
 

guilty of?


--
I am a sinner
Hold my prayers upto the sun
I am a sinner
Heaven's closed for what I've done.

Re: Malwarebytes site no longer accepts donations



Your authoring of viruses back in the days.  Did you get paid?


If you got paid, it's usually a factor in favor of a greater sentence
as opposed to a slap on the wrist.  Of course it depends on the judge,
and if he's an old codger who is afraid of technology and hackers, it
might not make much difference either way.

RL

Re: Malwarebytes site no longer accepts donations



Can I have some of what you're smoking? I just smoked my last
bowl... Seems yours is better.
 

Er.. You still haven't told me what I'd be guilty of. Computer viruses
are just programs, mannn. Why don't you just ask me what you're wanting
to know instead of implying?


--
I am a sinner
Hold my prayers upto the sun
I am a sinner
Heaven's closed for what I've done.

Re: Malwarebytes site no longer accepts donations



You are guilty of aiding and abetting hackers.  By writing and
releasing source code that can be used to create a virus.  At least
that's what the government would allege (I don't agree with their
position but that's the law as they see it). The US government has
taken the position (extreme) that even releasing a white paper at a
hackers conference is a crime.  I think about 10 or 15 years ago they
tried to prosecute somebody on this ground.  It had a chilling effect
on research.

Fess up Dustin--you're going to jail.

RL

Re: Malwarebytes site no longer accepts donations



can be used to create? Er, I think you're very confused here. I
released functional binaries as well as source code. There was no can
be made into, if you followed the instructions, you had the result. No
can to it.

I've never heard of "aiding and abetting" hackers. I'd be aiding and
abetting myself then... Which really makes no sense to me.

I don't know why you think the government would do anything about
something I wrote 10+ years ago, but whether you like it or not, they
can't touch me. Na na. Statute of limitations. Unf!


Well, luckily for me, I did these things prior to the trade center and
patriot act coming into play. They can't do anything to me for the
things I did then. That's right, there is a statute of limitations on
intentionally releasing destructive code. Which, incidentally, I never
did. LOL. Virus writing is not and never was illegal. The legality
arises out of what you did with the virus. If you took it to toyota
and loaded it on their network, that would be illegal. Writing it
isn't.

That would be like charging me for selling you a gun because you
decided to shoot up a school with it. As long as I was within the law
during the sale, you are going to have to find another scapegoat. Say,
the person really responsible, for a change.
 

I think you've been drinking the koolaid mr remailer has been peddling
too much. I'm not on probation for virus writing. I've never been on
probation for virus writing. I didn't snitch on anybody, and I didn't
make any deals with uncle sam. Fact is, I got away, the statute of
limitations is way up, so I'm free and clear. That's what happened,
that's how it is. Period.


--
I am a sinner
Hold my prayers upto the sun
I am a sinner
Heaven's closed for what I've done.

Re: Malwarebytes site no longer accepts donations



Interesting observation that would really get blurred when discussing a Zapchest.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: Malwarebytes site no longer accepts donations

David H. Lipman wrote:
It indeed gets kinda blurry when many benign files are used in concert,
maliciously. Also when encountering the likes of batman186 which IIRC
infected com and bat alternatively.

Related question - is a dropper only a dropper if it drops a file to the
filesystem, or can it still be considered a dropper if it infects a
preexisting program?

Re: Malwarebytes site no longer accepts donations



If it infects, it either trojanizes or spreads a virus. If it drops a file into
the OS and sets a "run" location to it, then it is merely a dropper. If it does
both infect and drop a file, then it goes into a non-categorized area as a
multi-faceted infector.

When I brought up the Zapchest it is because it usually involves a type of
multi-faceted infector, in that it usually is an IRC Trojan where the trojan is
infected with a file-infecting virus.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: Malwarebytes site no longer accepts donations

David H. Lipman wrote:

Thanks.

Okay, so if a program is infected with a non-replicator it is "trojanized",
and if with a replicator it is a virus. If no infection, then it is a
dropper - possibly even 'installed' and may be a worm or not depending
upon other factors.

BTW, I couldn't find Zapchest, only Zapchast. I investigated that one
time when I got a FP for it. Many of the files involved were benign and
only being maliciously used, hence my comment.


Re: Malwarebytes site no longer accepts donations



Mea culpa in spelling.

The "Zapchast" I have seen have been double whammies. The majority were
self-extracting archive files (SFX) that run a script to install an IRC trojan
(EXE) that is infected with a virus (can't remember which), and accompanying the
EXE are several interpreted files for the IRC trojan. The EXE file was usually
1.5~2MB and, with all the files in the SFX, the SFX usually was 256~500KB.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


