Malwarebytes site no longer accepts donations - Page 3


Re: Malwarebytes site no longer accepts donations


[quoted text not loaded]

Correct!
--
I am a sinner
Hold my prayers upto the sun
I am a sinner
Heaven's closed for what I've done.

Re: Malwarebytes site no longer accepts donations


[quoted text not loaded]

It's viral if it has live infection routines and infects something
else... What's really important is the infectees; will they also spread
when activated?


Re: Malwarebytes site no longer accepts donations

Dustin wrote:
[quoted text not loaded]
Okay, so something like Mebromi arrives as a trojan, is a dropper, and
infects files as a startup method (not really viral), infects the BIOS
and the MBR and uses the BIOS routine as a guardian for the MBR
infection (re-infects it if found to be uninfected). It is not a virus,
but only because the MBR routine and infected files don't act as a
guardian for the BIOS in a similar manner (lacking recursion). That is,
only the installation routine flashes the BIOS and that function is not
copied in the infections - so no virus.

LoJack OTOH does have this two-way guardianship (a sort of recursion),
but the code it needs to accomplish that task is a network resource, not
a local one - so again no virus (I suspect it already is a virus in a
mathematical sense).

I started out just wondering if the only thing making them not act, or
should I say behave, like a typical virus is that we are not in the
habit of transporting MBR and/or BIOS code in our pockets when visiting
friends with computers and installing them on their computers. Their
action is viral but the overall behavior is not, but only through the
absence of sneakernet.

The downside of the *use* of the technology behind LoJack aside, we come
damned close to the "good virus" - an example of viral technology being
used for good *and* the first real BIOS infecting virus too. Keep in
mind that to me a virus is neutral (just a program) and this seems to
open the door to a "good rootkit" using "good virus" technology for
persistence against physical access.


Re: Malwarebytes site no longer accepts donations


[quoted text not loaded]

Correct!

[quoted text not loaded]

Correct again. It's not a virus, it's a dropper with an installation
routine. The BIOS code ensures a drop if it's missing, removed and/or
damaged in some fashion. The dropped file doesn't natively modify other
executables.

[quoted text not loaded]

Well, the modified MBR code makes no effort to transfer a copy of
itself onto other hard disks or removable media. I.e., no intentional
replication is occurring with the modified code. The MBR is modified
once by the dropper. If it did, and those modified MBRs when executed
resulted in the new host's drives now also containing it, then it would
be a virus. An MBR infector, specifically.

The BIOS code is doing the same thing in this case as the above MBR
code. Neither of them is making any effort to leave the original host
and seek out new ones. Neither of them is viral. In fact, it wishes to
remain on the host it's been installed to. [g]

[quoted text not loaded]

We don't have a virus with LoJack. No replication is going on. Software
is being installed on two levels with a persistent piece of code
running. However, that code is only interested in keeping that specific
host with it. It doesn't wish to leave, and if you do transport the
dropped exe and try to run it on a non-LoJacked system, it will not
run. It will not install LoJack, it will not flash the BIOS. It will
not replicate the functionality to the new host. So, no virus.

What we have is a trojan with some stealth. We've always known BIOS
code was executable; so this was a long time coming.


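The two posts above (the Mebromi description and Dustin's reply) describe the same mechanism: a dropper writes the MBR once, and a BIOS-resident routine re-drops it if it is found clean, without ever copying itself to another disk. The example below is added here and is not code from the thread or from any malware or vendor; it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot code, and runs a toy host model to show the practical consequence of that "guardian": a one-time MBR restore looks successful until the next boot, and the only way to tell disk-level tampering from firmware-level persistence is to re-check the hash across boots. `Host`, `guardian_for`, `check_after_restore` and every byte string are constructed for the demo; `DROPPED_BOOT` is marker bytes, not real boot code.

```python
"""Added example (not from the thread): MBR parser plus a toy model of the
BIOS 'guardian' behaviour the thread attributes to Mebromi.  Every byte
string here is constructed for the demo; none of it is real malware code."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"      # bytes 510..511: boot signature


def parse_mbr(mbr: bytes) -> dict:
    """Validate the signature, hash the boot code, decode the partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", mbr[off:off + 16])
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def pad_boot(code: bytes) -> bytes:
    """Pad or truncate boot code to exactly 446 bytes."""
    return code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble an MBR from boot code and (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return pad_boot(boot_code) + table + SIGNATURE


# Constructed stand-ins: a 'clean' bootstrap prologue and a 'dropped' replacement.
CLEAN_BOOT = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"   # cli; xor ax,ax; mov ss,ax; mov sp,7c00h
DROPPED_BOOT = b"\xeb\x3c\x90" + b"DEMO-DROPPER"   # arbitrary marker bytes, not real code
PARTITIONS = [(0x80, 0x07, 2048, 1_000_000)]       # one bootable NTFS-type partition (constructed)
CLEAN_MBR = build_mbr(CLEAN_BOOT, PARTITIONS)
INFECTED_MBR = build_mbr(DROPPED_BOOT, PARTITIONS)


class Host:
    """Toy host (constructed model): a disk MBR plus an optional firmware
    routine that runs before the MBR on every boot."""
    def __init__(self, mbr: bytes, bios_guardian=None):
        self.mbr = mbr
        self.bios_guardian = bios_guardian

    def boot(self) -> bytes:
        if self.bios_guardian is not None:
            self.mbr = self.bios_guardian(self.mbr)
        return self.mbr


def guardian_for(dropped_boot: bytes):
    """The re-drop behaviour described in the thread: if the boot code is not
    the dropped one, write it back and keep the partition table intact so the
    disk still boots. It never copies itself to another disk."""
    wanted = pad_boot(dropped_boot)

    def guardian(mbr: bytes) -> bytes:
        if mbr[:BOOT_CODE_LEN] != wanted:
            return wanted + mbr[BOOT_CODE_LEN:]
        return mbr
    return guardian


def check_after_restore(host: Host, clean_mbr: bytes, boots: int = 2) -> str:
    """Apply the one-time fix (write the known-good MBR), then reboot and re-hash.
    'clean'      : boot code still matches the known-good hash after every boot.
    'reinfected' : something that runs before the MBR rewrote it, i.e. persistence
                   below the disk, so cleaning the disk alone is not enough."""
    good = parse_mbr(clean_mbr)["boot_code_sha256"]
    host.mbr = clean_mbr
    for _ in range(boots):
        if parse_mbr(host.boot())["boot_code_sha256"] != good:
            return "reinfected"
    return "clean"


if __name__ == "__main__":
    # Partition table is identical in both images: a table diff alone misses the drop.
    print(parse_mbr(CLEAN_MBR)["partitions"] == parse_mbr(INFECTED_MBR)["partitions"])  # True
    print(check_after_restore(Host(INFECTED_MBR), CLEAN_MBR))                             # clean
    print(check_after_restore(Host(INFECTED_MBR, guardian_for(DROPPED_BOOT)), CLEAN_MBR))  # reinfected
```

The point of the `check_after_restore` loop is the one the thread makes about guardianship: a disk-only tool that rewrites the MBR and reports success is measuring the wrong thing, because the verdict only holds if the boot-code hash is still the known-good one after the firmware has had its turn on the next boot.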