Piggyback remover?

Hey folks,

I've been searching far and wide for something to remove a piggyback
from a program, but I'm having no luck. Does anyone here have something
I can use for it?

The problem is that AV software these days is all able to recognise
piggyback software like trojan droppers or downloaders, but, unlike the
way it used to be, NONE of the AV suites out there are able to remove
wrappers or loaders that drop this kind of stuff on your system. Usually
they are very simple programs just slapped onto the original program, to
run a spyware/dropper first and then the actual program. All the AV
suites do these days (very cheap IMHO) is just tell people to delete
the program. Well, there are plenty of cases where you can't do that.

I can't even find a simple binary splitter to extract the separate
executable files from the piggybacked program (I'm all talking Windows
PE executables here, by the way). If I had the time and wasn't so rusty
with my programming I would even consider writing one myself. It can't
be that hard... search for .EXE headers in the file and save the separate
binaries to files...

But, before I invent the wheel twice, does anyone know if there is
software out there to remove this kind of thing from a program, or even
something to just split up .EXE files into the "real" program and the
malware?

--
Signed: Moonchild
(remove nospam. when replying!)

"When one door closes another door opens;
 but we so often look so long and so regretfully upon the closed door,
 that we do not see the ones which open for us."
                          ,     ,
                          |\---/|
                         /  , , |
                    __.-'|  / \ /
           __ ___.-'        ._O|
        .-'  '        :      _/
       / ,    .        .     |
      :  ;    :        :   _/
      |  |   .'     __:   /
      |  :   /'----'| \  |
      \  |\  |      | /| |
       '.'| /       || \ |
       | /|.'       '.l \_
  snd  || ||             '-'
       '-''-'

Re: Piggyback remover?


Exactly.  So how does any program know exactly where the code for the
wrapper ends and the code for the original program begins without
knowing the exact copy of the original program's code?  There are way
too many programs and versions of each to be tracking the exact
codebase for them all.  What if the malware "slapped" itself after the
80-byte exe header instead of including its own?  Is the code splitter
supposed to keep the exe header that is somehow magically discovered
after whatever byte length for the prepended malware code or is the
exe header at the start of the file to be retained and the one after
the magically discovered byte length to be removed?  Just because some
AV programs attempt to disinfect a file doesn't mean they guess how to
do it correctly.  Don't expect anti-malware programs to always return
you to a usable or prior state to the infection.  Sometimes the amount
of effort to thoroughly get rid of a pest is more than doing a fresh
install of the OS and applications.

Besides, once identified, you yourself could easily just replace the
entire file with an original copy from your backups.  If you don't do
backups then you have deliberately deemed your files as trivial and
reproducible.  You could also install the program in a VM and yank a
copy of the file from there rather than have to uninstall and
reinstall on your host OS.



Geez, you have no concept of Usenet netiquette.  Signatures should be
4 lines, OR LESS, in length.


Re: Piggyback remover?

So your real name is "Wolf Kunt" then, pissant horse's arse #2?




Re: Piggyback remover?


Wow.
I don't know what happened to you but maybe you should get a hobby to
get rid of all that aggression somewhere? No, nothing with sharp objects
;)

And FYI, "disinfection" used to be a common function of any antivirus
package. In fact, a number still seem to have this function, like Trend
Micro, but it just never succeeds because it's a rather dumb routine
that is used.

But, looks like I should look into stretching my back, get that "old
school" programming fired up and write something myself, and let Usenet
be Usenet, filled with so much pointless flinging of obscenities it
makes 4chan's /b/ look like Mother Teresa.

Unless anyone that actually reads this has a better idea.

M.


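A first cut at the header scan described in the opening post and revisited at the end of the thread, as added example code (not from any poster): it walks a file for "MZ" stubs whose e_lfanew points at a real "PE\0\0" signature, sizes each image from its section table, and returns the offsets so a bundled dropper and the original program can be separated for analysis. The sample input is a constructed two-image blob with a decoy "MZ" inside the first payload; as the second reply points out, a wrapper that reuses the original's header rather than carrying its own will not show up as a separate image, so this only handles the simple "slapped together" case.

```python
import struct

PE_SIG = b"PE\0\0"


def parse_pe_at(data: bytes, off: int):
    """Return the end offset of a plausible PE image starting at off, or None."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(data) or data[pe:pe + 4] != PE_SIG:
        return None
    nsec = struct.unpack_from("<H", data, pe + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # COFF SizeOfOptionalHeader
    sec_tbl = pe + 24 + opt_size                            # first section header
    if nsec == 0 or nsec > 96 or sec_tbl + 40 * nsec > len(data):
        return None
    end = sec_tbl + 40 * nsec
    for i in range(nsec):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tbl + 40 * i + 16)
        if off + raw_ptr + raw_size > len(data):            # section claims bytes past EOF
            return None
        end = max(end, off + raw_ptr + raw_size)            # on-disk extent of the image
    return end


def find_pe_images(data: bytes):
    """Return (offset, size) for every self-consistent PE image found in data."""
    found, pos = [], data.find(b"MZ")
    while pos != -1:
        end = parse_pe_at(data, pos)
        if end is not None:
            found.append((pos, end - pos))
        pos = data.find(b"MZ", pos + 1)
    return found


def carve(data: bytes):
    """Slice each detected image out so it can be hashed or scanned on its own."""
    return [data[o:o + s] for o, s in find_pe_images(data)]


def build_minimal_pe(payload: bytes) -> bytes:
    """Constructed PE-shaped test blob (one section, not a runnable executable)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = b"\0" * 0xE0                                            # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    raw_ptr = len(dos) + 4 + len(coff) + len(opt) + 40            # data follows section table
    sec = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + PE_SIG + coff + opt + sec + payload


# Constructed sample: a "wrapper" image followed by the "original" image.
SAMPLE = build_minimal_pe(b"MZ decoy inside wrapper data") + build_minimal_pe(b"ORIGINAL-PROGRAM")
```

Running `find_pe_images(SAMPLE)` reports two images, the decoy "MZ" at offset 352 is rejected because its e_lfanew does not land on a PE signature, and `carve` hands back each image for separate scanning.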