The infamous email shuffle words virus or something - Page 4



Re: The infamous email shuffle words virus or something



This is where it can get hairy... You have to keep an eye on things and
be able to tell the CPU you changed your mind.
 



--
Why drink the water from my hand?
Contagious as you think I am
Just tilt my sun towards your domain
Your cup runneth over again

Re: The infamous email shuffle words virus or something

wrote:


And I don't think the EICAR file does.

Actually, it doesn't really matter as the file isn't supposed to run
anyway.

Re: The infamous email shuffle words virus or something

"Loren Pechtel" wrote:


[self modification & cache]


That's true, but even if it were intended to be run it's still
irrelevant. EICAR is a 16-bit DOS .COM executable, not a Win32 or
Win64 PE. This means it doesn't execute instructions directly on the
CPU but in a virtual machine (ntvdm.exe).

I'm not aware of any precautions regarding caching and self modifying
code. I've examined a lot of it in malware and shellcode and seen no
special steps taken.



Re: The infamous email shuffle words virus or something



But the virtual machine isn't an emulator.  The instructions execute
on the raw hardware.  It's just the protected instructions are
trapped.


http://en.wikipedia.org/wiki/Self-modifying_code#Interaction_of_cache_and_self-modifying_code

It sounds like it isn't an issue at this point.  My understanding is
that originally you got burned if the instruction had already been
loaded into the chip cache.

Re: The infamous email shuffle words virus or something

"Loren Pechtel" wrote:


I'm sure you're right about the trapping of interrupts, I/O calls and
other privileged instructions, but I'm not so sure about emulation for
16-bit. The processor would need to switch modes, and looking at the
exports from ntvdm.exe, with functions like GetAX, SetAX and similar
routines for all the other registers and flags, makes me think there is
emulation.



Re: The infamous email shuffle words virus or something



Emulation runs *MUCH* slower than the raw hardware.  The DOS box
doesn't.  The chip supports 16-bit operation directly; there is no
need of emulation.  Only the protected instructions are emulated.

Re: The infamous email shuffle words virus or something

"Loren Pechtel" wrote:


I've learnt something by your challenging my preconceptions.
Apparently mode switching is not the problem I thought it would be.

Further checking on how ntvdm works shows that it does indeed run
V86-mode on x86. On a different architecture it has to use full
emulation which might explain those exports I noted.

"When Windows NT is running on an Intel 486 or higher processor, a
 processor mode called Virtual-86 mode is available. This mode allows
 direct execution of most instructions in an MS-DOS-based application.
 A few instructions (such as I/O instructions) must be emulated in
 order to communicate with the hardware. On RISC processors, NTVDM
 emulates all Intel 486 instructions in addition to providing a
 virtual hardware environment".

http://www.microsoft.com/resources/documentation/windowsnt/4/workstation/reskit/en-us/archi.mspx

(In the "MS-DOS Environment" section near the end)



Re: The infamous email shuffle words virus or something



It's not cheap but it's an awful lot cheaper than emulating everything
would.  I've hit one case where it was really bad--graphics.

I was using VMWare which for most purposes is excellent.  (As I write
this I'm in a VMWare machine, in fact.  All web access that I can is
isolated in the VM, it's much easier to restore than a whole machine
would be.)  It can't do graphics, though--under normal conditions you
install a supplied video driver that works fine for anything other
than gaming.  This only works inside Windows, though--dos boxes are
another matter.  Trying to run ordinary 25x80 text mode was slow
enough to really bug me when typing.  Trying to run a program that
used 800x600x256 graphics mode was out of the question.

Microsoft's Virtual PC performed better in this situation but it was
still ugly.

Note that this was some time ago, it might work better on modern
hardware but the need to run the legacy app is now gone, I haven't
tried it.

Re: The infamous email shuffle words virus or something


Ant, you can fool a lot of people talking like that, but you can't
fool me.  You sound pretty foolish in fact.  "makes me think" LOL
that's a good B.S. catchall phrase, as you can always back out and say
"it looked that way".  As for virtual machine, why don't you use
Google?  http://en.wikipedia.org/wiki/Virtual_machine and see below.
In short, here is the killer sentence that refutes your position: "The
standard x86 processor architecture as used in modern PCs does not
actually meet the Popek and Goldberg virtualization requirements.
Notably, there is no execution mode where all sensitive machine
instructions always trap, which would allow per-instruction
virtualization."

Just like Loren Pechtel said.

RL

http://en.wikipedia.org/wiki/Virtual_machine#Emulation_of_the_underlying_raw_hardware_.28native_execution.29

Emulation of the underlying raw hardware (native execution)

This approach is described as full virtualization of the hardware, and
can be implemented using a Type 1 or Type 2 hypervisor. (A Type 1
hypervisor runs directly on the hardware; a Type 2 hypervisor runs on
another operating system, such as Linux). Each virtual machine can run
any operating system supported by the underlying hardware. Users can
thus run two or more different "guest" operating systems
simultaneously, in separate "private" virtual computers.


The standard x86 processor architecture as used in modern PCs does not
actually meet the Popek and Goldberg virtualization requirements.
Notably, there is no execution mode where all sensitive machine
instructions always trap, which would allow per-instruction
virtualization.

Despite these limitations, several software packages have managed to
provide virtualization on the x86 architecture, even though dynamic
recompilation of privileged code, as first implemented by VMware,
incurs some performance overhead as compared to a VM running on a
natively virtualizable architecture such as the IBM System/370 or
Motorola MC68020. By now, several other software packages such as
Virtual PC, VirtualBox, Parallels Workstation and Virtual Iron manage
to implement virtualization on x86 hardware.

Intel and AMD have introduced features to their x86 processors to
enable virtualization in hardware.

Re: The infamous email shuffle words virus or something

"RayLopez99" wrote:

On May 25, 10:15 pm, "Ant" wrote:


The intent is not to fool but to learn.


Not as foolish as you sound for quoting something irrelevant.


So what?


It doesn't refute what I said at all. In fact it makes full emulation
more likely. In any case, I doubt they are considering ancient 16 bit
instructions.


Nothing to do with what he said.



Re: The infamous email shuffle words virus or something


Under an NT-based OS, it's completely emulated. 16-bit apps are NOT
directly talking to the hardware; Windows is the phonebank.



Re: The infamous email shuffle words virus or something

"Dustin" wrote:



Apparently not (on x86).


True.



Re: The infamous email shuffle words virus or something



As I've learned. Thanks for the educational update. [g]
 

It's a nice emulation effect tho. A CMOS view/dump/backup/restore util
I wrote years ago seems to perform its functions, but the amusing
kicker is the changes are in that ntvdm.exe session only. If I open
another console and run another copy, it doesn't know anything about
any changes and shows me the old CMOS before I edited it. Saving my
results is shown to work, but only for as long as the session is open.
The second I close that console, the "change" is lost.

Interestingly enough, int13 appears to actually work on floppy
diskettes. The changes persist, they are actually written over to the
floppy. heh.



Re: The infamous email shuffle words virus or something

wrote:


The hardware access is fully emulated but most everything else
executes on the chip directly.

Re: The infamous email shuffle words virus or something



I wouldn't say it's self modifying in the strictest sense, no. The
thing with self altering code vs data re-arrangement tho is that most
resident virus suites/scanners/whatever go ape shit in a hurry now.
 

It's just supposed to demonstrate what you should see when your
protection of choice actually sees something. It's saddening that it
ever had to be created in the first place, but that's the majority for
you.
 




Re: The infamous email shuffle words virus or something

wrote:


The EICAR file is self-modifying as you can't code an Int 21h with the
permitted character set.  Thus the Int 21h instruction must be created
mathematically and then written to the code.


The majority??  It's a *TINY* percentage of people that write the
hostile stuff.

Anyway, it's not so much about what you should see as testing that
your protection of choice is actually working.  Type it in and it
should get zapped.
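As an added illustration, not part of any post in this thread: the Python below replays the register arithmetic of the EICAR .COM prologue (taken from the published 68-byte string) to show how the INT 21h and INT 20h opcodes are computed and written over the trailing "H+H*" bytes, which a printable-ASCII file could never contain literally. The walk-through and helper names are mine, not from the posters or from EICAR.

```python
# Added example (not from the thread): replay the arithmetic the EICAR
# test file uses to build its INT 21h / INT 20h opcodes at run time.
# The 68-byte image is the published EICAR string; everything else is
# a hand walk-through of its .COM prologue.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

COM_BASE = 0x100   # DOS loads a .COM image at CS:0100h


def is_printable_ascii(data: bytes) -> bool:
    """True when every byte is in 0x20..0x7E, so 0xCD (INT) cannot appear."""
    return all(0x20 <= b <= 0x7E for b in data)


def rd16(mem: bytearray, off: int) -> int:
    """Read a little-endian 16-bit word."""
    return mem[off] | (mem[off + 1] << 8)


def wr16(mem: bytearray, off: int, val: int) -> None:
    """Store a little-endian 16-bit word."""
    mem[off], mem[off + 1] = val & 0xFF, (val >> 8) & 0xFF


def decode_eicar(image: bytes = EICAR):
    """Emulate the prologue's register arithmetic and the two SUB [BX],SI
    stores that overwrite "H+H*". Returns (patched image, DOS message)."""
    mem = bytearray(image)
    ax = 0x0000                                  # POP AX: DOS pushes 0000h
    ax ^= 0x214F                                 # XOR AX,214Fh
    saved = ax                                   # PUSH AX
    ax &= 0x4140                                 # AND AX,4140h
    bx = ax                                      # PUSH AX / POP BX -> 0140h
    ax = (ax & 0xFF00) | ((ax & 0xFF) ^ 0x5C)    # XOR AL,5Ch
    dx = ax                                      # PUSH AX / POP DX -> text
    ax = saved                                   # POP AX
    ax ^= 0x2834                                 # XOR AX,2834h -> AH=09h
    si = ax                                      # PUSH AX / POP SI
    for off in (bx, bx + 2):                     # SUB [BX],SI; INC BX; INC BX; SUB [BX],SI
        a = off - COM_BASE
        wr16(mem, a, (rd16(mem, a) - si) & 0xFFFF)
    # JGE then lands on the freshly written INT 21h (AH=09h prints DS:DX).
    start = dx - COM_BASE
    message = bytes(mem[start:mem.index(b"$", start)])
    return bytes(mem), message


if __name__ == "__main__":
    patched, msg = decode_eicar()
    print(msg.decode(), patched[0x40:0x44].hex())   # ... cd21cd20
```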

Re: The infamous email shuffle words virus or something



The majority as I intended was the lamer end users, not the malware guys.
I'm aware of the percentage and a considerable amount more with regard to
the malware scene. I was er, one of them once...
 

I shouldn't have to "test" my protection. [g]
 




Re: The infamous email shuffle words virus or something

Dustin wrote:

I never really considered it a test of anything. I only recommended it
to people so that they could see what an alert looks like coming from
their "protection" program. They would be less likely to fall for some
fake-AV script telling them "Blah AV has found suspicious activity and
will scan your system [OK(okay)|X(still ok)]" if they knew what a real
alert looks like.

To really test an AV you need a wide variety of confirmed real malware
to throw at it.


Re: The infamous email shuffle words virus or something



That's my point, I think. I just didn't consider that people would need
to see the alarm going off to know it was... Stupid move on my part, I
suppose.

Was the test file planned prior to Doren Rosenthal's shareware virus?
 



Re: The infamous email shuffle words virus or something

Dustin wrote:

I don't know. Probably because of them/it. I don't think people were as
likely to ever see a real bona fide alert back then, and they *did* want
to be reassured that the "protection" was doing *something* besides
costing them money. :o)

