

Topic created on: May 4, 2008 13:16 CDT by shakuni.
There is this tool that fetches the list of all the running processes and then flags all those processes that are dangerous. Now getting the list of all the running processes is trivial and has been discussed on the forums infinite times. What I ask is how the tool decides whether a process is dangerous or not. My first thought was that this tool monitors all the API calls of all the processes and then based on that info it determines the dangerous processes, but this can't be true since system processes use almost the same APIs that are used by dangerous processes (like accessing registries and files on disk etc.). Any ideas? (otherwise I would have to reverse the program myself to find out how it does that)
heuristics and suggestions. this is what does not work - it just sucks and gives a lot of false positive alarms, but users love it :=]
however, any process using the OpenProcess/VirtualAllocEx/WriteProcessMemory/SetThreadContext sequence is definitely something you don't want to have on your PC :=]
the problem is: windows doesn't allow you to find a process like this in a "fair" way, so your monitor-tool has to intercept certain APIs, maybe even natives or kernel calls. any error in the monitor and... say goodbye to the OS. crash, crash, crash. so, don't write a monitor-tool. they're either useless or bring more problems than malware
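An added example (not code from this thread or from any real product) showing the difference between the two ideas above: flagging on a single API, which shakuni rightly suspects would hit system processes too, versus flagging on the ordered call chain Nezumi names. It assumes a monitor has already produced a per-call trace in a constructed "pid= image= api=" line format; the trace lines, pids and image names below are made up for the demo.

```python
import re
from collections import defaultdict

# The call chain Nezumi mentions, in the order it has to appear in one process.
INJECTION_SEQUENCE = ("OpenProcess", "VirtualAllocEx",
                      "WriteProcessMemory", "SetThreadContext")

# Constructed sample trace (chronological, one API call per line). Three
# processes: a system-ish one touching registry/files, a debugger that also
# opens and writes another process, and one that walks the full chain.
SAMPLE_TRACE = """\
pid=1204 image=svchost.exe api=RegOpenKeyExW
pid=1204 image=svchost.exe api=CreateFileW
pid=3320 image=unknown1.exe api=OpenProcess
pid=1204 image=svchost.exe api=ReadFile
pid=3320 image=unknown1.exe api=VirtualAllocEx
pid=2210 image=debugger.exe api=OpenProcess
pid=3320 image=unknown1.exe api=WriteProcessMemory
pid=2210 image=debugger.exe api=ReadProcessMemory
pid=2210 image=debugger.exe api=WriteProcessMemory
pid=3320 image=unknown1.exe api=SetThreadContext
"""

LINE_RE = re.compile(r"pid=(\d+)\s+image=(\S+)\s+api=(\S+)")


def parse_trace(text):
    """Return a list of (pid, image, api) tuples; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events


def processes_using(events, api):
    """The naive rule: every pid that ever called `api`. Demonstrates the
    false-positive problem, since OpenProcess/WriteProcessMemory are also
    used by legitimate tools such as debuggers."""
    return {pid for pid, _image, called in events if called == api}


def find_sequences(events, sequence=INJECTION_SEQUENCE):
    """Return {pid: image} for each process whose own call stream contains
    `sequence` as an ordered subsequence. Other calls may be interleaved,
    and calls from other processes are ignored (state is kept per pid)."""
    progress = defaultdict(int)   # pid -> index of the next expected API
    flagged = {}
    for pid, image, api in events:
        if pid in flagged:
            continue
        if api == sequence[progress[pid]]:
            progress[pid] += 1
            if progress[pid] == len(sequence):
                flagged[pid] = image
    return flagged


if __name__ == "__main__":
    ev = parse_trace(SAMPLE_TRACE)
    print("uses OpenProcess:", sorted(processes_using(ev, "OpenProcess")))
    print("full chain:", find_sequences(ev))
```

Running it shows that the single-API rule flags the debugger as well, while the ordered-chain rule flags only the process that completed all four steps. The sequence check is deliberately order-sensitive: a process that merely reads another process's memory after OpenProcess never advances past the first step.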
Nezumi is correct.
Many "Monitoring tools" use what I will call "pure signature" based scanning based on recognized "bad bytes" of malicious software. These bad byte sequences can include wildcards to allow matching a family of malware.
Speedbump for signature scanning: packing, encryption, obfuscation.
Solution for packing, encryption, obfuscation:
heuristics, unpacking, un-encrypting.
Problem for unpacking, un-encrypting:
Knowledge of which algorithm/utility was used to pack, encrypt.
Problem for heuristics:
false positives
Tools can also use heuristic scanning.
By and large heuristics are a risky method of detection and they are used less and less nowadays, because security tools use the same mechanisms as the bad guys.
Heuristics also break down a little further:
Signature heuristics is scanning a file for recognized sequences of behavior, based on code bytes that perform certain behaviors:
One example of behavior is zeroing out a register-
xor eax,eax
sub eax,eax
mov eax, 0
Note that more than one byte sequence equates to the same behavior. Specifically in the above example there are 3 ways to zero out EAX. In addition, note that one behavior is not necessarily one assembly instruction (as in the example). One behavior could be a complex collection of assembly commands.
If the security tool notices enough of these behaviors and in the right combination it throws a red flag that the target of the scan is probably evil.
Then there's executing behavior scanning. In this case the security software has hooked system APIs and other low level mechanisms and watches for actions taken by executables. The right combination will again set off red flags.
Finally there's sandboxing. This is kind of like the above but it's more thorough and can be used to combat encryption and packing. The security tool emulates the target environment (likely Windows itself) well enough that the malware will execute thinking it's on the machine. The malware then unpacks/unencrypts itself and the scanning engine of the security tool can now recognize things. In addition the behavior based capabilities of the security tool are employed until the executable is finished running. The security tool then decides based on behavioral scoring whether the executable is malware. Usually sandboxing is only done on-demand because it is resource intensive.
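An added example (not code from this thread or from any real scanner) of the "signature heuristics" idea in the post above: one behavior expressed as several alternative byte encodings, wildcard bytes for matching a family, and a score that only flags when enough behaviors pile up. The zero-EAX variants are the three instructions listed above in their real x86 encodings (xor eax,eax is 31 C0 or 33 C0; sub eax,eax is 29 C0 or 2B C0; mov eax,0 is B8 00 00 00 00). The second signature, the weights, the threshold and both sample buffers are constructed for the demo.

```python
from dataclasses import dataclass

WILD = None  # a wildcard byte inside a pattern


def parse_pattern(text):
    """'B8 ?? ?? ?? ?? FF D0' -> [0xB8, None, None, None, None, 0xFF, 0xD0]"""
    return [WILD if tok == "??" else int(tok, 16) for tok in text.split()]


@dataclass
class Signature:
    name: str
    weight: int     # how much one hit contributes to the score
    variants: list  # alternative byte patterns that all express this behavior


SIGNATURES = [
    # One behavior, five encodings: the three zero-EAX forms from the post.
    Signature("zero_eax", 1, [parse_pattern(p) for p in
                              ("31 C0", "33 C0", "29 C0", "2B C0", "B8 00 00 00 00")]),
    # Constructed family signature: mov eax, <any imm32>; call eax.
    # The four ?? bytes let one pattern cover every immediate value.
    Signature("call_via_eax", 2, [parse_pattern("B8 ?? ?? ?? ?? FF D0")]),
]


def match_at(buf, pos, pattern):
    """True if `pattern` matches `buf` at offset `pos` (wildcards match any byte)."""
    if pos + len(pattern) > len(buf):
        return False
    return all(p is WILD or buf[pos + i] == p for i, p in enumerate(pattern))


def scan(buf, signatures=SIGNATURES):
    """Return {signature name: [offsets where any variant matched]}."""
    hits = {}
    for sig in signatures:
        hits[sig.name] = [pos for pos in range(len(buf))
                          if any(match_at(buf, pos, v) for v in sig.variants)]
    return hits


def score(buf, signatures=SIGNATURES, threshold=3):
    """Weighted behavior score and whether it crosses the flagging threshold.
    A single common idiom (zeroing a register) should not be enough on its own;
    that is what the threshold is for."""
    hits = scan(buf, signatures)
    total = sum(sig.weight * len(hits[sig.name]) for sig in signatures)
    return total, total >= threshold


# Constructed sample buffers (not real malware).
# xor eax,eax ; nop ; mov eax,0x12345678 ; call eax ; sub eax,eax ; ret
SAMPLE_SUSPICIOUS = bytes.fromhex("33 C0 90 B8 78 56 34 12 FF D0 2B C0 C3")
# push ebp ; mov ebp,esp ; xor eax,eax ; pop ebp ; ret  (an ordinary function)
SAMPLE_BENIGN = bytes.fromhex("55 8B EC 33 C0 5D C3")


if __name__ == "__main__":
    for name, buf in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, scan(buf), score(buf))
```

The benign buffer gets one zero_eax hit and a score of 1, below the threshold, which is the post's point about false positives: a behavior signature for register zeroing matches practically every compiler-generated function, so a scanner has to require a combination of behaviors before it raises a flag. Packing or encryption defeats this scanner outright, since none of the patterns are visible in the stored bytes until the code is unpacked.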
I would just like to add that with Vista SP1, you don't need to write native API hooks anymore (which have always been a bad idea).
The Ps* process monitoring APIs have been greatly enhanced, and the addition of Ob* handle filtering APIs make various kinds of hooks easy to do natively.
(Note: Vista RTM already adds a newly improved registry filtering mechanism, and makes file system filtering even better).