
Good Virus--Bad Virus


WaxfordSqueers
May 16th, 2004, 19:44
Hi,

I know there are certain signatures in files that set off a virus checker. There are several in the RCE-CD contents. One I just came across is in SEHALL.ZIP. The virus referred to is VIRTOOL.WIN32.TRACER and it's in ring32.exe of the zip file OWL-SEH.zip.

I know OWL is a good guy and I've come across this situation before. But I find references to pseudo-viruses like VIRTOOL.WIN32.Tracer on the net as if they are real viruses (Virii). How do I tell the difference between a malicious virus and one that just happens to have the signature of a virus?

I've used the search engine extensively to find answers to this but don't see anything.
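Added example, not code from the thread or from any of the tools named in it: a minimal wildcard byte-signature scanner of the kind AV engines of this era relied on. It shows the mechanism behind the original question: a signature that only describes a common code idiom (here the x86 SEH frame install, which every SEH tutorial binary and most compiler output contains) fires on a perfectly legitimate file. The signature name, the hex pattern and both sample "files" are constructed for the demo and correspond to no real detection.

```python
"""Added example (not from the thread): wildcard byte-signature scanning and the
false positive it produces on a benign file containing a common code idiom."""
import re

# Constructed signature (NOT a real AV pattern): the standard SEH frame install
#   mov eax, fs:[0] ; push <anything> ; mov fs:[0], esp
# written as a hex string; '??' is a one-byte wildcard covering the push.
DEMO_SIGNATURES = {
    "Demo.SEHInstall": "64 a1 00 00 00 00 ?? 64 89 25 00 00 00 00",
}


def compile_signature(hexsig):
    """Turn '64 a1 ?? 89' into a bytes regex; '??' becomes 'any single byte'."""
    parts = []
    for tok in hexsig.split():
        parts.append(b"." if tok == "??" else b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data, signatures=DEMO_SIGNATURES):
    """Return [(signature name, offset), ...] for every hit in `data`."""
    hits = []
    for name, hexsig in signatures.items():
        for m in compile_signature(hexsig).finditer(data):
            hits.append((name, m.start()))
    return hits


def scan_file(path, signatures=DEMO_SIGNATURES):
    """Scan a file on disk with the same signature set."""
    with open(path, "rb") as fh:
        return scan(fh.read(), signatures)


# Constructed sample 1: a benign SEH demo binary, 64-byte stub header followed
# by the frame-install idiom (push eax as the wildcarded byte) and a ret.
SEH_INSTALL = bytes.fromhex("64 a1 00 00 00 00 50 64 89 25 00 00 00 00")
BENIGN_TOOL = b"MZ" + bytes(62) + SEH_INSTALL + b"\xc3"

# Constructed sample 2: same header, no exception frame anywhere.
CLEAN_FILE = b"MZ" + bytes(62) + b"no exception frame in this one"


if __name__ == "__main__":
    # The SEH tutorial trips the signature at offset 64; the clean file does not.
    print("benign tool:", scan(BENIGN_TOOL))
    print("clean file: ", scan(CLEAN_FILE))
```

The point for triage is that a hit on an idiom signature like this one is weak evidence on its own: the scanner saw a byte sequence, not behaviour. Corroborating with a second engine, checking whether the vendor's name for the detection is in a "tool" category, and knowing where the file came from are what separate a real infection from a signature coincidence.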

dELTA
May 17th, 2004, 06:09
Yeah, the more recent versions of e.g. Symantec Antivirus have started to detect a lot of things like this. It even detects many keygens and cracks as "hacker tools", and also some normal computer security tools, very annoying. Symantec Antivirus 2004 has some settings for different categories of things to detect and not detect, and hopefully some other antivirus programs have this too. I'd turn off detection of all kinds of "hacker tools" and other crap like that if I were you; it's only annoying and doesn't reduce any dangers at all.

As you see in the name of the detected item of yours, it is called a "virtool". Most of the time, you can safely ignore any warnings about anything it calls a "hacker tool", "virus tool" or anything like that.

WaxfordSqueers
May 17th, 2004, 18:38
Quote:
[Originally Posted by dELTA]As you see in the name of the detected item of yours, it is called a "virtool". Most of the time, you can safely ignore any warnings about anything it calls a "hacker tool", "virus tool" or anything like that.


Thanks for confirming my suspicions. I've seen references to so-called hacker tools on anti-virus sites but they lump them in with all the other malicious viruses. They should list friendly virii, like the one that infected systems to undo the damage done by MSBlaster. Then again, they're all so paranoid, and so ill-informed as to hacking/cracking, that we are all viewed with a jaundiced eye.

nikolatesla20
May 17th, 2004, 22:09
Quote:
[Originally Posted by WaxfordSqueers]Thanks for confirming my suspicions. I've seen references to so-called hacker tools on anti-virus sites but they lump them in with all the other malicious viruses. They should list friendly virii, like the one that infected systems to undo the damage done by MSBlaster. Then again, they're all so paranoid, and so ill-informed as to hacking/cracking, that we are all viewed with a jaundiced eye.



Don't know if I'd go as far as to say that they are uninformed to hacking/cracking. These guys are on top of the game of RCE in my opinion, they have specialized in-house toolz to help them with their work even. I would not be surprised if some members of this board or of other hacking boards belong to the anti-virii companies. What better way to stay on top of things? (or hire a hacker to write a new virus for them j/k).

If we could apply the same technologies to unpacking and auto tools, as antivirus tools perform, we would have some insane power tools. Cracker tools need to start being stepped up a notch or two...for the future.

-nt20

WaxfordSqueers
May 18th, 2004, 00:51
Quote:
[Originally Posted by nikolatesla20]Don't know if I'd go as far as to say that they are uninformed to hacking/cracking. -nt20


I get your point. What I was getting at are those types who view reversers as bored teenagers without a life. My experience over the years has shown many reversers to have university training as programmers. Rumour has it that +Orc himself may have been such an academic.

When I first read Matt Pietrek's book on Windows, in which he went right into reversing (aptly calling it spelunking), what struck me was how he was straddling the border between the legal and illegal. He wasn't condoning anything illegal, but he was showing the reader how to go about it. It's similar to another book I read where an author teaches the reader how to make a submachine gun.

In a recent book, which I've only skimmed, Kris Kaspersky refers to reversers (hackers, he calls them) as criminals, yet he goes to great pains to demonstrate the internals of Softice and IDA. He shows how to defeat Softice, yet points out as well, how a reverser might overcome those tricks. He goes on to demonstrate unassembled code and how to read it. It's like he's saying, "hey all you criminals, here's the right way to do it". It's almost as if Pietrek and Kaspersky are crackers at heart. Ilfak (IDA) and Quine were actually corresponding at one point, through a mutual admiration, as I saw it.

It seems the elite have a warm spot in their hearts for reversers, but I'm not referring to that group. I'm talking about the crowd who are paranoid about reversers, and would see them all put in concentration camps. They don't appreciate the great skill involved, and that's what I mean by uninformed. Also, they miss the human element. I've never come across a mean-spirited person in the reversing community.

It would seem anyone with half a brain would admire the great work that has been done in the reversing community. Some of the cracks have been spectacular. But where there's a dollar to be lost, some people are going to behave hysterically. It's this mean-spirited childishness to which I refer. I guess they never identified with the spirit of Robin Hood, or Santa Claus, for that matter. :-)

doug
May 18th, 2004, 19:39
Quote:
[Originally Posted by nikolatesla20]Cracker tools need to start being stepped up a notch or two...for the future.

-nt20


imho, the power of their tools holds, in part, because they never leave the computer of their respective creators. (and well, they can afford a lot more development time)

There are several great cracking tools, but every time, their release brought a set of countermeasures that specifically targeted the tool.

95% of the protections I see on the market focus only on "public tools" and "common cracking techniques". I'm sure a lot of people here won't agree, but I guess that sometimes, keeping 'some' information to yourself is the only way to stay one step ahead of the protectionists

nikolatesla20
May 19th, 2004, 09:22
Quote:
[Originally Posted by doug]imho, the power of their tools holds, in part, because they never leave the computer of their respective creators. (and well, they can afford a lot more development time)

There are several great cracking tools, but every time, their release brought a set of countermeasures that specifically targeted the tool.

95% of the protections I see on the market focus only on "public tools" and "common cracking techniques". I'm sure a lot of people here won't agree, but I guess that sometimes, keeping 'some' information to yourself is the only way to stay one step ahead of the protectionists



Agreed. Excellent point. (How many release groups no doubt have highly efficient SafeDisc removal tools, etc.; prolly lots that are private).

However, I also was trying to just get a small bit of play here - what I mean to say is if the tools were more powerful, for example, using regular expression engines, or virtual execution engines even, combined with disassembler engines, the code could be made strong enough to keep up with a protection even if the author tried to change it. Point being most protections use a very broad foundation, and then they just build upon or change small things at a time to break a public tool. If that public tool is powerful enough to recognize the "foundation" of the protection then it will always work more effectively, even when up against protection code changes. For example, not using byte code searches, but using regular expression searches inside a disassembly engine. Looking for an execution pattern, not a code pattern. And the tool would have to allow end-user modification, to escape common detection. Allow the user to change its title, its filename, any window names, the works. Maybe even if it's debugger based, allowing the change of the style of breakpoint.

Yes, such a thing is mind-boggling and insanely complex it seems, but I do think it could be true in the future. I mean at least offering the more powerful abilities would always help.

Of course if this tool belongs to "a group" it would still be effective even if private..

And keeping a tool private will always make it more effective, but not necessarily more "powerful".

-nt20
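Added example, not code from the thread or from any tool it mentions: the contrast nikolatesla20 draws between a byte-code search and a regular-expression search over a disassembly, written out as a small detection routine. The disassembly listings below are constructed in the style of a debugger's code window; both contain the well-known PEB.BeingDebugged check (`mov reg, fs:[30h]` followed by `movzx reg, byte ptr [reg+2]`), the kind of idiom an analyst wants flagged in a sample. Listing B uses different registers and an interleaved nop, so the raw bytes differ while the execution pattern does not. The line format, the register normalisation and the pattern syntax are all assumptions of this demo.

```python
"""Added example (not from the thread): byte search versus execution-pattern
search over a normalized instruction stream. Listings are constructed."""
import re

# Constructed listing A: BeingDebugged check through eax.
LISTING_A = """\
00401000  64 A1 30 00 00 00     mov eax, fs:[30h]
00401006  0F B6 40 02           movzx eax, byte ptr [eax+2]
0040100A  85 C0                 test eax, eax
0040100C  75 10                 jne 0040101E
"""

# Constructed listing B: same check, other register, padding nop in between.
LISTING_B = """\
00402000  64 8B 0D 30 00 00 00  mov ecx, fs:[30h]
00402007  90                    nop
00402008  0F B6 41 02           movzx eax, byte ptr [ecx+2]
0040200C  85 C0                 test eax, eax
0040200E  75 20                 jne 00402030
"""

# "address  bytes  mnemonic operands" (assumed listing format for this demo)
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}\s)+)\s*(\w+)(?:\s+(.*))?$")
REG_RE = re.compile(r"\b(e?[abcd]x|e?[sd]i|e?[sb]p|[abcd][lh])\b")
NUM_RE = re.compile(r"\b(?:[0-9][0-9A-Fa-f]*h?|[0-9A-Fa-f]+h)\b")


def parse(listing):
    """Return [(address, raw bytes, mnemonic, operand text), ...]."""
    insns = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, hexbytes, mnem, ops = m.groups()
        insns.append((int(addr, 16), bytes.fromhex(hexbytes), mnem.lower(), (ops or "").strip()))
    return insns


def normalize(ops):
    """Collapse register names to REG and numeric literals to IMM."""
    return NUM_RE.sub("IMM", REG_RE.sub("REG", ops))


def byte_search(listing, signature):
    """Code-pattern search: exact bytes, so any re-encoding of the check breaks it.
    Assumes the listing is contiguous, so blob offset maps to an address."""
    insns = parse(listing)
    blob = b"".join(raw for _, raw, _, _ in insns)
    idx = blob.find(signature)
    return None if idx < 0 else insns[0][0] + idx


def pattern_search(listing, pattern):
    """Execution-pattern search: regex over 'mnem normalized-operands; ' tokens.
    Returns the address of the first instruction of the match, or None."""
    insns = parse(listing)
    text, starts = "", []
    for _, _, mnem, ops in insns:
        starts.append(len(text))
        text += f"{mnem} {normalize(ops)}".strip() + "; "
    m = re.search(pattern, text)
    if not m:
        return None
    idx = max(i for i, s in enumerate(starts) if s <= m.start())
    return insns[idx][0]


# Byte signature lifted from listing A's first two instructions.
SIG_A = bytes.fromhex("64 A1 30 00 00 00 0F B6 40 02")

# Execution pattern: read fs:[imm], then (after at most two other instructions)
# load a byte at [reg+imm]; register choice and padding no longer matter.
PEB_CHECK = r"mov REG, fs:\[IMM\]; (?:[^;]*; ){0,2}movzx REG, byte ptr \[REG\+IMM\]; "


if __name__ == "__main__":
    for name, listing in (("A", LISTING_A), ("B", LISTING_B)):
        print(name, "bytes:", byte_search(listing, SIG_A), "pattern:", pattern_search(listing, PEB_CHECK))
```

The byte signature hits listing A only; the normalized pattern hits both, which is the "foundation" recognition the post argues for. A real engine would normalize far more (memory operand forms, instruction aliases, jump targets) and would match on a control-flow graph rather than a linear listing, but the layering is the same: disassemble, canonicalize, then match.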

qsmt
June 26th, 2004, 15:07
just wondering if anyone tried to scan the rce-cd with housecall from trendmicro. while norton only found 2 virii, one of which was a hackerTool, housecall claimed this:

PE CHAMPAGNE-------+Sandman\Files\TheChopper.exe

TROJ ANSIBOMB.20----Gthorne.zip Layer4 ANSIB20.EXE

TROJ VZMNUKER.A-----Gthorne.zip Layer2 vzmnuker.exe

WM DEMONSTRATE----Gthorne.zip Layer3 DMV.DOC

XM DMV.B-------------Gthorne.zip Layer3 DMVEXCEL.XLS

HLLP.4631-------------ImmortalDesendants.zip Layer2 ld20kg.exe

Possible Virus----------LordLucifer.zip Layer2 STNRINGO.EXE

Possible Virus----------Stone.zip Layer2 STNRINGO.EXE

HLLP.4631-------------tornado.zip Layer2 ld20kg.exe

i have not gone through the whole content of the cd yet. so maybe these are virii or asm tutorials. perhaps housecall freaks out on these types of files. i don't know much about this type of stuff but i figured i would point it out in case it could be of interest to some others.

FYI: i downloaded the rce-cd contents from the woodmann/RCE-CD page. also scan was done before unzipping.

i shout thanks to all who share their knowledge,
qsmt

WaxfordSqueers
June 27th, 2004, 20:30
Quote:
[Originally Posted by qsmt]while norton only found 2 virii,

I scanned it with AVP and it turned up only the Win32.virtool type virii listed above. As I said in my original post, many of those types are flagged because of the abnormal way in which they are written. Since Norton only found two, and AVP picked out only virtool types, it would seem safe to assume the detections are anomalies. Then again, it's a chance you take.

I've run those with virtool-flagged virii before with no infection. In fact, if you check out the type flagged by AVP, you can't find descriptions for them anywhere on the net. It seems to be picking up virus signatures and not actual virii.

One of those included by you was Greythorne's ansibomb. He is a smart dude who wrote his own stuff and that's probably why Trend's virus program flagged it. Since many of those programs are quite dated, it wouldn't hurt to delete them to be on the safe side.

BTW...IMHO...AVP is still one of the best out there.