Page 1 of 2 12 LastLast
Results 1 to 15 of 20

Thread: The fully Automated "VirusBusterKit" - A Hype or Reality?

  1. #1

    A fully Automated "VirusBusterKit" - A Hype or Reality?

    Hi guys!,
    myself NickyBlue from India. I came here with a proposal to design a fully automated VirusBusterKit for windows platform. I'll be shedding more light on this proposal (or project) but first give me few days to check this sites topics, or be acquainted with folks here.


    Thank you
    NickyBlue (aka DarkAvenger: The Resurrection)


    error corrected
    Last edited by NickyBlue; October 13th, 2012 at 10:20.

  2. #2
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    Quote Originally Posted by NickyBlue View Post
    A Hype or Reality?
    I'm going to jump the gun and guess Hype.

  3. #3
    And may I ask you humbly why such negative guess Mr. disavowed? Any concrete basis or its really just a wild guess or comment? ;-)

    Lots of unreasonable and illogical things existing in this world or internet without any base, Why not one more? Illegal I won't say cause its doesn't make sense. After all if we are the folks responsible for all things then legality or illegality of thing don't make any sense.

    And even if I am not that much comp literate as you might be or folks here but it don't seems so unreasonable or unbelievable to me, Its all about a logical interpretation of instructions. Which you all expert at. There's no magic in that, is there? or am I assuming things?

    reply anticipated


    Chupne wale samney aa, chup chup ke mera ji na jala
    Suraj se kiran badal se pawan, kab talak chupegi yeh toh bata - 2
    ... coutrsey UltimateDJ
    Last edited by NickyBlue; October 12th, 2012 at 15:34.

  4. #4

    Question

    Hello folks,
    Since our malware expert Mr. disavowed has already expressed his thoughts and I am seeing some hits over here in such short time. So I think I should ask you about your opinions as well.

    What you think? Is it possible to create such solution? I mean Hype or Possibility?

    And yeah one more thing if possible pls do provide some reason behind your thoughts. At least it'll reduces wild or thoughtless guesses. Just one or two line if you pls. I might wanna say something about it or clarify it. Not an expert but I sure'll try my best and the main thing is I myself might be playing fool with myself in assuming such thing can be accomplished.

    And yeah this time we are here talking about executables right? not .NET or macro or vb script. But the thing is that if you can do it with EXE's which everybody on net promotes as very typical to handle then it won't be that much problem to move the basic logic to suit other type of things as well. And sure we are talking about unknown most typical malware. Polymorphic, metamorphic or whatever you can them with. Most typical right! ...smile.

    Thanking you

    Reasonable replies anticipated!

    NickyBlue
    Last edited by NickyBlue; October 12th, 2012 at 20:57.

  5. #5
    Let me elaborate a little bit more. Actually its something I created on fly to show someone the idea, might help you as well to get what it is all about, Not a final copy though. I mean I am after something like this. And this report also act as a browser (selector) to jump to particular location within the code display window. something like that.

    Name:  Threat-Report.gif
Views: 306
Size:  16.5 KB


    So is it possible to design something like this for typical unknown viruses or malwares?

    Just taking ideas or you can say collecting potential problems. Who knows might be solvable.

    And yes! now what you say Mr. disavowed, does this strengthen your previous guess more But pls do provide some reasons behind them. At least I can expect this from you. I seen somewhere within some forum that you're working as a malware analyst in some security firm for quite a time. So you don't make wild guess, do you? You must have been tackling all those problems and know or been using most of the best tool available for such purpose. So I think we can expect more than than one word reply from you, isn't it?

    thanks
    Last edited by NickyBlue; October 12th, 2012 at 21:38.

  6. #6
    Well,

    Since you deleted your second post, we have no idea what you
    wrote to elicit the response that disa gave.

    You better post some relevant stuff else I will take the word of
    a known virii, malware expert.

    You hear me chirping big bird ?

    Woodmann
    Learn Or Die.

  7. #7
    "You hear me chirping big bird ?"

    Is that the way you always talk to stranger Mr. woodman? And why you be talking any side anyway? Is there some sort of fight going on here? I call him Malware Expert cause I came to know through his own post that he is. Why you taking anybody's side? I just asked for his thoughts or reasons. So I might tell him my own thinking about it. Whats wrong in it? I am not cracking joke on him like the way you seem to enjoy Mr woodman. What's this? You have opened some sort of personnel battle field over here on net? Why you take every thing to be comment Mr. woodman. Not everybody has that style especially when they refer to strangers unless stranger themselves doesn't cross some limit. And tell you my honorable friend I got very big limit or absorbers for such purposes. Do you know me? I sense something. I might be in the wrong place again then.

    And as far as second post you talk about deleted is. It was regarding request for some probable like minded friends who might like to contribute or help try building such thing. But I thought its too premature or might look funny so I deleted it. I don't have copy but you can check your server for that.

    Nicky

    And yes Mr. woodman if there's some private msging mechanisum then pls do use it or inform me so that we don't create mess here. I am new on net so dunno know much about all these things.

  8. #8

    As Above

    Hello,

    Your idea of building a VirusBusterKit is very ambitious. More power to you.

    But if you're saying that it's going to be only for EXE and DLL files, then it does seem a bit limited in scope. Also, remember that Symantec and McAfee themselves, with all resources behind them, sometimes fall to the latest virus and latest malware. There is no available engine and/or kit, which takes care not only all types of virus and malware, but also of unknown, future variety type. In short, that PERFECT VirusBusterKit does not exist. It's always a struggle between the AV and Virus writers. Sometimes, one is on the top - just a matter of state.

    That is, perhaps, why Disa mentioned "Hype"

    To understand how much you really know about malware, perhaps you should start by enumerating the many WAYS in which malware can get into your system. If you don't know about that, you are just "another guy with big ideas".

    This point, that you are just "another guy with big ideas" is strengthened by the fact that you mention you're going to do this with EXE and DLL, but leave other types of malware because "same principles can be applied to other types". This smacks of sheer laziness. Or lack of knowledge. Or both. Hence, it's categorized as Hype.

    Finally, note your multiple posts. There are volumes of words, most of them trying to be "cutesy" and "energetic" - and more in place on a social networking site than a board. The actual discussion about the tools you are asking are lost in the cacophony of your posts that are in no way related to the question or answers you are getting.

    We are all happy to help you. But you have just been asking "metaphysical" questions - is this possible, is this not possible, why do I exist, et al. I don't see code, questions about code, or the areas where you are stuck. That is what you will need to give us over here.

    You have deleted your second post, but you were recruiting in that. You had asked for about 10 people on this board, 6 for coding and others for something else (can't remember) while you "headed" the process. If that's the case, just ask on the board then.

    Bottom line - either ask for help and provide the code and description to show that you have done work and are stuck and we will all help you.

    Right now, you sound like a school kid seeing naked breasts on the internet for the first time.

    And by the way - you spelled decrypting incorrectly in your screenshot.

    Have Phun
    Blame Microsoft, get l337 !!

  9. #9
    Hi Aimless,
    Nice for providing such descriptive response..at least it clarify the communication mix up happening. You understand my point. I mean I am not native English so its little bit typical thing for me. I have to construct sentences into my mind before I say. U understand What I am saying...Its another thing with our native language. So forgive my literal errors. And about the word "recruitment"...you know that's why I deleted that thing ...On later It started looking like that to myself as well. First to tell you. I am not from some company here to recruit somebody. Actually I just wanted to say the things I think wud be necessary to build such thing. But due to my English it not that easy for me as for you to do effective communication in that. Sometime.. u know...

    And secondly its just purely a hobby or some kinda open source project that I am thinking not commercial. I might even not be there after I complete my part or some other unforeseen personnel circumstances. And you are right about that Symantec and other Antiviruses products inability to detect all or the unknown viruses. Only my experience is rather more of a worst kind. To the extend that it really make me wonder sometimes that, are they really doing some heuristic there at all within their implementation or its all hype, no meat.

    Tell you the real example my own experience. I might not be formal computer educate like some of you but been using it for last 15 yrs or so. So I seen and heard everything they talk about during all this time but never found a valid proof which supports their claims. My machine is always being as vulnerable or getting easily infected no matter what product I used. Whenever I go..I mean there's a cyber cafe near my residence always equipped with up to date online virus scanner. But whenever I go there some thing is shipped backed to my system through USB stick. And to make thing more horror full what I found is that, the thing which have been able to bypass their antivirus protection or of mine's were just crap. I mean simple infectors. I got those samples somewhere in my computers, not all of them but few recent additions. My previous hard drive got hard crashed. Latest one was some cheapshit W32.Sality but its understandable its was some typical infector if not that stealthy. But before that it was ...what its name let me check out. ..I got that thing here with me... yeah Slug-in.A. That's one piece of primitive shit to remove. But to make thing more worse I couldn't find a cure for it on whole net at that time or anywhere. Even the cure I downloaded from AVG or anything came are to be not working. So in the end I have to write my own little program to remove it from my system. And you guess my problem I am not even a programmer. Since all my things or installers is on my hard drive so were already infected. I couldn't lose them. CD/DVD not so reliable here. Over all what I am saying if they have implemented some thing what they say how could such primitive infector bypass them. Or am I supposed to think I am some sort of criminal in this world so this whole world is conniving against me. And those state-of-the-art products are providing such privilege to worthless malicious code only on my system. Am I supposed to think that? I think that very pathetic or funny concept in itself to think in that line whichever way you see it. Okay tell me, you guys been working professionally on these things so you must had more wider experience than me. I mean I just know few which infiltrated or has been injected by some mischievous ppl into my system. But have you ever encountered ...anybody of you, that some antivirus product has detected some new malware. Totally new I mean? Except false alarms for various packers. I mean I never had that experience but rather contrary to it.

    And the thing is..most of you guys working in that field so must know the difficulty of that thing. If I have to check my system for such things I am afraid to say these IDA pro and whatever they are just I don't wanna say anything about that. I mean its really a mess working with them. Better that I re-install windows. It might not be problem for you guys you have been working with them since your college days and you are always into it cause its your profession but for a person like me. ...WOW! I don't think so. I need something more effective and easier to handle. The problem with me is more severe that I really suspect (or rather suspect is foolish word now) that there are some folks, very well reputed folks within my circle who are intentionally and unnecessarily creating problem into my system. And such type of intentional infiltration by somebody which is not supposed to do it at first place (use your goodness) is some sort of typical or metaphysical concept in itself to deal with. or in plain words a real real nuisance. You said you should know how some malware can come into your machine I tel you just a small part of it and how much nuisance it can be to handle it even that side of thing with IDA Pro or your Ollg dbg. Since now a days OS itself have blotted or memory constraints are not there like in old DOS days. So if I have to write a virus. I wudn't be infecting at the entry point. Better is to use export/import table, relocation table as guide to get such pointers or just decode the program to find a suitable point in-between more over I can do it in stag-erred way spreading the whole virus body among various call across the whole program. And if it wud have been a 30 MB file(not so rare now a days) it'll take a hell of a lifetime of yours to statically analyze that file in any latest current tool available be it IDA Pro or Ollg or whatever other disassembler, decompilers you got out there. And if you go on run time analysis you open yourself a hell of a new type of new problems ... what you guys call anti debugging or VM retaled issues. or whatever sensitive awareness thing. You just hitting the black box that something might come by negligence or magic to you to trap it. The problem will be more severe if its already installed into system. You all being doing all these things u know about the messiness or difficulty of problem. I wud rather kick computer out of my life.

    So what I want to say I have been in this shit for long, confronting lots of problem. Trouble shooting my home system. And I have some inherent love for computer or processor. That's why I read Intel manual out of my curiosity. I mean I am not computer professional why should I be interested in all that? But I do read them (SOME SOME) likea you read novel. Computer is my sort of hobby, liking not my profession. So I thought lot of folks doing open source this and that, so lets start something a hobby project nothing serious like that. I have a idea of building a code analyzer, sort of Virtual machine not in the line of Symantec pls but a real virtual machine kinda logic which can analyze the whole executable in a logical way. Like it is supposed to be executed within real system. But we don't run actual virus code. we calculate its results (instruction execution). We don't monitor things we interpret things like it is there.

    Such as decryption/ encryption or packer/unpacker, we create a logic which interpret the thing like you do when you are watching it in debugger. It don't run the routine under some VM. It must also have the ability step the whole description or unpacking or packing. Not some black box approach. If you use black box approach you bound to fail on occasionally. Yeah sometime or we provide options to speeding up the thing. Like decryption routine there is. We first beak it into individual loop. Then the analyzing code should be able to tell its both bounds or detect if this loop gonna create problem if run in single step ( I mean run). Like the anti-debugging tricks you encounter in your daily life. Not all anti-debugging tricks cause lots of it cease to exist in this mode. But like loop overwrite in between its execution could create a problem. So your analyzer have to be that smart if it had to do it fast way otherwise go the more reliable slower way. You guys always facing those things so I came here to collect various kinda problems that could be anticipated. That's why I started it as question... I think I started too early But yes we could be specific about those things like unpacking or decryption. Or decoder/encoder database ..like usually you keep instruction format to help aid dissembling instruction. But to have a better analysis we must have few more fields i.e instruction template/or simulation routines for some system instructions, Exception list and logic (can be build directly from Intel manual actually lots of other things as well) etc to simulate the real environment that is possible. And a good structured analysis database to store intermediate results and it should be designed such that we don't miss a single piece of information about its running condition. And I think its achievable to extreme where you need lot hell of a hard drive space to comfortable level where you need just few times the file size. Something like this... And you got to analyze things in logical way. For example you just can't start disassembling from entry point. There are various entry point present within header which can be executed first like one of your TLS code. You know all the things far more better that's where you wud be helping me cause you're already doing it what if manually. All I wanna say is to decode in logical way like always push the next instruction into temp stack and follow the call. Hit the error condition follow processor logic. Exceptional handler whatever... That way lots of problems can be handled automatically without much fuss. And decoding will be very true. There are some finer aspect but that you 'll be patching or taking care of as they come. Simple! I had some previous work which unfortunately or whatever I lost in my hard drive crash few months ago. Actually it wasn't the runnable project something of pseudo code style or actually C code but lacking some outer construct. Actually I builded all the necessary header files, Data structures, Processor database (almost completed that) but lost it. And moreover I forgotten most of them now...smile..Actually its a mode you working in at that time your mind thinks or breath that frequency. But if you leave computer for few months or year then it takes time to recollect. So I am going to start it again or already started in slow pace so most probably I'll be getting up in few...u know.. Yeah first thing I am gonna compile instruction database but since it takes undivided attention for full 1 or two weeks (now probably two) to devel that deep into the Intel or AMD manual especially for a guy like me so I am putting it off for some time. This time I am just recollecting or building my mind again about the whole concept.

    And again since I lack some formal computer knowledge ...like I reported that in 2nd post about header files. I wrote it because I am not comfortable with typical compiler directive cause never used them ..no need comes by. And if I have to do it by myself I wud really have to dig deep into their manuals which certainly not that much a easy task for me...will cost time.. And with parsing headers I mean I am not just interested in equates here..that this = this... u know I need or I think that whatever is their in the header files including compiler pre-processor directives I think our objective is to encode most of the logic into the database. I mean it more or less look like a compiler parsher has parshed it inot memory. But I think that kinda knowledge is needed to make analytical engine more reliable and effective. I am not thinking about creating some decompiler or disassembler or debugger. or an other virtual machine software like your Symantec ppl talk about but a simple code analyzer. Which can interpret or analyze the whole logic their is within the program. So escaping concept is not valid in our context. But the fact is if you have to create such so called simple analyzer you'll have to include all of these tools quality into one place place some more. That's one of the difficult thing about. It gonna be some huge coding to cover all those aspects. Some very typical routine to be coded but that where the fun in it or challenge. That's why I am trying it. That's the fun of having a hobby like this.

    Last of all its just a hobby project. If it completes, good! its gonna help myself! If not than I am not putting voucher against anybody for my wasted time. So you see how I have been doing it whenever I get time or mood I just think about it, open my VISUAL IDE. just put some more code or pseudo logic. otherwise just forget about that thing. I mean its not my necessity, I am not gonna startup something with that product. I am not gonna setup some lab like some of the you guys here. All I need such thing for my personnel use sometime. Actually tell Mr. Aimless. I don't have that much of a macro or vb script problem. Cause basically I don't use Microsoft word,excel or anything. I use simple Uedit for my edits or acrobat, HTML. I means these are the documents I usually use. VB script thing is easily stoppable and recognizable. .Net I don't have any such thing but Visual studio itself. Other things I use are media players, some DAW, DJ software I mean recreational software. So the basic problem is Exe for me. Sorry to be so selfish. But u understand that. And why I said that is ..I mean can be basic logic move to...actually I know you are also right they are different environment. But what I was talking they are all programming languages. They have some basic control construct. Its not about decoding instruction. Its about how to relate those instruction into a logic or entity? I can't find exact word for it but you get the idea.

    Okay lets complete it here...I mean ..but lets me ask you one simple question. We all talk about this polymorphism that thing. I seen them from DIE-HARD 2 to one-half...Darkavenger....seen those code. been into my system by the grace of folks around me ...haha. I mean never done details just loaded them within debugger or Sourcer diassembler famous at that time. And there decryption routines were so obvious once you fire it in debugger. They are all just garbage inserted everywhere within code body to achieve polymorphism at that time. Which if you think logically if your analyzer have been built in logical way. I mean real virtual machine kinda thing. The first time you encounter those faulty redundant opcodes you know there's something fishy about that. Compilers don't generate such kinda redundant or unnecessary opcodes. The problem was what what you should have interpreted like instruction you are interpreting likea some string even what if * pattern string. But my real question is, isn't it had been more appropriate to perfect our analyzer logic in the direction of detecting Executable infection routines rather than perfecting our other kinda heuristic detection whatever pattern or whatever not. Cause if its file infector less trojan kinda thing it got to have such infection mechanism. Which is its main inherent property rather than anything else. If you checking if its man or woman, you got to be looking somewhere else more appropriate, no? Second why is there never a mechanism is inbuilt into the various virus monitoring programs from such reputed companies to inform user if some executable is being appended or modified. That won't create much false alarms in real life systems. Especially which ain't understandable. One knows when he's compiling or using such potential things even if your monitor can't differentiate it. Instead a complicated jargon or difficulty in detecting scan strings or heuristic is being propagated. Why a few line solution into your monitoring programs were sidelined in favor of complex un-understandable heuristic search thing to bog down the normal user system? I mean what's the logic in that kinda monitoring. Where you should be searching or reading or analyzing things (VM) you are talking about running the code and where you are supposed to provide some simple hooks to trap such calls, you are searching so called millions of bogus strings? I mean since you have been doing that way in VM so the problem which shouldn't be there become a major problem and same is the case here on this side of things. Had it had been the other way 90% of problems simply cease to exist at the first place. I mean this kinda thing seems to be illogical to me. There a right way every thing has to be done. For ex: if you want to sneeze what you do bring your hand directly to your nose right? You don't do it like rounding through back of your head and grabbing it from different direction, do you? Such thing bound to create problems, either for your nose or for your hand, isn't it? Either your nose gonna get twisted or your hand gonna get twisted or possibilites are that both of them will be. So my saying is this kinda negligency is going on since DOS days. We came all the way through win31 to win95/98 to XP now win 7. I don't know whats the status of win 7. I don't have that machine. I run win XP SP3 on my home computer which is 2.8 GHZ Intel machine. I mean this kinda thing should have been implemented within file system drivers of OS itself but they ignore it all the way and our reputed antivirus companies as well never find it a attractive proposition. Instead they began talking about virus in millions which were actually few at that time. Yeah one more smart thing they do. You check any product. When they scan they include the simple "txt" files or other invalid file into there scanned object counter. Very good at that. That's one of nice marketing strategy. I mean this hell of the way to take literal meaning of scan too far, No?

    Last of all, I am just asking you, or I asked you in the first place. Its not that I have some serious project or you leave all your work or try answer or discuss with me. IT was more likea that during your normal day to day working if you any time just drop one or two line or some link telling me that could be the problem. How you gonna achieve that. So I might be trying explain it from my side that how I think that could be overcome. Just simple talking nothing serious. And you always reminding me of disavower. I don't have any problem with him. I can understand his what you call it...his umm way of saying things, style, np. But I sure find it offensive on part of Mr. Woodman. I think you should better take care of thing better. You are administrator here.

    And if you referring to Hindi song lyric it has nothing to do with anybody of you here. But I sure have to deal with lots of diff world within the same world. You won't understand it or if you do then you won't admit it, I know. So I don't think its valid to discuss such things. But because if you dealing continuously with some kinda aspect it bound to affect your speech or behavior sometime..locally I mean. That's how we human interpret thing. We emulate the environment within our-self. So for sometime local coloring kinda thing remain. That's how you enjoy movie or understand what the man in front trying say. Nothing to be taken so serious anyway.



    Thank you.

    Last time addition: Sorry I forget to cover one more point stated by Mr. Aimless in his post to me. About me heading the process. I never proposed that, or rather I never could unless its only me solely creating it in the first place. You understand the logic Mr. Aimless? I know my limitation as a programmer. That's why I clearly stated many times that I am not a formal computer educate. I never done that much of system debugging or exploration as well. Since its not my profession and the tools available weren't of my liking. Had it been my profession then even if I have to do it machine code way, hexa bytes. I wud surely have done that. But since its not so I din't find it a that much of a interesting? thing.

    All I said that I can do decoder/encoder part plus database and some semantics specially hardwired to decoder/encoder part. I can help preparing the base. Like your IDA Pro has IDA disassembler base. And real good base that much I can assure. But just that! That's why I said in starting lines that I might not be here after completing my part if given me to perform. It's just a hobby that I came here. I got some free time and interest in such things. I know some basic Intel assembly, or C, C++ knowledge, not that complicated I mean. Simple fundamental knowledge and I think that's enough for designing such logic. And if I get problem I wud be asking you to help me out, right. You can head it. You might be permanent member here. So even if I am not here the project would be running by you guys, It doesn't make any difference, right? Actually I myself searching for knowledgeable person to head it. I think that clarifies my position regarding that.


    Note: Forgive me if still there are some errors left.
    Last edited by NickyBlue; October 13th, 2012 at 09:08.

  10. #10
    I will wait for the movie to come out.

  11. #11
    Hi VirusBuster!
    Visited your site. And yeah hope you won't get disappointed when its time of premier comes. After all its your Kit
    Last edited by NickyBlue; October 14th, 2012 at 01:20.

  12. #12
    This is starting to turn into................

    Your long winded diatribe is well, long winded.
    I and Aimless have asked you to either clarify what you want,
    or ask a direct question in regards to code.

    Since you dont hear me chirping I will chirp a little louder.

    What the fuck do you want ?

    OBC

    Welcome to the net.
    Learn Or Die.

  13. #13
    NickyBlue
    #5 scr. - purebasic ?

    Let your tool for test

  14. #14
    Thanks!... Just give me some time... and by the way, I have been on net quite long not into any forum or sites as such though.

    Anyway I yesterday I found "Murder on the Orient Express" by Agatha Christie on net. Never read her before just heard her name a lot.. so currently enjoying her mystery novel... kinda in middle of interrogation things goin on ...so pls excuse me.

  15. #15
    If I am not wrong he wants to do a tool like Buster Sandbox Analyzer.

    Well, when I say he wants to do I mean he wants other people code the tool and he just says what the tool must do.

Similar Threads

  1. Replies: 0
    Last Post: February 13th, 2014, 07:42
  2. how to generat "1" instead of "uncounted" license
    By joyung in forum The Newbie Forum
    Replies: 38
    Last Post: April 10th, 2012, 03:57
  3. Replies: 4
    Last Post: May 28th, 2009, 13:02
  4. Replies: 1
    Last Post: December 14th, 2007, 13:35
  5. Can't "Step" after "Pause
    By Lena in forum OllyDbg Support Forums
    Replies: 2
    Last Post: May 5th, 2004, 21:14

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •