
Thread: Good Virus--Bad Virus

  1. #1

    Good Virus--Bad Virus

    Hi,

    I know there are certain signatures in files that set off a virus checker. There are several in the RCE-CD contents. One I just came across is in SEHALL.ZIP. The virus referred to is VIRTOOL.WIN32.TRACER and it's in ring32.exe of the zip file OWL-SEH.zip.

    I know OWL is a good guy and I've come across this situation before. But I find references to pseudo-viruses like VIRTOOL.WIN32.Tracer on the net as if they are real viruses (Virii). How do I tell the difference between a malicious virus and one that just happens to have the signature of a virus?

    I've used the search engine extensively to find answers to this but don't see anything.

  2. #2
    dELTA (Administrator)
    Yeah, the more recent versions of e.g. Symantec Antivirus have started to detect a lot of things like this. It even detects many keygens and cracks as "hacker tools", and also some normal computer security tools, very annoying. Symantec Antivirus 2004 has some settings for different categories of things to detect and not detect, and hopefully some other antivirus programs have this too. I'd turn off detection of all kinds of "hacker tools" and other crap like that if I were you, it's only annoying and doesn't reduce any dangers at all.

    As you see in the name of the detected item of yours, it is called a "virtool". Most of the time, you can safely ignore any warnings about anything it calls a "hacker tool", "virus tool" or anything like that.

  3. #3
    Quote Originally Posted by dELTA
    As you see in the name of the detected item of yours, it is called a "virtool". Most of the time, you can safely ignore any warnings about anything it calls a "hacker tool", "virus tool" or anything like that.
    Thanks for confirming my suspicions. I've seen references to so-called hackers tools on anti-virus sites but they lump them in with all the other malicious viruses. They should list friendly virii, like the one that infected systems to undo the damage done by MSBlaster. Then again, they're all so paranoid, and so ill-informed as to hacking/cracking, that we are all viewed with a jaundiced eye.

  4. #4
    nikolatesla20
    Quote Originally Posted by WaxfordSqueers
    Thanks for confirming my suspicions. I've seen references to so-called hackers tools on anti-virus sites but they lump them in with all the other malicious viruses. They should list friendly virii, like the one that infected systems to undo the damage done by MSBlaster. Then again, they're all so paranoid, and so ill-informed as to hacking/cracking, that we are all viewed with a jaundiced eye.

    Don't know if I'd go as far as to say that they are uninformed to hacking/cracking. These guys are on top of the game of RCE in my opinion, they have specialized in-house toolz to help them with their work even. I would not be surprised if some members of this board or of other hacking boards belong to the anti-virii companies. What better way to stay on top of things? (or hire a hacker to write a new virus for them j/k).

    If we could apply the same technologies to unpacking and auto tools, as antivirus tools perform, we would have some insane power tools. Cracker tools need to start being stepped up a notch or two...for the future.

    -nt20

  5. #5
    Quote Originally Posted by nikolatesla20
    Don't know if I'd go as far as to say that they are uninformed to hacking/cracking. -nt20
    I get your point. What I was getting at are those types who view reversers as bored teenagers without a life. My experience over the years has shown many reversers to have university training as programmers. Rumour has it that +Orc himself may have been such an academic.

    When I first read Matt Pietrek's book on Windows, in which he went right into reversing (aptly calling it spelunking), what struck me was how he was straddling the border between the legal and illegal. He wasn't condoning anything illegal, but he was showing the reader how to go about it. It's similar to another book I read where an author teaches the reader how to make a submachine gun.

    In a recent book, which I've only skimmed, Kris Kaspersky refers to reversers (hackers, he calls them) as criminals, yet he goes to great pains to demonstrate the internals of Softice and IDA. He shows how to defeat Softice, yet points out as well, how a reverser might overcome those tricks. He goes on to demonstrate unassembled code and how to read it. It's like he's saying, "hey all you criminals, here's the right way to do it". It's almost as if Pietrek and Kaspersky are crackers at heart. Ilfak (IDA) and Quine were actually corresponding at one point, through a mutual admiration, as I saw it.

    It seems the elite have a warm spot in their hearts for reversers, but I'm not referring to that group. I'm talking about the crowd who are paranoid about reversers, and would see them all put in concentration camps. They don't appreciate the great skill involved, and that's what I mean by uninformed. Also, they miss the human element. I've never come across a mean-spirited person in the reversing community.

    It would seem anyone with half a brain would admire the great work that has been done in the reversing community. Some of the cracks have been spectacular. But where there's a dollar to be lost, some people are going to behave hysterically. It's this mean-spirited, childishness to which I refer. I guess they never identified with the spirit of Robin Hood, or Santa Claus, for that matter. :-)

  6. #6
    Quote Originally Posted by nikolatesla20
    Cracker tools need to start being stepped up a notch or two...for the future.

    -nt20
    imho, the power of their tools holds, in part, because they never leave the computer of their respective creators. (and well, they can afford a lot more development time)

    There are several great cracking tools, but every time, their release brought a set of countermeasures that specifically targeted the tool.

    95% of the protections I see on the market focus only on "public tools" and "common cracking techniques". I'm sure a lot of people here won't agree, but I guess that sometimes, keeping 'some' information to yourself is the only way to stay one step ahead of the protectionists

  7. #7
    nikolatesla20
    Quote Originally Posted by doug
    imho, the power of their tools holds, in part, because they never leave the computer of their respective creators. (and well, they can afford a lot more development time)

    There are several great cracking tools, but every time, their release brought a set of countermeasures that specifically targeted the tool.

    95% of the protections I see on the market focus only on "public tools" and "common cracking techniques". I'm sure a lot of people here won't agree, but I guess that sometimes, keeping 'some' information to yourself is the only way to stay one step ahead of the protectionists

    Agreed. Excellent point. (How many release groups no doubt have highly efficient SafeDisc removal tools, etc.? Prolly lots that are private.)

    However, I also was trying to just get a small bit of play here - what I mean to say is if the tools were more powerful, for example, using regular expression engines, or virtual execution engines even, combined with disassembler engines, the code could be made strong enough to keep up with a protection even if the author tried to change it. Point being most protections use a very broad foundation, and then they just build upon or change small things at a time to break a public tool. If that public tool is powerful enough to recognize the "foundation" of the protection then it will always work more effectively, even when up against protection code changes. For example, not using byte code searches, but using regular expression searches inside a disassembly engine. Looking for an execution pattern, not a code pattern. And the tool would have to allow end-user modification, to escape common detection. Allow the user to change its title, its filename, any window names, the works. Maybe even if it's debugger based, allowing the change of the style of breakpoint.

    Yes, such a thing is mind-boggling and insanely complex it seems, but I do think it could be true in the future. I mean at least offering the more powerful abilities would always help.

    Of course if this tool belongs to "a group" it would still be effective even if private..

    And keeping a tool private will always make it more effective, but not necessarily more "powerful".

    -nt20
    Last edited by nikolatesla20; May 19th, 2004 at 09:30.
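    The "execution pattern, not a code pattern" idea from the post above, worked through as an added example; this is not code from the thread, from any release group, or from any real anti-virus or cracking tool. It assumes a deliberately tiny 32-bit x86 decoder (only push ebp, mov reg,reg, mov reg,imm32, xor reg,reg, nop and ret are understood; everything else is emitted as a raw byte) and three constructed byte strings standing in for a protection stub and two rewrites of it. A fixed byte signature matches only the exact encoding it was taken from, while a regular expression over the normalised disassembly still matches after nop padding, alternate opcode encodings and a register swap.

```python
import re

# Minimal 32-bit x86 decoder for the demo (assumption: this handful of opcodes is
# enough to illustrate the point; a real tool would sit on top of a full disassembler).
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode(code: bytes):
    """Return a list of (mnemonic, operands) tuples; unknown bytes become ('db', 'xx')."""
    i, out = 0, []
    while i < len(code):
        b = code[i]
        if b == 0x90:
            out.append(("nop", "")); i += 1
        elif b == 0x55:
            out.append(("push", "ebp")); i += 1
        elif b == 0xC3:
            out.append(("ret", "")); i += 1
        elif b in (0x31, 0x33, 0x89, 0x8B) and i + 1 < len(code) and code[i + 1] >> 6 == 3:
            # 31/89: op r/m32, r32    33/8B: op r32, r/m32   (register-direct forms only)
            modrm = code[i + 1]
            reg, rm = REGS[(modrm >> 3) & 7], REGS[modrm & 7]
            dst, src = (rm, reg) if b in (0x31, 0x89) else (reg, rm)
            out.append(("xor" if b in (0x31, 0x33) else "mov", f"{dst},{src}")); i += 2
        elif 0xB8 <= b <= 0xBF and i + 4 < len(code):        # mov r32, imm32
            imm = int.from_bytes(code[i + 1:i + 5], "little")
            out.append(("mov", f"{REGS[b - 0xB8]},0x{imm:x}")); i += 5
        else:
            out.append(("db", f"{b:02x}")); i += 1
    return out


def normalize(insns) -> str:
    """Render instructions as one string the regex can scan: nops dropped, immediates abstracted."""
    parts = []
    for mnem, ops in insns:
        if mnem == "nop":                       # padding changes bytes, not behaviour
            continue
        ops = re.sub(r"0x[0-9a-f]+", "imm", ops)  # exact constants are not part of the pattern
        parts.append(f"{mnem} {ops}".rstrip() + ";")
    return "".join(parts)


# Byte-code search: one exact encoding of "push ebp; mov ebp,esp; xor eax,eax".
BYTE_SIG = bytes.fromhex("558bec33c0")

# Execution-pattern search: standard prologue, then any register zeroed with xor r,r,
# then anything, then a ret. Register choice, encoding and padding are irrelevant.
EXEC_PATTERN = re.compile(
    r"push ebp;mov ebp,esp;xor (e[a-d]x|e[sd]i|e[bs]p),\1;(?:[^;]*;)*?ret;"
)


def byte_signature_hit(code: bytes) -> bool:
    return BYTE_SIG in code


def execution_pattern_hit(code: bytes) -> bool:
    return EXEC_PATTERN.search(normalize(decode(code))) is not None


# Constructed samples (not taken from any real protection):
SAMPLE_EXACT = bytes.fromhex("558bec33c0c3")              # push ebp; mov ebp,esp; xor eax,eax; ret
SAMPLE_VARIANT = bytes.fromhex("559089e59031c9b801000000c3")  # nops, 89 E5 / 31 C9 encodings, ecx, mov eax,1
SAMPLE_UNRELATED = bytes.fromhex("558becb800000000c3")    # prologue then mov eax,0: no xor, no match

if __name__ == "__main__":
    for name, code in [("exact", SAMPLE_EXACT), ("variant", SAMPLE_VARIANT), ("unrelated", SAMPLE_UNRELATED)]:
        print(f"{name:10} byte-sig={byte_signature_hit(code)!s:5} exec-pattern={execution_pattern_hit(code)!s:5}  "
              f"{normalize(decode(code))}")
```

The protection author's cheap counter-moves (inserting nops, picking the other encoding of the same instruction, swapping a register) defeat the byte signature but not the pattern over the disassembly, which is the point nikolatesla20 is making. The same trick cuts the other way: it is also how an anti-virus heuristic ends up flagging an unrelated tool whose code merely has the same shape, which is what the earlier posts in this thread are complaining about.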

  8. #8
    qsmt (Guest)

    housecall online scanner

    just wondering if anyone tried to scan the rce-cd with housecall from trendmicro. while norton only found 2 virii, one of which was a hackerTool, housecall claimed this:

    PE CHAMPAGNE        Sandman\Files\TheChopper.exe
    TROJ ANSIBOMB.20    Gthorne.zip Layer4 ANSIB20.EXE
    TROJ VZMNUKER.A     Gthorne.zip Layer2 vzmnuker.exe
    WM DEMONSTRATE      Gthorne.zip Layer3 DMV.DOC
    XM DMV.B            Gthorne.zip Layer3 DMVEXCEL.XLS
    HLLP.4631           ImmortalDesendants.zip Layer2 ld20kg.exe
    Possible Virus      LordLucifer.zip Layer2 STNRINGO.EXE
    Possible Virus      Stone.zip Layer2 STNRINGO.EXE
    HLLP.4631           tornado.zip Layer2 ld20kg.exe

    i have not gone through the whole content of the cd yet. so maybe these are virii or asm tutorials. perhaps housecall freaks out on these types of files. i don't know much about this type of stuff but i figured i would point it out in case it could be of interest to some others.

    FYI: i downloaded the rce-cd contents from the woodmann/RCE-CD page. also scan was done before unzipping.

    i shout thanks to all who share their knowledge,
    qsmt
    Last edited by qsmt; June 26th, 2004 at 15:15.

  9. #9
    Quote Originally Posted by qsmt
    while norton only found 2 virii,

    I scanned it with AVP and it turned up only the Win32.virtool type virii listed above. As I said in my original post, many of those types are flagged because of the abnormal way in which they are written. Since Norton only found two, and AVP picked out only virtool types, it would seem safe to assume the detections are anomalies. Then again, it's a chance you take.

    I've run those with virtool-flagged virii before with no infection. In fact, if you check out the type flagged by AVP, you can't find descriptions for them anywhere on the net. It seems to be picking up virus signatures and not actual virii.

    One of those included by you was Greythorne's ansibomb. He is a smart dude who wrote his own stuff and that's probably why Trend's virus program flagged it. Since many of those programs are quite dated, it wouldn't hurt to delete them to be on the safe side.

    BTW...IMHO...AVP is still one of the best out there.
