From: Dustin Cook on 3 Jun 2010 14:03

http://www.pcreview.co.uk/forums/thread-2000985.php

New and Improved: Antivirus Software
Invircible Not A Credible Anti-Virus Program
Juha Saarinen

Invircible has caused a storm in the anti-virus teacup for some time now. Its New Zealand distributor, the Virus Defence Bureau (formerly known as Second Sight Limited) says Invircible is controversial because it threatens the livelihood of other anti-virus vendors, claiming Invircible '... detects all viruses at the point of propagation', and that it 'Finds and repairs ALL viruses [sic] known and unknown.'

However, after extensive testing, NZ PC World reached the conclusion that Invircible is a poor anti-virus program that doesn't work as advertised and offers substandard protection against viruses. We advise readers to avoid it.

Plethora of programs

Priced at $180 ex GST for a single-user licence, Invircible comes with a set of 10 16-bit Dos utilities, and six 32-bit Windows 95/NT modules. Utilities for Windows 3.x are included too, ditto a set of network tools, but we didn't look at those for this review.

The Windows 95/NT utilities have similar, easy-to-use interfaces, but the Dos ones vary from app to app. The Dos utilities must be used for the Invircible virus defence strategy but all make use of poorly documented command-line switches. (There is a text file in the compressed archive on IV diskette 1 that explains the switches, but it is deleted after installation.) The Dos programs also suffer from a confusing melee of hot keys, pop-up menus, <Ctrl>-key and <Alt>-key combinations, making it nigh impossible to figure them out.

Generics not unique to Invircible

Invircible's developer, Net Z Computing, say it is based on generic anti-virus methods. Usually, this means change-detecting software, and integrity checkers, which compare system files and alert for modifications. However, all features of Invircible seem 'generic'.

To quote from the sales brochure: 'At the point of installation Invircible performs around twenty five generic tests to ensure it is being installed to a clean environment'. The distributor never told us what these 25 tests were, however.

Generic anti-virus technologies are nothing new or unique, despite Invircible's developers' and distributors' claims. The first anti-virus products were change detectors, and well-known utilities like IBM Anti-Virus and Dr Solomon's Anti-Virus' signature scanners also use it today. It is disingenuous of Invircible's makers to suggest otherwise.

Installation

Invircible takes a snapshot of the system during installation as a base for its detection and restoration mechanism so it is vitally important that the program is installed to a clean system. The crude installation routine, consisting of self-extracting Winzip archives with Dos batch files, runs a number of utilities to ensure the system is virus-free.

Among these is the IVZ scanner that has 900 signatures in its database and hasn't been updated for over 30 months, according to the distributor. Leading AV scanners detect 15,000 viruses or more in comparison, so IVZ does little to ensure a virus-free environment for Invircible. If a virus is found, IVZ halts to display a report. However, it won't clean the infected files, and continues the installation after the report. Even if you abort the installation, Invircible wouldn't be able to disinfect the system, as it doesn't come with a clean boot disk. The manual recommends in several places that a 'third-party scanner' is used and I think I know why.

Invircible also runs the IVX 'hyper correlator' that scans files for virus signatures based on samples given to it. IVX uses a temporary Ini file with the signatures of 22 viruses, but this file is deleted at the end of installation.

Finally, IVX is run in Word macro virus detection mode, after which the IVB integrity checker takes a 'snapshot' of system files (including ones infected by undetected viruses) for restoration purposes. ResQDisk then runs and backs up the master boot record and the partition sector. The Windows utilities are installed next.

The installation routine doesn't create a rescue disk automatically (this is done with the Dos Install program instead) and doesn't reboot the system, without which the installation won't complete. Even after a reboot, however, Invircible never ceased complaining about an 'Incomplete Installation'. I asked the distributor why, but never received a reply.

Annoyingly, the Dos installation path is fixed as C:\IV, unlike the Windows one that can be changed. A bug in the installation routine leaves the Winzip self-extractor waiting for the Dos window to close before the program exits and cleans up its temp files. If you close the Winzip dialogue, a number of temp files are left on the disk.

On Windows NT 4.0 Workstation, Invircible must be installed under the Administrator user code, with user permissions set manually. ResQDisk is not usable under NT and IVINIT isn't run at boot up either. The program is limited to scanning for file infecting viruses and macros under NT, and can't check boot sectors, according to the manual.

After installation is finished, there is a green IV icon in the Windows 95 Systray. This gives access to the Macro Sweeper, the integrity checker, a scheduler, options for the Interceptor and Watchdog resident scanners, and also online help.

The IVINIT program runs every boot-up from Autoexec.bat, ditto the IVB (twice!) and IVX utilities. IVINIT compares the MBR, partition sector and Cmos with three 'snapshot' files in the root directory. I deleted these, but IVINIT simply recreated them without warning, so a targeted attack against the fixed names of these files would be trivial to implement for virus writers.

Documentation a shambles

A manual last revised in June 1996 accompanies Invircible and contains nuggets like 'It is yet unsure whether the WinWord macro viruses are the first of a kind or will remain an episode in computer's [sic] virology', and suffers from poor proof reading. It talks about programs not included with the Invircible suite, like IVSCAN and ResQPro, but doesn't mention the Windows programs. The Invircible distributor says an updated manual is available in Hebrew.

The online help files are up-to-date, both under Dos and Windows. However, the read-me files with installation information are in Word 2.0 format, unreadable by Wordpad in Windows 95. As there will be situations when the online help files on the hard disk won't be accessible, there is no excuse for the substandard manual.

So Does Invircible Work?

To find out how well Invircible fends off viruses, I asked Virus Bulletin, the respected UK anti-virus publication, to test it. For further information on Virus Bulletin, email editor(a)virusbtn.com or surf to www.virusbtn.com.

The Virus Bulletin ran IVZ against its 852-virus test set of file infectors. IVZ detected a mere 53 of these, a detection rate of approximately 6.22%. Of the total set, 172 viruses were represented in the January 1998 Wild List, and IVZ detected 29 of these, or 29%. Both results are extremely poor.

IVZ fared better against the 87 In-the-Wild boot sector viruses in the Virus Bulletin test set. It spotted 61, for a detection rate of roughly 70%. However, IVZ missed some of the most common ones like Stoned, Ripper, NYB and WelcomB.

Virus Bulletin also tested IVINIT with six boot viruses that IVZ missed: Baboon, Bye, Chinese_Fish, Crazy Boot, Cruel and WelcomB. Two of the most common boot viruses, Form.A and Junkie, were also used.

With Bye, IVINIT warned that the partition sector was stealthed, and prompted to replace the MBR using Invircible's See Thru (direct IDE port access) technique, and asked to reboot the computer. Afterwards the disk was disinfected. The Crazy_Boot and WelcomB infections followed similar patterns.

Baboon made IVINIT flash a '1KB of Dos memory missing!' warning, but confusingly, also 'No virus activity detected in memory'. The default option was to Quit and continue booting. This left the system with an active, infective virus. The Cruel infection followed the same modus operandi. In both cases, ignoring the default option and restoring the MBR disinfected the system.

Chinese_Fish rendered the test system unbootable, so ResQDisk was used from a floppy. After finding the right key combination to press in ResQDisk's cluttered interface the system was restored. ResQDisk offers little advice for situations like these so novice users would have difficulties knowing what to do.

The common Junkie virus is poorly written and corrupts the Dos 7.x command.com because it ignores the fact that it is actually an Exe-style program. (Invircible's distributor said Junkie trashes Win.com instead.) The system won't boot from the hard disk, and IVINIT can't run. It's not described anywhere, but you need to whip out ResQDisk, restore the boot record and then use IVB to restore Command.com.

Virus Bulletin staff observed that during the Form.A infection, IVINIT reported '2KB of Dos memory missing!' but also said, 'The hard disk is infected with a boot infector!', a clear virus indication for a change. However, on acknowledging the message, IVINIT said 'No Virus activity detected in memory!' and 'The Master Boot Sector is intact!' and exited. The VB tester was unable to do anything as Windows 95 started up with Form.A active and infectious. This is a major bug in IVINIT. Using ResQDisk restored the boot sector, but an average user wouldn't know to use it in this situation.

Add-ons asked for

The distributor claims that earlier versions of Invircible detected and removed a particularly nasty virus, One Half, when it first appeared in New Zealand. I infected a system with One Half, and this time, IVINIT detected the virus by its name, but said to use 'XONEHALF' to disinfect the system. ResQDisk said the same. One Half encrypts a varying number of sectors on your disk, so generic restoration is impossible, hence Invircible's reticence. XONEHALF, a utility not written by Invircible's developers, is not included with the program. It can be downloaded from Invircible's Web site, a poor solution if One Half has whacked your hard drive. The Monkey virus is also handled by a separate utility, available at the Web site.

I also infected a Compaq Deskpro with the common virus Da'Boys. Due to Compaq's non-standard disk partitioning it wrote itself to the boot sector of the diagnostics partition, rendering it unbootable. IVINIT didn't notice this infection, but ResQDisk said, 'Could be a virus!' when coaxed to look at the diagnostics boot sector, where the text string 'DA'BOYS' was clearly visible.

The manual's suggested procedure for restoring the boot sector didn't work. When I tried it, a message saying: 'This function only supported in RESQPRO!' popped up. RESQPRO is a separate utility, priced at $US299, according to the Invircible Web site. I asked Invircible's distributor about this, and was told 'both ResQDisk and the ResQPro can recover from this'. The distributor suggested 'changing the partition parameters', which didn't work either.

File infectors given free rein

Two integrity checkers are provided with Invircible to handle file infectors: the Dos IVB and the Windows IVB32. When run, the integrity checkers compare files to 66-byte 'snapshot' signature files said to contain all the information necessary to restore them. These 'snapshots' can be renamed and stored off-line, but they can be deleted without any reaction from IVB/IVB32.

To see whether Invircible could detect any virus, prevent its propagation and restore the infected files as promised, I used the KRiLE virus. KRiLE attacks executables in the PATH variable, encrypting the first 5,696 bytes of it. Because of Invircible's lack of memory-resident protection, KRiLE was able to infect as many files as it liked. These included the Invircible Dos programs, unfortunately.

The Dos and Windows integrity checkers showed that some executables had grown by 5696 bytes, and gave me the option of restoring them. Both programs claimed success, but executing the restored files showed that they didn't work. An email from the Invircible developer, Zvi Netiv, confirmed that this is how the program works. Invircible doesn't prevent virus infections, it only tries to recover from them.

Files infected by non-overwriting infectors stand a better chance of being recovered by IVB/IVB32. Without testing each and every virus on the Wild List it's hard to say exactly what the chances are. However, it is safe to say that Invircible does not 'find and repair all viruses known and unknown'. (On a side note, IVB restored virus infections to several files that had been disinfected by other AV utilities.)

False alerts galore

Software upgrades had IVB/IVB32 putting up copious amounts of false alerts as it detected the new files. Messages like 'Winword.exe: modified, increased by xxxxx bytes. Probably a new version' pop up, leaving it to you to decide if it's a virus or not. Sometimes the 'probably' doesn't appear so users could easily end up with non-functional systems due to mistaken restoration attempts of legitimate files. IVB/IVB32 can revalidate all the new files automatically, but that could mean missing infected files - permanently.

In the end I asked myself: 'why bother with all this?' A good on-access scanner would have prevented the infections, and saved huge amounts of time. For day-to-day protection against file viruses, Invircible simply doesn't cut it.

Sweeping Macro Protection

Invircible's Word macro detection seems to have abandoned the generic approach in favour of scanning, based on simple heuristics (that is, rules). Resident on-access protection is also provided. This is because it would be impossible to restore infected documents generically the way IVB does with program files.

No Access virus protection

Four utilities handle Word macro viruses: the Macro Sweeper on-demand scanner, the Watchdog on-access scanner for Word, and the Interceptor on-access scanner for other applications. Also, IVX can be used to detect macros with the /mac switch.

The Macro Sweeper scanner can investigate files with non-standard extensions and handles Word documents embedded in, say, an Excel workbook. It had no problems detecting and deactivating a great variety of Word Basic viruses, but threw up six false positives or 'Suspicious Template' alerts against legitimate macros on the Office 95 CD. Strangely enough, Invircible ignored Word 97 macro viruses like Steroid, and so-called up-converted viruses (Word 97 automatically converts Word Basic macros to the VBA 5 format).

A Word 95 document with only the word 'AutoOpen' in it and saved as a template file with a *.dot extension was flagged by the Invircible macro utilities as a 'suspicious template'. Even though there were no macros in the template, the Invircible utilities offered to deactivate them, and claimed success if you let them. This was repeatable with files containing the names of common Word virus macros like 'Wazzu', 'Bandung', 'CAP' and 'Concept'. Further, changing a document template file's extension to *.doc caused Invircible to flag it as an 'Active Document' and prompted to deactivate it. This is a blunderbuss approach to Word macro viruses that catches innocent documents in the process.

That Invircible ignores infected Word 97 documents points to the programs assuming the older Word 6/7 format, which is different from the Word 8 file format. Upgrading to a newer version of Office overwrites the Watchdog macros installed into Word's NORMAL.DOT template, but Invircible doesn't notice.

The Excel macro virus protection won't work unless the included IVEXCEL.XLS worksheet is loaded manually or at installation. It looks for two strings, 'Laroux' and 'PLDT' - the names of two viral VBA modules. IVEXCEL also takes over the OnWindow, OnSheetActivate, and OnSheetDeactivate VBA events, which meant that undetected viruses like Robocop and Don that don't use the above VBA modules couldn't replicate (but their payloads were intact). Legitimate macros depending on the aforementioned events won't work either. You've been warned.

InVircible 7.01f
Pros: None significant
Cons: Average user will find interface difficult and confusing, poor documentation, and low virus detection rate
Value: A disjointed and ineffective collection of utilities that fails to live up to its sales claims
Price ex GST: $180
Phone: Virus Defence Bureau, 0-9-366 1593

-- 
Are you a former BBSer? Want to go back in time to the old days of ANSI and Renegade? Fire up telnet and go here then: ttb.slyip.com
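The snapshot-and-compare mechanism the review describes (IVB/IVB32 flagging an executable that grew by 5696 bytes, IVINIT silently recreating deleted snapshot files), shown as an added example that is not part of the review or of Invircible's code. It assumes a hypothetical baseline file protected by an HMAC key, so that a deleted or altered baseline raises an alert instead of being rebuilt; the sample executable and the 5696-byte growth are constructed.

```python
"""Snapshot-based integrity checking of the kind the review describes.
Added example, not Invircible's code: the baseline of sizes and SHA-256 digests
is protected by an HMAC, so a deleted or tampered baseline is reported instead of
silently rebuilt (the review says IVINIT recreated deleted snapshot files without warning)."""
import hashlib, hmac, json, tempfile
from pathlib import Path

def _info(path):
    data = Path(path).read_bytes()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def take_snapshot(paths):
    """The 'snapshot': size and SHA-256 digest of every file."""
    return {str(p): _info(p) for p in paths}

def check(snapshot, paths):
    """Return (path, message) for every file whose digest no longer matches."""
    findings = []
    for p in paths:
        now, base = _info(p), snapshot[str(p)]
        if now["sha256"] != base["sha256"]:
            delta = now["size"] - base["size"]
            findings.append((str(p), f"modified, size changed by {delta:+d} bytes"))
    return findings

def save_baseline(snapshot, path, key):
    """Store the snapshot with an HMAC over its canonical JSON form."""
    blob = json.dumps(snapshot, sort_keys=True).encode()
    tag = hmac.new(key, blob, "sha256").hexdigest()
    Path(path).write_text(json.dumps({"snapshot": snapshot, "hmac": tag}))

def load_baseline(path, key):
    """Hardened load: a missing or tampered baseline is an alert, not a reset."""
    if not Path(path).exists():
        raise RuntimeError("baseline missing")
    record = json.loads(Path(path).read_text())
    blob = json.dumps(record["snapshot"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, blob, "sha256").hexdigest(), record["hmac"]):
        raise RuntimeError("baseline tampered")
    return record["snapshot"]

def demo():
    """Constructed scenario: a fake executable grows by 5696 bytes, then the baseline is deleted."""
    key, d = b"constructed-demo-key", Path(tempfile.mkdtemp())  # hypothetical key
    exe, base_file = d / "PROG.EXE", d / "baseline.json"
    exe.write_bytes(b"MZ" + b"\x90" * 1000)
    save_baseline(take_snapshot([exe]), base_file, key)
    exe.write_bytes(exe.read_bytes() + b"\x00" * 5696)  # simulate the file growing on infection
    findings = check(load_baseline(base_file, key), [exe])
    base_file.unlink()  # a deleted baseline must be noticed, not rebuilt
    try:
        load_baseline(base_file, key)
        return findings[0][1], False
    except RuntimeError:
        return findings[0][1], True
```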
From: Peter Foldes on 3 Jun 2010 17:35

Not quite. The person that it was directed at\to and who brought it up earlier probably got the meaning of the post by Dustin and others who did not know what the earlier post was all about.

-- 
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
http://www.microsoft.com/protect

"James Egan" <jegan(a)jegan.com> wrote in message news:86qil1FobeU1(a)mid.individual.net...
>
> On Thu, 03 Jun 2010 11:52:44 -0700, tommyerd(a)who.cares.?.I.don't.com
> wrote:
From: Max Wachtel on 3 Jun 2010 18:56

> NOBODY EVER mentioned Invercible or Zvi Netiv in this group for the
> last ten years, you lying scum.
>

Zvi himself has posted within the last 5 yrs. Check your facts. You may FOAD now.

-- 
This post was created using Opera(a)USB: http://www.opera-usb.com
Virus Removal Instructions http://sites.google.com/site/keepingwindowsclean/home
Max's Favorite Freeware http://sites.google.com/site/keepingwindowsclean/freeware
From: Dustin Cook on 3 Jun 2010 19:04

"Peter Foldes" <maci252211(a)hotmail.com> wrote in news:hu9771$68h$1(a)speranza.aioe.org:

> Not quite. The person that it was directed at\to and who brought it up
> earlier probably got the meaning of the post by Dustin and others who
> did not know what the earlier post was all about.

Thanks for showing an intelligence higher than a few other posters here. It went right over their poor little heads it seems.

-- 
Are you a former BBSer? Want to go back in time to the old days of ANSI and Renegade? Fire up telnet and go here then: ttb.slyip.com