From: David H. Lipman on 14 Mar 2010 12:28

From: "Karthik Balaguru" <karthikbalaguru79(a)gmail.com>

| On Mar 14, 6:08 am, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net>
| wrote:
>> From: <spi...(a)freenet.co.uk>
>> | And verily, didst Karthik Balaguru <karthikbalagur...(a)gmail.com> hastily babble
>> thusly:
>>
>> >> [Karthik Balaguru]
>> >> So, does it imply that the virus scanners check for
>> >> malicious system calls from malicious applications
>> >> in Windows? Are there any open source implementation
>> >> of those virus scanners that check for malicious
>> >> system calls from certain applications in Windows?
>> | No, it means the virus scanners don't scan running processes.
>> | They scan files on hard disk and in e-mails/other network related stuff that
>> | are destined for transfer to Windows based networks/machines... and then
>> | quarantine anything that matches a virus profile.
>> McAfee scans running processes.

| Interesting. So, does McAfee also check for malicious calls from
| malicious applications?

| But, I think McAfee is not an open source software. So,
| any other open source virus scanner that supports the
| feature of checking the malicious calls from malicious
| applications?

| Thx in advance,
| Karthik Balaguru

Define: "malicious calls"

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: Matt Giwer on 15 Mar 2010 02:43

On 03/14/2010 09:57 AM, Karthik Balaguru wrote:
> On Mar 14, 6:08 am, "David H. Lipman"<DLipman~nosp...(a)Verizon.Net>
> wrote:
>> From:<spi...(a)freenet.co.uk>
>> | And verily, didst Karthik Balaguru<karthikbalagur...(a)gmail.com> hastily babble thusly:
>>>> [Karthik Balaguru]
>>>> So, does it imply that the virus scanners check for
>>>> malicious system calls from malicious applications
>>>> in Windows? Are there any open source implementation
>>>> of those virus scanners that check for malicious
>>>> system calls from certain applications in Windows?
>> | No, it means the virus scanners don't scan running processes.
>> | They scan files on hard disk and in e-mails/other network related stuff that
>> | are destined for transfer to Windows based networks/machines... and then
>> | quarantine anything that matches a virus profile.
>>
>> McAfee scans running processes.
> Interesting. So, does McAfee also check for malicious calls from
> malicious applications?
>
> But, I think McAfee is not an open source software. So,
> any other open source virus scanner that supports the
> feature of checking the malicious calls from malicious
> applications?

Last I heard, McAfee looks at discovered viruses, finds patterns in them and then scans for that pattern. This works because, once a new nasty exploit is discovered, it spreads with minor changes around the core exploit, like which IP to go to for instructions.

I have not heard of anyone being able to predetermine what to scan for in applications as something one does not want. Were that the case, all formatting programs are trojans and all updating software is making unauthorized calls to MS or yum repositories.

--
Before the Gaza massacre Israel was given the benefit of the doubt. With Gaza Israel removed all doubt.
-- The Iron Webmaster, 4237
http://www.giwersworld.org/antisem/ Antisemitism a10
Mon Mar 15 02:37:47 EDT 2010
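The pattern-based scanning described in the post above, as an added illustration that is not code from any poster or from McAfee: a signature is lifted from a discovered sample and matched against other files, and wildcard bytes ("??") let it tolerate the "minor changes around the core", such as a different IP address, that an exact byte string would miss. The samples, the hex signature format and the signature names are all constructed for this example.

```python
"""
Added example (not any poster's code, not a real AV engine): a minimal
byte-pattern scanner with wildcard support, showing why a signature that
keeps the shared core and wildcards the varying bytes still matches a
variant that an exact copy of the first sample does not.
"""


def parse_signature(text):
    """Parse 'DE AD ?? EF' into a list of byte values, None for a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_signature(data, sig):
    """Return the offset of the first match of sig in data, or -1 if absent."""
    n = len(sig)
    for i in range(len(data) - n + 1):
        if all(b is None or data[i + j] == b for j, b in enumerate(sig)):
            return i
    return -1


def scan(data, signatures):
    """Names of all signatures that match data, in dictionary order."""
    return [name for name, sig in signatures.items() if find_signature(data, sig) != -1]


# Constructed samples: an x86-like core routine that pushes a 4-byte address
# which differs between the two variants (the "which IP to go to" detail).
CORE_HEAD = bytes.fromhex("55 89 e5 68")           # push ebp; mov ebp,esp; push imm32
CORE_TAIL = bytes.fromhex("e8 10 00 00 00 c9 c3")  # call rel32; leave; ret
SAMPLE_A = b"\x7fELF" + b"\0" * 12 + CORE_HEAD + bytes([10, 0, 0, 1]) + CORE_TAIL
SAMPLE_B = b"\x7fELF" + b"\0" * 12 + CORE_HEAD + bytes([192, 168, 7, 9]) + CORE_TAIL
BENIGN = b"\x7fELF" + b"\0" * 12 + bytes.fromhex("55 89 e5 31 c0 c9 c3")

SIGNATURES = {
    # Copied verbatim from sample A: the embedded address is part of the
    # pattern, so variant B with a different address is missed.
    "exact-from-A": parse_signature("55 89 e5 68 0a 00 00 01 e8 10 00 00 00 c9 c3"),
    # Core kept, the four varying address bytes wildcarded: matches A and B,
    # still not the benign routine whose fourth byte differs.
    "core-wildcard": parse_signature("55 89 e5 68 ?? ?? ?? ?? e8 10 00 00 00 c9 c3"),
}

if __name__ == "__main__":
    for label, blob in (("sample A", SAMPLE_A), ("sample B", SAMPLE_B), ("benign", BENIGN)):
        print(f"{label}: {scan(blob, SIGNATURES)}")
```

The trade-off the post hints at is visible here: the narrower the exact pattern, the fewer false positives but the easier a trivially modified variant slips past it, which is why real signatures are written around the invariant core rather than around a whole sample.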
From: FromTheRafters on 15 Mar 2010 08:01

"Karthik Balaguru" <karthikbalaguru79(a)gmail.com> wrote in message
news:4ddd456e-dd1c-4e5c-8d14-6a1d2dbf3f6b(a)l12g2000prg.googlegroups.com...

On Mar 14, 6:08 am, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net> wrote:
> From: <spi...(a)freenet.co.uk>
>
> | And verily, didst Karthik Balaguru <karthikbalagur...(a)gmail.com>
> hastily babble thusly:
>
> >> [Karthik Balaguru]
> >> So, does it imply that the virus scanners check for
> >> malicious system calls from malicious applications
> >> in Windows? Are there any open source implementation
> >> of those virus scanners that check for malicious
> >> system calls from certain applications in Windows?
>
> | No, it means the virus scanners don't scan running processes.
> | They scan files on hard disk and in e-mails/other network related
> stuff that
> | are destined for transfer to Windows based networks/machines... and
> then
> | quarantine anything that matches a virus profile.
>
> McAfee scans running processes.
>

Interesting. So, does McAfee also check for malicious calls from malicious applications?

But, I think McAfee is not an open source software. So, any other open source virus scanner that supports the feature of checking the malicious calls from malicious applications?

Readers of this thread might also find this interesting:
http://vx.netlux.org/lib/afc08.html
From: Karthik Balaguru on 16 Mar 2010 01:41

On Mar 14, 9:28 pm, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net> wrote:
> From: "Karthik Balaguru" <karthikbalagur...(a)gmail.com>
>
> | On Mar 14, 6:08 am, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net>
> | wrote:
> >> From: <spi...(a)freenet.co.uk>
> >> | And verily, didst Karthik Balaguru <karthikbalagur...(a)gmail.com> hastily babble
> >> thusly:
>> >> >> [Perumal]
>> >> >> Hi,
>> >> >> Is there any way in which I can tell whether an application is malicious
>> >> >> or not by looking at the system calls made by the application?
>> >> >> Thanks In Advance,
>> >> >> Perumal
>> >> >> [Marc Stan]
>> >> >> If I've understood your question there exists a project called REMUS hosted
>> >> >> on sourceforge; it monitors system calls made by 'dangerous' processes such
>> >> >> as daemons and, according to a database of 'good behaviours'
>> >> >> (i.e. right parameters in syscalls etc. etc.), tells you whether a call is
>> >> >> malicious or not. Unfortunately it works only with 2.4 kernel... but if you
>> >> >> like you can always make a port.
>> >> >> Hope it helped you.
>> >> >> Marc Stan
>> >> >> [Karthik Balaguru]
>> >> >> Coool! That's great :-)
>> >> >> I have been looking for a similar tool but for 2.6 kernel.
>> >> >> But, won't any open source virus scanner tools use this
>> >> >> trick too apart from other scanning tricks to contain
>> >> >> few malicious applications that make malicious calls?
>> >> >> Is it not useful for virus scanner to use this methodology?
>> >> >> Thx,
>> >> >> Karthik Balaguru
>> >> >> [Bill Marcum]
>> >> >> Most virus scanners that run under Linux are used to scan for viruses that
>> >> >> attack Windows.
> >> >> [Karthik Balaguru]
> >> >> So, does it imply that the virus scanners check for
> >> >> malicious system calls from malicious applications
> >> >> in Windows? Are there any open source implementation
> >> >> of those virus scanners that check for malicious
> >> >> system calls from certain applications in Windows?
> >> | No, it means the virus scanners don't scan running processes.
> >> | They scan files on hard disk and in e-mails/other network related stuff that
> >> | are destined for transfer to Windows based networks/machines... and then
> >> | quarantine anything that matches a virus profile.
> >> McAfee scans running processes.
>
> | Interesting. So, does McAfee also check for malicious calls from
> | malicious applications?
>
> | But, I think McAfee is not an open source software. So,
> | any other open source virus scanner that supports the
> | feature of checking the malicious calls from malicious
> | applications?
>
> | Thx in advance,
> | Karthik Balaguru
>
> Define: "malicious calls"
>

Just 'unreliable/tweaked calls'. There are many views for this:
- Incorrect parameters in the sys calls.
- Certain calls could have been altered by someone as it is available openly. In such scenarios, if an application is installed on such a system and if it is dependent on the library in which the system calls have been altered, then the newly installed application might use those specific calls (library), which in turn would cause problems as it has been tweaked.

I think REMUS (kernel module for Linux) helps in identification of the incorrect parameters, access rights by interaction with the Access Control Database managed by the sysctl command, but not sure if it would help in identifying whether the system calls have been tweaked.

It appears that McAfee finds patterns in the discovered viruses, and then scans for that pattern. That is, it is dependent on the map.

Eager to know if there is any tool that could help in identification of the tweaked system calls?

Thx in advance,
Karthik Balaguru
From: Karthik Balaguru on 16 Mar 2010 12:19

On Mar 16, 5:09 pm, "FromTheRafters" <erra...(a)nomail.afraid.org> wrote:
> "Karthik Balaguru" <karthikbalagur...(a)gmail.com> wrote in message
>
> news:29fb3a70-3eae-4d12-ab20-dbc3b0f4a201(a)b36g2000pri.googlegroups.com...
>
> I think REMUS (kernel module for Linux) helps in identification of
> the incorrect parameters, access rights by interaction with the
> Access Control Database managed by the sysctl command,
> but not sure if it would help in identifying whether the system
> calls have been tweaked.
>
> ***
> It looks for suspicious activity regarding programs using legitimate
> calls in a suspicious (possibly malicious) manner. Some attack patterns
> are known to use certain combinations of calls; any program using that
> certain combination of calls will be suspect. The calls themselves are
> not malicious. See http://www.pdf-tube.com/download/ebook/REMUS:%20A%20Security-Enhanced...
> ***

Yeah, I do find that malicious calls have different views. From the REMUS document from the link provided by you it seems that malicious calls also include:
- Illegal invocation of critical system calls that could cause hijacking of control of any privileged process.
- Inefficient check of the argument values of the system calls.

The REMUS homepage link was actually breaking and hence I was collecting information by searching on the internet - http://cesare.dsi.uniroma1.it/Sicurezza/doc/remus.pdf

Thx for providing the link. I will check it out.

Thx in advance,
Karthik Balaguru
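The three checks the thread attributes to REMUS (a per-daemon database of permitted critical calls, validation of their argument values, and flagging of suspicious combinations of individually legitimate calls), as one added user-space model that is not REMUS code and does not use its rule format. It runs over a constructed system-call trace; the daemon name, policy entries, path prefixes and the "socket, dup2, execve" combination are all assumptions made for this example, and a kernel-resident monitor would of course intercept the calls rather than read a trace.

```python
"""
Added example (not REMUS code, not any poster's code): a policy checker that
mirrors the behaviours the thread describes, applied to a constructed trace.
"""
from collections import deque
from dataclasses import dataclass

PATH_MAX = 4096                     # Linux limit; anything longer is malformed
WRITE_FLAGS = {"O_WRONLY", "O_RDWR"}


@dataclass(frozen=True)
class Syscall:
    pid: int
    comm: str    # process name
    name: str    # system call name
    args: tuple  # decoded arguments, simplified for this example


# Critical calls that a monitored daemon must be explicitly permitted to make.
CRITICAL = {"execve", "open", "setuid", "socket", "mknod", "mount"}

# Constructed "database of good behaviours" (hypothetical policy, not REMUS's format).
POLICY = {
    "httpd": {
        "execve": {"path_prefixes": ("/usr/lib/cgi-bin/",)},
        "open": {
            "read_prefixes": ("/var/www/", "/etc/httpd/"),
            "write_prefixes": ("/var/log/httpd/",),
        },
        "socket": {},  # permitted, no argument constraint
        # setuid, mknod and mount are absent, so httpd may not call them at all
    },
}

# Combinations of legitimate calls that count as suspect when one process
# issues them in this order within a short window (assumed pattern).
SUSPICIOUS_SEQUENCES = {
    "socket duplicated onto stdio before exec": ("socket", "dup2", "execve"),
}


def check_args(rule, call):
    """Return a reason string if the call's arguments violate the rule, else None."""
    if call.name == "execve":
        path = call.args[0]
        if len(path) > PATH_MAX or "\0" in path:
            return "malformed execve path"
        if not path.startswith(rule["path_prefixes"]):
            return f"execve of {path} outside permitted prefixes"
    elif call.name == "open":
        path, flags = call.args[0], set(call.args[1])
        if len(path) > PATH_MAX or "\0" in path:
            return "malformed open path"
        writing = bool(flags & WRITE_FLAGS)
        allowed = rule["write_prefixes"] if writing else rule["read_prefixes"] + rule["write_prefixes"]
        if not path.startswith(allowed):
            return f"open for {'write' if writing else 'read'} of {path} outside permitted prefixes"
    return None


def is_subsequence(pattern, recent):
    """True if the names in pattern appear in recent in order (gaps allowed)."""
    it = iter(recent)
    return all(any(name == p for name in it) for p in pattern)


def check_trace(trace, policy=POLICY, window=8):
    """Return (pid, syscall, reason) alerts for every policy or pattern violation."""
    alerts, history = [], {}
    for call in trace:
        rules = policy.get(call.comm)
        if rules is None:
            continue  # process class not monitored by this policy
        if call.name in CRITICAL:
            rule = rules.get(call.name)
            if rule is None:
                alerts.append((call.pid, call.name, f"{call.name} not permitted for {call.comm}"))
            else:
                reason = check_args(rule, call)
                if reason:
                    alerts.append((call.pid, call.name, reason))
        recent = history.setdefault(call.pid, deque(maxlen=window))
        recent.append(call.name)
        for label, pattern in SUSPICIOUS_SEQUENCES.items():
            if is_subsequence(pattern, recent):
                alerts.append((call.pid, call.name, f"suspicious combination: {label}"))
                recent.clear()  # report each completed combination once
    return alerts


# Constructed trace: pid 1201 behaves, 1202 misuses arguments, 1203 forms the
# suspicious combination, and pid 2000 belongs to a daemon outside the policy.
TRACE = [
    Syscall(1201, "httpd", "open", ("/var/www/html/index.html", ("O_RDONLY",))),
    Syscall(1201, "httpd", "open", ("/var/log/httpd/access_log", ("O_WRONLY", "O_APPEND"))),
    Syscall(1201, "httpd", "execve", ("/usr/lib/cgi-bin/search.cgi", ())),
    Syscall(1202, "httpd", "open", ("/etc/shadow", ("O_RDONLY",))),
    Syscall(1202, "httpd", "open", ("/etc/httpd/httpd.conf", ("O_RDWR",))),
    Syscall(1202, "httpd", "setuid", (0,)),
    Syscall(1203, "httpd", "socket", ("AF_INET", "SOCK_STREAM")),
    Syscall(1203, "httpd", "dup2", (3, 0)),
    Syscall(1203, "httpd", "dup2", (3, 1)),
    Syscall(1203, "httpd", "execve", ("/bin/sh", ())),
    Syscall(2000, "sshd", "setuid", (0,)),
]

if __name__ == "__main__":
    for pid, name, reason in check_trace(TRACE):
        print(f"pid {pid} {name}: {reason}")
```

Two design points worth noting: the argument checks are per call and stateless, which is what lets a reference monitor enforce them synchronously, while the combination check needs per-process history, so its window size bounds both memory use and how far apart the calls may be and still be correlated.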