From: Karthik Balaguru on 16 Mar 2010 01:41 On Mar 14, 9:28 pm, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net> wrote: > From: "Karthik Balaguru" <karthikbalagur...(a)gmail.com> > > | On Mar 14, 6:08 am, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net> > > | wrote: > >> From: <spi...(a)freenet.co.uk> > >> | And verily, didst Karthik Balaguru <karthikbalagur...(a)gmail.com> hastily babble > >> thusly: >> >> >> [Perumal] >> >> >> Hi, >> >> >> Is there any way which I am tell whether an application is malicious >> >> >> or not by looking at the system calls made by the application? >> >> >> Thanks In Advance, >> >> >> Perumal >> >> >> [Marc Stan] >> >> >> If i've understood your question there exists a project called REMUS hosted >> >> >> on sourceforge; it monitors system calls made by 'dangerous' processes such >> >> >> as daemons and, accordingly with a database of 'good behaviours' >> >> >> (i.e. right parameters in syscalls ecc ecc), tells you weather a call is >> >> >> malicious or not. Unfortunately it works only with 2.4 kernel...but if you >> >> >> like you can always make a port. >> >> >> Hope helped you. >> >> >> Marc Stan >> >> >> [Karthik Balaguru] >> >> >> Coool ! Thats great :-) >> >> >> I have been looking for a similar tool but for 2.6 kernel. >> >> >> But, won't any open source virus scanner tools use this >> >> >> trick too apart from other scanning tricks to contain >> >> >> few malicious applications that make malicious calls ? >> >> >> Is it not useful for virus scanner to use this methodology ? >> >> >> Thx, >> >> >> Karthik Balaguru >> >> >> [Bill Marcum] >> >> >> Most virus scanners that run under Linux are used to scan for viruses that >> >> >> attack Windows. > >> >> [Karthik Balaguru] > >> >> So, does it imply that the virus scanners check for > >> >> malicious system calls from malicious applications > >> >> in Windows ? Are there any opensource implementation > >> >> of those virus scanners that check for malicious > >> >> system calls from certain applications in Windows ? > >> | No, it means the virus scanners don't scan running processes. > >> | They scan files on hard disk and in e-mails/other network related stuff that > >> | are destined for transfer to windows based networks/machines... and then > >> | quarantine anything that matches a virus profile. > >> McAfee scans running processes. > > | Interesting. So, does McAfee also check for malicious calls from > | malicious applications ? > > | But, i think McAfee is not an opensource software.So, > | any other open source virus scanner that supports the > | feature of checking the malicious calls from malicious > | applications ? > > | Thx in advans, > | Karthik Balaguru > > Define: "malicious calls" > Just 'unreliable/tweaked calls' . There are many views for this : - In-correct parameters in the sys calls. - Certain calls could have been altered by somone as it is available openly. In such scenarios, if an application is installed on such a system and if it is dependent on the library in which the system calls have been altered, then the newly installed application might use those specific calls(library) which inturn would cause problems as it has been tweaked. I think, REMUS(Kernel module for Linux) helps in identification of the incorrect parameters, access rights by interaction with the AccessControl Database managed by the sysctl command, but not sure if it would be help in identifying whether the system calls have been tweaked. It appears that McAfee looks finds patterns in the discovered viruses, and then scans for that pattern. That is, it is dependent on the map. Eager to know if there any tool that could help in identification of the tweaked system calls ? Thx in advans, Karthik Balaguru
From: Karthik Balaguru on 16 Mar 2010 12:19 On Mar 16, 5:09 pm, "FromTheRafters" <erra...(a)nomail.afraid.org> wrote: > "Karthik Balaguru" <karthikbalagur...(a)gmail.com> wrote in message > > news:29fb3a70-3eae-4d12-ab20-dbc3b0f4a201(a)b36g2000pri.googlegroups.com... > > I think, REMUS(Kernel module for Linux) helps in identification of > the incorrect parameters, access rights by interaction with the > AccessControl Database managed by the sysctl command, > but not sure if it would be help in identifying whether the system > calls have been tweaked. > > *** > It looks for suspicious activity regarding programs using legitimate > calls in a suspicious (possibly malicious) manner. Some attack patterns > are known to use certain combinations of calls, any program using that > certain combination of calls will be suspect. The calls themselves are > not malicious. Seehttp://www.pdf-tube.com/download/ebook/REMUS:%20A%20Security-Enhanced... > *** Yeah, i do find that malicious calls have different views. From the REMUS document from the link provided by you it seems that malicious calls also include - - Illegal invocation of critical system calls that could cause hijacking of control of any privileged process. - In efficient check of the argument values of the system calls The remus homepage link was actually breaking and hence i was collecting information by searching in internet - http://cesare.dsi.uniroma1.it/Sicurezza/doc/remus.pdf Thx for providing the link. I will check it out. Thx in advans, Karthik Balaguru
From: FromTheRafters on 16 Mar 2010 21:46 "Karthik Balaguru" <karthikbalaguru79(a)gmail.com> wrote in message news:b13f8cf1-84f4-4396-ab3d-2a20cb7ff775(a)g8g2000pri.googlegroups.com... On Mar 16, 5:09 pm, "FromTheRafters" <erra...(a)nomail.afraid.org> wrote: > "Karthik Balaguru" <karthikbalagur...(a)gmail.com> wrote in message > > news:29fb3a70-3eae-4d12-ab20-dbc3b0f4a201(a)b36g2000pri.googlegroups.com... > > I think, REMUS(Kernel module for Linux) helps in identification of > the incorrect parameters, access rights by interaction with the > AccessControl Database managed by the sysctl command, > but not sure if it would be help in identifying whether the system > calls have been tweaked. > > *** > It looks for suspicious activity regarding programs using legitimate > calls in a suspicious (possibly malicious) manner. Some attack > patterns > are known to use certain combinations of calls, any program using that > certain combination of calls will be suspect. The calls themselves are > not malicious. > Seehttp://www.pdf-tube.com/download/ebook/REMUS:%20A%20Security-Enhanced... > *** Yeah, i do find that malicious calls have different views. From the REMUS document from the link provided by you it seems that malicious calls also include - - Illegal invocation of critical system calls that could cause hijacking of control of any privileged process. - In efficient check of the argument values of the system calls The remus homepage link was actually breaking and hence i was collecting information by searching in internet - http://cesare.dsi.uniroma1.it/Sicurezza/doc/remus.pdf Thx for providing the link. I will check it out. [...] *** It might be worth pondering that viruses, in particular, don't generally need to exploit software flaws. REMUS seems to be a good enhancement for the OS, but AV has (or had) a different goal. ***
From: Karthik Balaguru on 17 Mar 2010 20:51 On Mar 17, 6:46 am, "FromTheRafters" <erra...(a)nomail.afraid.org> wrote: > "Karthik Balaguru" <karthikbalagur...(a)gmail.com> wrote in message > > news:b13f8cf1-84f4-4396-ab3d-2a20cb7ff775(a)g8g2000pri.googlegroups.com... > On Mar 16, 5:09 pm, "FromTheRafters" <erra...(a)nomail.afraid.org> > wrote: > > > > > > > "Karthik Balaguru" <karthikbalagur...(a)gmail.com> wrote in message > > >news:29fb3a70-3eae-4d12-ab20-dbc3b0f4a201(a)b36g2000pri.googlegroups.com.... > > > I think, REMUS(Kernel module for Linux) helps in identification of > > the incorrect parameters, access rights by interaction with the > > AccessControl Database managed by the sysctl command, > > but not sure if it would be help in identifying whether the system > > calls have been tweaked. > > > *** > > It looks for suspicious activity regarding programs using legitimate > > calls in a suspicious (possibly malicious) manner. Some attack > > patterns > > are known to use certain combinations of calls, any program using that > > certain combination of calls will be suspect. The calls themselves are > > not malicious. > > Seehttp://www.pdf-tube.com/download/ebook/REMUS:%20A%20Security-Enhanced... > > *** > > Yeah, i do find that malicious calls have different views. > > From the REMUS document from the link provided by you > it seems that malicious calls also include - > - Illegal invocation of critical system calls that could > cause hijacking of control of any privileged process. > - In efficient check of the argument values of the system calls > > The remus homepage link was actually breaking and > hence i was collecting information by searching in internet -http://cesare.dsi.uniroma1.it/Sicurezza/doc/remus.pdf > Thx for providing the link. I will check it out. > > [...] > > *** > It might be worth pondering that viruses, in particular, don't generally > need to exploit software flaws. REMUS seems to be a good enhancement for > the OS, but AV has (or had) a different goal. > *** Interesting to know that generally viruses do not exploit this flaw. Thx, Karthik Balaguru
From: FromTheRafters on 17 Mar 2010 22:02 "Karthik Balaguru" <karthikbalaguru79(a)gmail.com> wrote in message news:8c6fb9df-042a-42b4-90f0-1a69d909700b(a)h35g2000pri.googlegroups.com... On Mar 17, 6:46 am, "FromTheRafters" <erra...(a)nomail.afraid.org> wrote: > *** > It might be worth pondering that viruses, in particular, don't > generally > need to exploit software flaws. REMUS seems to be a good enhancement > for > the OS, but AV has (or had) a different goal. > *** Interesting to know that generally viruses do not exploit this flaw. *** Or rather, that they don't *need* to exploit *any* flaw. REMUS helps protect the OS from privilege escalation attacks against software flaws. ***
|
Pages: 1 Prev: polynomial multiplication Next: Idiotic programming style edicts |