Anti-virus fallacies


Can Trojans feel fear?


Monday, August 7, 2017

Malware mounts an attack, and the anti-virus destroys it and simultaneously slows down the computer. The user gets irritated and wants to get rid of the anti-virus. What if malware programs were simply afraid to get near a computer, and if they did accidentally get in, they would commit suicide instantly! This sounds incredible, but…

A sandbox is one way to thwart malware. It is used to isolate a specific application from the system environment. For example, a file launched in a sandbox is automatically given only the resources it needs to start and cannot get hold of any other system data. There are many ways to implement this mechanism. For example, every new file can be launched on a separate virtual machine. This method consumes the most resources, but when malware needs to be analysed, it is quite reasonable.

The downside is that sandboxes have certain distinguishing features. That's why anti-virus laboratories do not disclose how they operate. Otherwise, criminals could learn about their tricks and find a way to bypass automatic analysis. If a malware program knows about these features, it can detect that it has been launched in a sandbox and go into hiding.

The Trojan's installer can detect whether it is being launched under a debugger or on a virtual machine, which impedes its analysis. It also checks whether it is being run under Sandboxie.

http://news.drweb.com/show/?c=5&i=4055&lng=en

After it is launched, BackDoor.Tishop.122 scans the environment for the presence of a "sandbox" or virtual machine…

http://news.drweb.com/show/?c=5&i=5821&lng=en

And here’s an idea!

Emulating this same sandbox on your PC is one novel way of protecting your system from malware.

Let’s look into this. Here is how you can make your system look like a sandbox:

  1. Replace the MAC address of the Ethernet adapter with an address from the range used by VMware. No harm done, and malware will think it is being run on a virtual machine and shoot itself dead.

    HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972.....}\[Ethernet adapter folder]

    Add the string parameter NetworkAddress with the value 005056XXXXXX

  2. Run this script. It will copy ping.exe into TEMP, assign it a dozen different names and launch it to ping 1.1.1.1 every hour.

    Here are the processes that will appear in your system:

    "WinDbg.exe", "idaq.exe", "wireshark.exe", "vmacthlp.exe", "VBoxService.exe", "VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe", "idag.exe", "ImmunityDebugger.exe"

The processes reside in memory but consume hardly any of it and use virtually no CPU time. Should malware acquire the list of running processes, it will see an entire arsenal of debugging utilities that can scare even a seasoned system administrator.

http://www.securitylab.ru/blog/personal/itsec/342068.php
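The script that step 2 refers to is not reproduced on this page. The following is an added PowerShell example of my own, not the linked script, that creates the decoy processes from the list above, reports whether both indicators (the VMware OUI from step 1 and the decoy names from step 2) are visible on the host, and can undo itself. The decoy subfolder, the `ping -t` flag and the status-check function are assumptions, not taken from the article.

```powershell
# Added example (not the script the article links to). Implements step 2 above:
# copies ping.exe into %TEMP% under analysis-tool names and keeps each copy resident
# so that a process listing shows those names.
$DecoyNames = @(
    'WinDbg.exe', 'idaq.exe', 'wireshark.exe', 'vmacthlp.exe', 'VBoxService.exe',
    'VBoxTray.exe', 'procmon.exe', 'ollydbg.exe', 'vmware-tray.exe', 'idag.exe',
    'ImmunityDebugger.exe'
)
$PingExe  = Join-Path $env:SystemRoot 'System32\ping.exe'
$DecoyDir = Join-Path $env:TEMP 'decoys'   # assumed subfolder; the article only says TEMP
$PingHost = '1.1.1.1'                      # address named in the article; 127.0.0.1 avoids outbound ICMP

function Start-DecoyProcesses {
    New-Item -ItemType Directory -Path $DecoyDir -Force | Out-Null
    foreach ($Name in $DecoyNames) {
        $Copy = Join-Path $DecoyDir $Name
        Copy-Item -Path $PingExe -Destination $Copy -Force
        # -t makes ping run until killed, so the renamed process stays in memory.
        # Plain ping.exe sends one echo per second and has no hourly mode, so the
        # article's "every hour" would need a scheduler, which is omitted here.
        Start-Process -FilePath $Copy -ArgumentList '-t', $PingHost -WindowStyle Hidden
    }
}

function Stop-DecoyProcesses {
    # Kills only processes whose image lives in the decoy folder, then removes the copies.
    Get-Process | Where-Object { $_.Path -and $_.Path.StartsWith($DecoyDir, 'OrdinalIgnoreCase') } |
        Stop-Process -Force
    Remove-Item -Path $DecoyDir -Recurse -Force -ErrorAction SilentlyContinue
}

function Get-DecoyStatus {
    # Checks both indicators from the article: decoy names in the process list (step 2)
    # and a physical adapter whose MAC carries the VMware OUI 00:50:56 (step 1).
    $running   = Get-Process | Select-Object -ExpandProperty ProcessName -Unique
    $present   = @($DecoyNames | Where-Object { $running -contains ($_ -replace '\.exe$', '') })
    $vmwareNic = Get-NetAdapter -Physical | Where-Object { $_.MacAddress -like '00-50-56-*' }
    [pscustomobject]@{
        DecoysRunning = $present.Count
        DecoysMissing = @($DecoyNames | Where-Object { $present -notcontains $_ })
        VMwareOuiSeen = [bool]$vmwareNic
    }
}

Start-DecoyProcesses
Start-Sleep -Seconds 2        # give the processes time to appear in the list
Get-DecoyStatus
```

Call `Stop-DecoyProcesses` to remove the renamed copies and their processes again.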

However, there are several drawbacks. What’s most amusing is that few Trojans ever check whether they are being run in a sandbox. They aren't afraid of anything.

The second problem is that instead of destroying itself, a Trojan can simply wait while it is being analysed in a sandbox and commence its malicious activities later. Trojans for Android do that quite often—they hold off before springing into action so that the user doesn’t associate the malicious activity with the application they recently installed.

And, finally, if this method becomes popular, attackers will just factor it into their work.

This kind of protection could never be referred to as reliable.


#Trojan #backdoor #technologies

The Anti-virus Times recommends

Many people believe they can do without an anti-virus by isolating their computer from the Internet or shutting it down. But it appears that even a PC that has been powered down can be controlled, and a Trojan may appear on the isolated machine. You think that can't happen? Read the Anti-virus Times!

