School work - Programming


Greath

I am about to start my senior year in high school and then we will start a project we'll keep doing throughout the year. Since I am interested in programming and viruses I thought it would be nice to make my own anti-virus software (nothing extremely advanced). What I'm wondering is if it is a reasonable goal. If it is a reasonable goal, what do you think is reasonable to include in the program? I was going to write it in C++ in this case.


Greetings :)

I'm not sure if we can be of much help, but I can at least give you some basic tips. For an antivirus, its essential function requires some sort of detection database which targets infections. Unfortunately we cannot supply any malware samples, however if you're just writing a proof of concept to get you started, then you can start out by detecting the following test infections (they are not actual malware, just pieces of code created for the purpose of testing antivirus and antimalware software):

Spycar

EICAR

Modern antivirus software is pretty advanced and has many layers, components and means of detecting infections. The most basic of these is to use a hash check such as MD5.


I like to play Devil's Advocate once in a while...

Greath, what is the high level algorithm that you would apply to detect and clean a given computer of the Parite ?

Well, initially my idea was to get all the files on the computer, store them in a list and then go through the list and check the MD5 sum. But is there a better way to do it maybe?


Nope. Won't help.

Using checksums can lead to false data as they can be falsified or have "collisions" (MD5 Collision Demo).

All things being equal, how will that help with Parite ?

I guess I could use heuristic-based detection but I know that it's not easy to do that. I could try to implement some simple heuristic-based detection, but as I said I'm not going to do something really advanced.


Like I said, I am playing Devil's advocate.

What is the algorithm of said heuristic-based detection ?

Get back to my original question...

"what is the high level algorithm that you would apply to detect and clean a given computer of the Parite ?"

So what is the algorithm of that heuristic-based detection ?

I am trying to challenge you as you stated "interested in programming and viruses" so I gave you a virus. You can't create a program until you have an algorithm. That algorithm must be based upon knowledge of what this virus does and to "clean" the PC you must undo what was done so the PC is back to the pre-infected condition as best you can. That algorithm must have a series of steps to identify the effects and then eradicate the infector and all modifications it made.

So, start with an outline.

* What is the Parite ?

* What constitutes an infected file ?

* How would you detect it ?

* How would you detect modifications ?

* How would you remove said modification ?

* How would you disinfect a file ?

Once again, I have deliberately focused on one "virus" because of your initial statement "interested in programming and viruses".


I looked up a little bit more information about the Parite virus and came up with this.

Name: Win32/Parite

Infects:

EXE and SCR files

Locations:

\AppData\Local\Temp\

Registers:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF

Filename:

[3 letters][4 hex characters].tmp

Win32/Parite:

There are two infections involved in this, Parite.A and Parite.B. Parite.A drops a new file into the Windows temporary directory. The name of the dropped DLL file consists of [3 alphabetic letters and 4 hex characters].tmp (though it is actually a DLL file). After that it modifies the registry to point to itself (HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF). Parite.B then infects the Explorer.exe process. When that is done it starts to infect other EXE and SCR files with Parite.A.

Algorithm:

So this is what I know about the Parite infection so far. If I wanted to detect this infection I would make an algorithm that checks for the registry key (HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF). If this key is available it checks the explorer.exe size or whether it has been changed. It would also be a good idea to check the Windows temporary directory for files with a name similar to [3 letters][4 hex char].tmp.

So to remove the infection, I would need to delete the registry key, restore Explorer.exe and delete all the tmp files it created. The hard part would be to find all the infected EXE and SCR files.

Since I'm not an expert I'm not sure if this would work. I just used the information I had about the infection and tried to solve the different problems that arise.


That's better, but not sufficient.

You see, you chose viruses and while that is a terminology that is common, today viruses are uncommon. They exist in the wild but not to the degree that they used to exist. The problem is the misperception that all malware are viruses. Read the numerous complaints here in the Malwarebytes Forums and you'll see everyone who is infected with something calls that something a "virus". They have a "redirecting virus", the "FBI money pak virus", "Yontoo virus", etc, etc...

So before you really can tackle such a project, one must really understand malware. Malware is the overarching concept of all Malicious Software, with viruses, trojans and exploit code being three major sub-types of malware. You can call the study of malware sub-types malware taxonomy.

The thing to know is a Parite is a file infecting virus. The first thing it is going to do is load itself into memory. Through a "signature" of this infector in memory you would have to read the RAM contents and search to see if it is indeed resident in memory and then kill the process or remove that memory segment or somehow neutralize it. As a file infecting virus it will seek out and inject malicious code into legitimate files [1]. Therefore you have to use some signature of the Parite and scan all executable files and seek within the binary for said signature. If found you would then apply a routine to disinfect the file, that is remove the malicious code and return the binary to its pre-infected state (and not corrupt the file and its functionality). You would recursively seek all files and perform this scan function and run a possible clean routine on any/all files found to be infected. Then you would seek out behavioural aspects and remediate them, etc.

1. So the first thing is to know what the exact code of the Parite that is injected into a file and have a signature for it. That is a set of fingerprints of the Parite malicious code that can be found in an infected file and ONLY found in files infected by the Parite.

2. Create a database of signatures. One or multiple representing each infector to be targeted.

2a. Create a Search_DB_Function() to find the "signature(s)" in the database

2b. Create a Compare_DB_Function() to compare the file's aspects to the database of signatures

3. Create a universal Mem_Scan_Function() to determine if the infector is in RAM.

4. Create a universal File_Scan_Function() to determine if the infector is found in disk files.

5. Create a Mem_Clean_Function() to remove or neutralize the infector's malicious code in RAM.

6. Create a File_Clean_Function() to remove malicious code injected into files and return them to their original state.

7. Create a Behaviour_Clean_Function() which seeks out the modifications made by the malware and returns those modified segments to their original states.

Now you can see how a "program" can be coded. First you would have to come up with some form of pseudo code that lays out a high level flow of the program and what is to be performed: find the malware, remove the malware, fix modifications, perform checks, balances and verifications, etc.

When I started, almost 25 years ago, I came across the "Jerusalem.B" virus which is like the Parite in that it was a "File Infecting Virus". Back then malware was created for "Bragging Rights" and to show off. Today's malware arena is nothing like it was then. Now it's all about the money and viruses have become marginalized and have but a small sector of the malware arena. Today the trojan is the malware infector that dominates and exploit code is used to effectuate that infection. My replies have been specifically made in reaction to your statement "interested in programming and viruses" knowing that more likely than not, you have made that statement from the grave misperception that all malicious software are viruses. It is a class of complex malware that is not easily mitigated. It is not an easy task to remove malicious code and return a binary to its original state without corrupting it. Another complex area of the malware arena is cryptovirology. That is using malicious code in some way to encrypt data and make it useless to the data owner. Often the objective is to hold the data for ransom until a payment is made and the files can be decrypted.

I applaud your lofty goal to write an anti malware program (I specifically mean MALWARE and not VIRUS) and give you Kudos for the idea at an age where you are a senior in High School.

However... You must come to the realization that to write software to mitigate malware in its varying forms, you must first understand the world of malicious software. Once you have a strong insight into this arena programming a mitigation software will come much easier.

--

1. This is why the MD5 checksums won't help. Assuming that one has a legitimate file with MD5 checksum X and it is now infected, the file will have a new checksum value. Assuming it is a file infecting virus, the objective is to remove the injected code and return it to its original checksum X, and it must work as it was intended to work by its author. Returning the cleaned file to its original MD5 value is the goal and it's NOT easy; most vendors may return the binary to its original working state but may fail to bring it back to its original checksum value.
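A minimal version of the signature-scanning outline above (steps 2 to 4) and of the MD5 footnote, written as an added C++ example that is not code from this thread. It assumes the public EICAR test string mentioned earlier as its only signature and a constructed sample buffer; a substring signature finds the pattern wherever it sits in a file, which a whole-file MD5 comparison cannot do once any surrounding byte has changed.

```cpp
#include <fstream>
#include <iterator>
#include <string>
#include <vector>

// One entry of the signature database: a name plus the exact byte pattern
// that identifies the infector inside an otherwise legitimate file.
struct Signature {
    std::string name;
    std::string pattern;
};

// Search_DB_Function(): build the database. Only the public EICAR test string
// is used (it is a harmless test file, not malware). The literal is assembled
// from two halves so this source file is not itself flagged by a real scanner.
std::vector<Signature> load_signature_db() {
    std::string eicar = std::string("X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-")
                      + "ANTIVIRUS-TEST-FILE!$H+H*";
    return { {"EICAR-Test-File", eicar} };
}

// Compare_DB_Function(): return the names of all signatures found in a buffer.
// A substring search finds the pattern wherever it sits in the file, which a
// whole-file MD5 comparison cannot do once any surrounding byte has changed.
std::vector<std::string> match_signatures(const std::string& data,
                                          const std::vector<Signature>& db) {
    std::vector<std::string> hits;
    for (const Signature& sig : db) {
        if (!sig.pattern.empty() && data.find(sig.pattern) != std::string::npos) {
            hits.push_back(sig.name);
        }
    }
    return hits;
}

// File_Scan_Function(): read one file as raw bytes and match it against the DB.
std::vector<std::string> scan_file(const std::string& path,
                                   const std::vector<Signature>& db) {
    std::ifstream in(path, std::ios::binary);
    std::string data((std::istreambuf_iterator<char>(in)),
                     std::istreambuf_iterator<char>());
    return match_signatures(data, db);
}
// Constructed sample: a "file" with the test string embedded between other bytes.
std::vector<std::string> demo_scan() {
    std::vector<Signature> db = load_signature_db();
    std::string sample = "MZ\x90 header padding " + db[0].pattern + " trailing bytes";
    return match_signatures(sample, db);
}
```

Steps 5 to 7 (cleaning memory and files) are deliberately absent: as the footnote says, removing injected code without corrupting the host is the hard part, and it needs per-infector knowledge that no generic scanner supplies.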


Thanks a lot for all the information, it gave me a lot to think about. I guess I have to spend the summer holidays researching malware and then when I have some more knowledge about the subject I can start to think about creating the software. :D


Greath:

It's been a pleasure discussing this subject matter with you 'cause of your age and interest. The anti malware industry is dealing with a tough adversary (I group them together and personify the multitudes as "adversary" when it's really much more complex than the singularity "adversary" implies) and it's good when someone wants to learn and deal with the problem at an early age. You are the "next generation" and we look to pass on knowledge to those who show fortitude and fight the good fight.

Please keep asking questions... and keep in touch.

PS: Thanx guys...


A day late and a shekel short, I'll add my "me, too" sentiments to those already expressed!

As we say, DHL "has forgotten more about this than I'll ever know".

(That's a compliment, of course.)

To be sure, there is ALWAYS so much to be learned here (from all of you).

daledoc1
