A Windows Vista forum. Vista Banter


System Calls

#1
March 13th 10, 11:56 AM posted to comp.os.linux.security,alt.comp.virus,microsoft.public.windows.vista.security,comp.os.linux.setup
Karthik Balaguru

[Perumal]
Hi,
Is there any way by which I can tell whether an application is malicious
or not by looking at the system calls made by the application?

Thanks In Advance,
Perumal

[Marc Stan]
If I've understood your question, there exists a project called REMUS hosted
on sourceforge; it monitors system calls made by 'dangerous' processes such
as daemons and, according to a database of 'good behaviours'
(i.e. right parameters in syscalls, etc.), tells you whether a call is
malicious or not. Unfortunately it works only with the 2.4 kernel... but if you
like you can always make a port.
Hope this helped you.
Marc Stan

[Karthik Balaguru]
Cool! That's great :-)
I have been looking for a similar tool but for the 2.6 kernel.
But won't any open source virus scanner tools use this
trick too, apart from other scanning tricks, to contain
a few malicious applications that make malicious calls?
Is it not useful for a virus scanner to use this methodology?

Thx,
Karthik Balaguru

[Bill Marcum]
Most virus scanners that run under Linux are used to scan for viruses that
attack Windows.


[Karthik Balaguru]
So, does it imply that the virus scanners check for
malicious system calls from malicious applications
in Windows? Are there any open source implementations
of those virus scanners that check for malicious
system calls from certain applications in Windows?

PS:
(FYI - the original discussion originated in linux security,
in case you want even more info on the thread.)
For this discussion, I have looped in the virus,
Vista security & Linux setup groups too, and hence I have
added the names against the respective posts so
that they could also share their thoughts.

Thanks in advance,
Karthik Balaguru
#2
March 13th 10, 09:40 PM posted to comp.os.linux.security,alt.comp.virus,microsoft.public.windows.vista.security,comp.os.linux.setup
FromTheRafters

"Karthik Balaguru" wrote in message ...
[Perumal]
Hi,
Is there any way by which I can tell whether an application is malicious
or not by looking at the system calls made by the application?


[...]

Not definitively, but as part of a heuristic approach it has some merit.

[Marc Stan]
If I've understood your question, there exists a project called REMUS hosted
on sourceforge; it monitors system calls made by 'dangerous' processes such
as daemons and, according to a database of 'good behaviours'
(i.e. right parameters in syscalls, etc.), tells you whether a call is
malicious or not. Unfortunately it works only with the 2.4 kernel... but if you
like you can always make a port.


[...]

...of course, the beast has to be running in order to have "behavior".

[Karthik Balaguru]
Cool! That's great :-)
I have been looking for a similar tool but for the 2.6 kernel.
But won't any open source virus scanner tools use this
trick too, apart from other scanning tricks, to contain
a few malicious applications that make malicious calls?
Is it not useful for a virus scanner to use this methodology?


It is important for virus scanners to have effect *before* the beast has
a chance to run - once it is running, it is often too late to avoid damage. They do
use "emulation" and do use heuristics sometimes to accomplish this.

[Bill Marcum]
Most virus scanners that run under Linux are used to scan for viruses that
attack Windows.


Most virus scanners detect viruses, most viruses attack Windows - would
you have it any other way?

[Karthik Balaguru]
So, does it imply that the virus scanners check for
malicious system calls from malicious applications
in Windows? Are there any open source implementations
of those virus scanners that check for malicious
system calls from certain applications in Windows?


I'm having trouble understanding what a "malicious call" is - nothing
exists in a vacuum.


#3
March 13th 10, 10:35 PM posted to comp.os.linux.security,alt.comp.virus,microsoft.public.windows.vista.security,comp.os.linux.setup
Andrew Halliwell

And verily, didst Karthik Balaguru hastily babble thusly:
[Karthik Balaguru]
So, does it imply that the virus scanners check for
malicious system calls from malicious applications
in Windows? Are there any open source implementations
of those virus scanners that check for malicious
system calls from certain applications in Windows?


No, it means the virus scanners don't scan running processes.
They scan files on hard disk and in e-mails/other network-related stuff that
are destined for transfer to Windows-based networks/machines... and then
quarantine anything that matches a virus profile.

--
Andrew Halliwell BSc in Computer Science
"I'm alive!!! I can touch! I can taste! I can SMELL!!! KRYTEN!!! Unpack Rachel and get out the puncture repair kit!" - Arnold Judas Rimmer, Red Dwarf
#4
March 14th 10, 12:08 AM posted to comp.os.linux.security,alt.comp.virus,microsoft.public.windows.vista.security,comp.os.linux.setup
David H. Lipman

| And verily, didst Karthik Balaguru hastily babble thusly:
[Karthik Balaguru]
So, does it imply that the virus scanners check for
malicious system calls from malicious applications
in Windows? Are there any open source implementations
of those virus scanners that check for malicious
system calls from certain applications in Windows?


| No, it means the virus scanners don't scan running processes.
| They scan files on hard disk and in e-mails/other network-related stuff that
| are destined for transfer to Windows-based networks/machines... and then
| quarantine anything that matches a virus profile.

McAfee scans running processes.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


#5
March 14th 10, 12:57 PM posted to comp.os.linux.security,alt.comp.virus,microsoft.public.windows.vista.security,comp.os.linux.setup
Karthik Balaguru

On Mar 14, 6:08 am, "David H. Lipman" wrote:

| And verily, didst Karthik Balaguru hastily babble thusly:

[Karthik Balaguru]
So, does it imply that the virus scanners check for
malicious system calls from malicious applications
in Windows? Are there any open source implementations
of those virus scanners that check for malicious
system calls from certain applications in Windows?


| No, it means the virus scanners don't scan running processes.
| They scan files on hard disk and in e-mails/other network-related stuff that
| are destined for transfer to Windows-based networks/machines... and then
| quarantine anything that matches a virus profile.

McAfee scans running processes.


Interesting. So, does McAfee also check for malicious calls from
malicious applications?

But I think McAfee is not open source software. So, is there
any other open source virus scanner that supports the
feature of checking the malicious calls from malicious
applications?

Thanks in advance,
Karthik Balaguru
#6
March 14th 10, 03:28 PM posted to comp.os.linux.security,alt.comp.virus,microsoft.public.windows.vista.security,comp.os.linux.setup
David H. Lipman

From: "Karthik Balaguru"

| On Mar 14, 6:08 am, "David H. Lipman" wrote:

| And verily, didst Karthik Balaguru hastily babble thusly:


[Karthik Balaguru]
So, does it imply that the virus scanners check for
malicious system calls from malicious applications
in Windows? Are there any open source implementations
of those virus scanners that check for malicious
system calls from certain applications in Windows?


| No, it means the virus scanners don't scan running processes.
| They scan files on hard disk and in e-mails/other network-related stuff that
| are destined for transfer to Windows-based networks/machines... and then
| quarantine anything that matches a virus profile.


McAfee scans running processes.



| Interesting. So, does McAfee also check for malicious calls from
| malicious applications?

| But I think McAfee is not open source software. So, is there
| any other open source virus scanner that supports the
| feature of checking the malicious calls from malicious
| applications?

| Thanks in advance,
| Karthik Balaguru


Define: "malicious calls"

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


#7
March 15th 10, 05:43 AM posted to comp.os.linux.security,alt.comp.virus,microsoft.public.windows.vista.security,comp.os.linux.setup
Matt Giwer

On 03/14/2010 09:57 AM, Karthik Balaguru wrote:
On Mar 14, 6:08 am, "David H. wrote:

| And verily, didst Karthik hastily babble thusly:
[Karthik Balaguru]
So, does it imply that the virus scanners check for
malicious system calls from malicious applications
in Windows? Are there any open source implementations
of those virus scanners that check for malicious
system calls from certain applications in Windows?

| No, it means the virus scanners don't scan running processes.
| They scan files on hard disk and in e-mails/other network-related stuff that
| are destined for transfer to Windows-based networks/machines... and then
| quarantine anything that matches a virus profile.

McAfee scans running processes.


Interesting. So, does McAfee also check for malicious calls from
malicious applications?

But I think McAfee is not open source software. So, is there
any other open source virus scanner that supports the
feature of checking the malicious calls from malicious
applications?


Last I heard, McAfee looks at discovered viruses, finds patterns in them and
then scans for that pattern. This works as, once a new nasty exploit is
discovered, it spreads with minor changes around the core exploit, like which IP
to go to for instructions.

I have not heard of anyone being able to predetermine what to scan for in
applications as something one does not want. Were that the case, all
formatting programs would be trojans and all updating software would be making
unauthorized calls to MS or yum repositories.

#8
March 15th 10, 11:01 AM posted to comp.os.linux.security,alt.comp.virus,microsoft.public.windows.vista.security,comp.os.linux.setup
FromTheRafters

"Karthik Balaguru" wrote in message ...
On Mar 14, 6:08 am, "David H. Lipman" wrote:

| And verily, didst Karthik Balaguru hastily babble thusly:

[Karthik Balaguru]
So, does it imply that the virus scanners check for
malicious system calls from malicious applications
in Windows? Are there any open source implementations
of those virus scanners that check for malicious
system calls from certain applications in Windows?


| No, it means the virus scanners don't scan running processes.
| They scan files on hard disk and in e-mails/other network-related stuff that
| are destined for transfer to Windows-based networks/machines... and then
| quarantine anything that matches a virus profile.

McAfee scans running processes.


Interesting. So, does McAfee also check for malicious calls from
malicious applications?

But I think McAfee is not open source software. So, is there
any other open source virus scanner that supports the
feature of checking the malicious calls from malicious
applications?

Readers of this thread might also find this interesting:
http://vx.netlux.org/lib/afc08.html


#9
March 16th 10, 04:41 AM posted to comp.os.linux.security,alt.comp.virus,microsoft.public.windows.vista.security,comp.os.linux.setup,comp.programming
Karthik Balaguru

On Mar 14, 9:28 pm, "David H. Lipman" wrote:
From: "Karthik Balaguru"

| On Mar 14, 6:08 am, "David H. Lipman" wrote:
| And verily, didst Karthik Balaguru hastily babble thusly:


[Perumal]
Hi,
Is there any way by which I can tell whether an application is malicious
or not by looking at the system calls made by the application?


Thanks In Advance,
Perumal



[Marc Stan]
If I've understood your question, there exists a project called REMUS hosted
on sourceforge; it monitors system calls made by 'dangerous' processes such
as daemons and, according to a database of 'good behaviours'
(i.e. right parameters in syscalls, etc.), tells you whether a call is
malicious or not. Unfortunately it works only with the 2.4 kernel... but if you
like you can always make a port.
Hope this helped you.
Marc Stan



[Karthik Balaguru]
Cool! That's great :-)
I have been looking for a similar tool but for the 2.6 kernel.
But won't any open source virus scanner tools use this
trick too, apart from other scanning tricks, to contain
a few malicious applications that make malicious calls?
Is it not useful for a virus scanner to use this methodology?



Thx,
Karthik Balaguru



[Bill Marcum]
Most virus scanners that run under Linux are used to scan for viruses that
attack Windows.


[Karthik Balaguru]
So, does it imply that the virus scanners check for
malicious system calls from malicious applications
in Windows? Are there any open source implementations
of those virus scanners that check for malicious
system calls from certain applications in Windows?
| No, it means the virus scanners don't scan running processes.
| They scan files on hard disk and in e-mails/other network-related stuff that
| are destined for transfer to Windows-based networks/machines... and then
| quarantine anything that matches a virus profile.
McAfee scans running processes.


| Interesting. So, does McAfee also check for malicious calls from
| malicious applications?

| But I think McAfee is not open source software. So, is there
| any other open source virus scanner that supports the
| feature of checking the malicious calls from malicious
| applications?

| Thanks in advance,
| Karthik Balaguru

Define: "malicious calls"


Just 'unreliable/tweaked calls'.

There are many views of this:
- Incorrect parameters in the sys calls.
- Certain calls could have been altered by someone, as it is
available openly. In such scenarios, if an application is installed on
such a system and if it is dependent on the library in which the
system calls have been altered, then the newly installed application
might use those specific calls (library), which in turn would cause
problems as it has been tweaked.

I think REMUS (kernel module for Linux) helps in identification of
the incorrect parameters and access rights by interaction with the
AccessControl Database managed by the sysctl command,
but I am not sure if it would help in identifying whether the system
calls have been tweaked.

It appears that McAfee finds patterns in the discovered viruses,
and then scans for that pattern. That is, it is dependent on the map.

Eager to know if there is any tool that could help in identification
of the tweaked system calls?

Thanks in advance,
Karthik Balaguru
#10
March 16th 10, 11:09 AM posted to comp.os.linux.security,alt.comp.virus,microsoft.public.windows.vista.security,comp.os.linux.setup,comp.programming
FromTheRafters

"Karthik Balaguru" wrote in message ...

I think REMUS (kernel module for Linux) helps in identification of
the incorrect parameters and access rights by interaction with the
AccessControl Database managed by the sysctl command,
but I am not sure if it would help in identifying whether the system
calls have been tweaked.

***
It looks for suspicious activity regarding programs using legitimate
calls in a suspicious (possibly malicious) manner. Some attack patterns
are known to use certain combinations of calls; any program using that
certain combination of calls will be suspect. The calls themselves are
not malicious. See
http://www.pdf-tube.com/download/ebo...y9yZW11cy5wZGY
***
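The idea Marc Stan and FromTheRafters describe in this thread (a database of a daemon's 'good behaviours', and flagging combinations of otherwise legitimate calls rather than individual calls) can be sketched as a small anomaly detector. This is an added example, not REMUS's code and not from any poster; the daemon, its strace-style traces and the list of argument-sensitive calls are constructed here for illustration.

```python
import re

# Calls whose first quoted argument is pinned; this list is an assumption of the example, not REMUS's.
ARG_SENSITIVE = {"open", "execve", "connect"}
CALL_RE = re.compile(r'^(\w+)\((.*)\)\s*=\s*-?\w+')
STR_RE = re.compile(r'"([^"]*)"')

NORMAL_TRACES = [  # constructed strace-style lines of a hypothetical daemon
    'open("/etc/logd.conf", O_RDONLY) = 3\n'
    'socket(AF_INET, SOCK_STREAM, 0) = 4\n'
    'connect(4, {sin_port=514, sin_addr="10.0.0.5"}, 16) = 0\n'
    'write(4, "<14>logd up", 11) = 11\n'
    'close(4) = 0\n',
    'open("/var/log/logd.log", O_WRONLY|O_APPEND) = 3\n'
    'close(3) = 0\n'
    'execve("/bin/gzip", ["gzip", "/var/log/logd.log.1"], 0x0) = 0\n',
]
SUSPECT_TRACE = (  # constructed: the same daemon shipping a secret file off-host
    'open("/etc/logd.conf", O_RDONLY) = 3\n'
    'socket(AF_INET, SOCK_STREAM, 0) = 4\n'
    'connect(4, {sin_port=8080, sin_addr="203.0.113.7"}, 16) = 0\n'
    'open("/etc/shadow", O_RDONLY) = 5\n'
    'write(4, "root:...", 512) = 512\n'
)

def parse_trace(text):
    """One (syscall name, first quoted argument) pair per call line."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if m:  # non-call lines (signals, exit status) are skipped
            s = STR_RE.search(m.group(2))
            calls.append((m.group(1), s.group(1) if s else ""))
    return calls

def build_profile(traces, n=3):
    """The 'good behaviour' database: n-grams and arguments seen in training."""
    ngrams, args = set(), {}
    for calls in map(parse_trace, traces):
        names = [c[0] for c in calls]
        ngrams.update(tuple(names[i:i + n]) for i in range(len(names) - n + 1))
        for name, arg in calls:
            if name in ARG_SENSITIVE:
                args.setdefault(name, set()).add(arg)
    return {"n": n, "ngrams": ngrams, "args": args}

def check_trace(text, profile):
    """Alerts for call combinations or arguments never seen during training."""
    calls = parse_trace(text)
    names, n = [c[0] for c in calls], profile["n"]
    grams = [tuple(names[i:i + n]) for i in range(len(names) - n + 1)]
    alerts = [("sequence", g) for g in grams if g not in profile["ngrams"]]
    alerts += [("argument", (name, arg)) for name, arg in calls
               if name in ARG_SENSITIVE and arg not in profile["args"].get(name, ())]
    return alerts
```

Both normal traces score clean against their own profile, while the suspect trace is flagged for the unseen socket-connect-open and connect-open-write sequences and for the unseen connect peer and open path, even though every individual call in it is legitimate.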