Security and Windows Vista: a forum for discussion on security issues with Windows Vista (microsoft.public.windows.vista.security).
System Calls

[Perumal]
Hi, is there any way I can tell whether an application is malicious or not by looking at the system calls made by the application?
Thanks in advance,
Perumal

[Marc Stan]
If I've understood your question, there exists a project called REMUS hosted on SourceForge; it monitors system calls made by 'dangerous' processes such as daemons and, according to a database of 'good behaviours' (i.e. right parameters in syscalls etc.), tells you whether a call is malicious or not. Unfortunately it works only with the 2.4 kernel... but if you like you can always make a port.
Hope this helped you.
Marc Stan

[Karthik Balaguru]
Cool! That's great :-) I have been looking for a similar tool, but for the 2.6 kernel. But won't any open source virus scanner tools use this trick too, apart from other scanning tricks, to contain the few malicious applications that make malicious calls? Is it not useful for a virus scanner to use this methodology?
Thanks,
Karthik Balaguru

[Bill Marcum]
Most virus scanners that run under Linux are used to scan for viruses that attack Windows.

[Karthik Balaguru]
So, does it imply that the virus scanners check for malicious system calls from malicious applications in Windows? Are there any open source implementations of those virus scanners that check for malicious system calls from certain applications in Windows?

PS: (FYI - the original discussion originated in linux security, in case you want even more info on the thread.) For this discussion I have looped in the virus, vista security & linux setup groups too, and hence I have added the names against the respective posts so that they could also share their thoughts.
Thanks in advance,
Karthik Balaguru
System Calls

"Karthik Balaguru" wrote in message ...

[Perumal]
Hi, is there any way I can tell whether an application is malicious or not by looking at the system calls made by the application? [...]

Not definitively, but as part of a heuristic approach it has some merit.

[Marc Stan]
If I've understood your question, there exists a project called REMUS hosted on SourceForge; it monitors system calls made by 'dangerous' processes such as daemons and, according to a database of 'good behaviours' (i.e. right parameters in syscalls etc.), tells you whether a call is malicious or not. Unfortunately it works only with the 2.4 kernel... but if you like you can always make a port. [...]

... of course, the beast has to be running in order to have "behavior".

[Karthik Balaguru]
Cool! That's great :-) I have been looking for a similar tool, but for the 2.6 kernel. But won't any open source virus scanner tools use this trick too, apart from other scanning tricks, to contain the few malicious applications that make malicious calls? Is it not useful for a virus scanner to use this methodology?

It is important for virus scanners to have effect *before* the beast has a chance to run - once it is running, it is often too late to avoid damage. They do use "emulation" and do use heuristics sometimes to accomplish this.

[Bill Marcum]
Most virus scanners that run under Linux are used to scan for viruses that attack Windows.

Most virus scanners detect viruses, most viruses attack Windows - would you have it any other way?

[Karthik Balaguru]
So, does it imply that the virus scanners check for malicious system calls from malicious applications in Windows? Are there any open source implementations of those virus scanners that check for malicious system calls from certain applications in Windows?

I'm having trouble understanding what a "malicious call" is - nothing exists in a vacuum.
System Calls

And verily, didst Karthik Balaguru hastily babble thusly:

[Karthik Balaguru]
So, does it imply that the virus scanners check for malicious system calls from malicious applications in Windows? Are there any open source implementations of those virus scanners that check for malicious system calls from certain applications in Windows?

No, it means the virus scanners don't scan running processes. They scan files on hard disk and in e-mails/other network related stuff that are destined for transfer to Windows based networks/machines... and then quarantine anything that matches a virus profile.

-- 
|                      | "I'm alive!!! I can touch! I can taste!    |
| Andrew Halliwell BSc | I can SMELL!!! KRYTEN!!! Unpack Rachel and |
|          in          | get out the puncture repair kit!"          |
|   Computer Science   | Arnold Judas Rimmer - Red Dwarf            |
System Calls

From:

| And verily, didst Karthik Balaguru hastily babble thusly:
| [Karthik Balaguru] So, does it imply that the virus scanners check for malicious system calls from malicious applications in Windows? Are there any open source implementations of those virus scanners that check for malicious system calls from certain applications in Windows?
| No, it means the virus scanners don't scan running processes.
| They scan files on hard disk and in e-mails/other network related stuff that
| are destined for transfer to Windows based networks/machines... and then
| quarantine anything that matches a virus profile.

McAfee scans running processes.

-- 
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
System Calls

On Mar 14, 6:08 am, "David H. Lipman" wrote:

| From:
| | And verily, didst Karthik Balaguru hastily babble thusly:
| | [Karthik Balaguru] So, does it imply that the virus scanners check for malicious system calls from malicious applications in Windows? Are there any open source implementations of those virus scanners that check for malicious system calls from certain applications in Windows?
| | No, it means the virus scanners don't scan running processes.
| | They scan files on hard disk and in e-mails/other network related stuff that
| | are destined for transfer to Windows based networks/machines... and then
| | quarantine anything that matches a virus profile.
| McAfee scans running processes.

Interesting. So, does McAfee also check for malicious calls from malicious applications?
But I think McAfee is not open source software. So, is there any other open source virus scanner that supports the feature of checking the malicious calls from malicious applications?
Thanks in advance,
Karthik Balaguru
System Calls

From: "Karthik Balaguru"

| On Mar 14, 6:08 am, "David H. Lipman" wrote:
| | From:
| | | And verily, didst Karthik Balaguru hastily babble thusly:
| | | [Karthik Balaguru] So, does it imply that the virus scanners check for malicious system calls from malicious applications in Windows? Are there any open source implementations of those virus scanners that check for malicious system calls from certain applications in Windows?
| | | No, it means the virus scanners don't scan running processes.
| | | They scan files on hard disk and in e-mails/other network related stuff that
| | | are destined for transfer to Windows based networks/machines... and then
| | | quarantine anything that matches a virus profile.
| | McAfee scans running processes.
| Interesting. So, does McAfee also check for malicious calls from
| malicious applications?
| But I think McAfee is not open source software. So, is there
| any other open source virus scanner that supports the
| feature of checking the malicious calls from malicious
| applications?
| Thanks in advance,
| Karthik Balaguru

Define: "malicious calls"

-- 
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
System Calls

On 03/14/2010 09:57 AM, Karthik Balaguru wrote:

| On Mar 14, 6:08 am, "David H. Lipman" wrote:
| | And verily, didst Karthik Balaguru hastily babble thusly:
| | [Karthik Balaguru] So, does it imply that the virus scanners check for malicious system calls from malicious applications in Windows? Are there any open source implementations of those virus scanners that check for malicious system calls from certain applications in Windows?
| | No, it means the virus scanners don't scan running processes.
| | They scan files on hard disk and in e-mails/other network related stuff that
| | are destined for transfer to Windows based networks/machines... and then
| | quarantine anything that matches a virus profile.
| | McAfee scans running processes.
| Interesting. So, does McAfee also check for malicious calls from
| malicious applications?
| But I think McAfee is not open source software. So, is there
| any other open source virus scanner that supports the
| feature of checking the malicious calls from malicious
| applications?

Last I heard, McAfee looks at discovered viruses, finds patterns in them and then scans for that pattern. This works because once a new nasty exploit is discovered it spreads with minor changes around the core exploit, like which IP to go to for instructions. I have not heard of anyone being able to predetermine what to scan for in applications as something one does not want. Were that the case, all formatting programs are trojans and all updating software is making unauthorized calls to MS or yum repositories.

-- 
Before the Gaza massacre Israel was given the benefit of the doubt. With Gaza Israel removed all doubt.
-- The Iron Webmaster, 4237
http://www.giwersworld.org/antisem/ Antisemitism a10
Mon Mar 15 02:37:47 EDT 2010
System Calls

"Karthik Balaguru" wrote in message ...

| On Mar 14, 6:08 am, "David H. Lipman" wrote:
| | From:
| | | And verily, didst Karthik Balaguru hastily babble thusly:
| | | [Karthik Balaguru] So, does it imply that the virus scanners check for malicious system calls from malicious applications in Windows? Are there any open source implementations of those virus scanners that check for malicious system calls from certain applications in Windows?
| | | No, it means the virus scanners don't scan running processes.
| | | They scan files on hard disk and in e-mails/other network related stuff that
| | | are destined for transfer to Windows based networks/machines... and then
| | | quarantine anything that matches a virus profile.
| | McAfee scans running processes.
| Interesting. So, does McAfee also check for malicious calls from
| malicious applications?
| But I think McAfee is not open source software. So, is there
| any other open source virus scanner that supports the
| feature of checking the malicious calls from malicious
| applications?

Readers of this thread might also find this interesting: http://vx.netlux.org/lib/afc08.html
System Calls

On Mar 14, 9:28 pm, "David H. Lipman" wrote:

| From: "Karthik Balaguru"
| | On Mar 14, 6:08 am, "David H. Lipman" wrote:
| | | From:
| | | | And verily, didst Karthik Balaguru hastily babble thusly:
| | | | [Perumal] Hi, is there any way I can tell whether an application is malicious or not by looking at the system calls made by the application? Thanks in advance, Perumal
| | | | [Marc Stan] If I've understood your question, there exists a project called REMUS hosted on SourceForge; it monitors system calls made by 'dangerous' processes such as daemons and, according to a database of 'good behaviours' (i.e. right parameters in syscalls etc.), tells you whether a call is malicious or not. Unfortunately it works only with the 2.4 kernel... but if you like you can always make a port. Hope this helped you. Marc Stan
| | | | [Karthik Balaguru] Cool! That's great :-) I have been looking for a similar tool, but for the 2.6 kernel. But won't any open source virus scanner tools use this trick too, apart from other scanning tricks, to contain the few malicious applications that make malicious calls? Is it not useful for a virus scanner to use this methodology? Thanks, Karthik Balaguru
| | | | [Bill Marcum] Most virus scanners that run under Linux are used to scan for viruses that attack Windows.
| | | | [Karthik Balaguru] So, does it imply that the virus scanners check for malicious system calls from malicious applications in Windows? Are there any open source implementations of those virus scanners that check for malicious system calls from certain applications in Windows?
| | | | No, it means the virus scanners don't scan running processes.
| | | | They scan files on hard disk and in e-mails/other network related stuff that
| | | | are destined for transfer to Windows based networks/machines... and then
| | | | quarantine anything that matches a virus profile.
| | | McAfee scans running processes.
| | Interesting. So, does McAfee also check for malicious calls from
| | malicious applications?
| | But I think McAfee is not open source software. So, is there
| | any other open source virus scanner that supports the
| | feature of checking the malicious calls from malicious
| | applications?
| | Thanks in advance,
| | Karthik Balaguru
| Define: "malicious calls"

Just 'unreliable/tweaked calls'. There are many views on this:
- Incorrect parameters in the sys calls.
- Certain calls could have been altered by someone, as they are available openly. In such scenarios, if an application is installed on such a system and it is dependent on the library in which the system calls have been altered, then the newly installed application might use those specific calls (library), which in turn would cause problems as it has been tweaked.

I think REMUS (kernel module for Linux) helps in identification of the incorrect parameters and access rights by interaction with the Access Control Database managed by the sysctl command, but I'm not sure if it would help in identifying whether the system calls have been tweaked.

It appears that McAfee finds patterns in the discovered viruses and then scans for that pattern. That is, it is dependent on the map.

Eager to know if there is any tool that could help in identification of the tweaked system calls?
Thanks in advance,
Karthik Balaguru
System Calls

"Karthik Balaguru" wrote in message ...

| I think REMUS (kernel module for Linux) helps in identification of the incorrect parameters and access rights by interaction with the Access Control Database managed by the sysctl command, but I'm not sure if it would help in identifying whether the system calls have been tweaked.

*** It looks for suspicious activity regarding programs using legitimate calls in a suspicious (possibly malicious) manner. Some attack patterns are known to use certain combinations of calls; any program using that certain combination of calls will be suspect. The calls themselves are not malicious. See http://www.pdf-tube.com/download/ebo...y9yZW11cy5wZGY ***
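Two ideas run through this thread: the REMUS approach described in the first post (a per-program database of "good behaviours", i.e. which syscalls a daemon may make and with which parameters), and the point made in the reply just above that individually legitimate calls become suspect in certain combinations. The following is an added example, written for this page and not REMUS's code nor a port of it, that applies both ideas to a syscall trace. Instead of hooking the kernel it consumes strace-style text lines, which is the cheapest way to try the idea on a 2.6 (or any later) kernel. The daemon name "httpd-example", its policy, the attack patterns and both trace excerpts are constructed for the example; the line parser is simplified and does not handle every real strace output form (e.g. nested commas inside struct arguments beyond the first field are ignored).

```python
"""Syscall-trace policy check plus call-combination heuristic (added example).

Written for this page; not REMUS's code. Two checks over strace-style lines:
  1. allow-list with parameter constraints for one program (deny by default),
  2. ordered combinations of legitimate calls that together look like an attack.
All names, the policy, the patterns and the traces are constructed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Callable

# strace-like line: name(args) = retval [anything after is ignored]
_LINE = re.compile(r"^(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\w+)")

@dataclass
class Call:
    name: str
    args: list[str]
    ret: str

def parse_trace(text: str) -> list[Call]:
    """Parse strace-like lines; lines that do not look like a call are skipped.
    Simplified: args are split on ',' and surrounding quotes are stripped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip().strip('"') for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("name"), args, m.group("ret")))
    return calls

# --- 1. constructed "good behaviour" policy for a hypothetical web daemon ----
def _open_ok(a: list[str]) -> bool:
    """Document root read-only; own config dir read-only; nothing else."""
    if not a:
        return False
    path, flags = a[0], (a[1] if len(a) > 1 else "O_RDONLY")
    if path.startswith("/var/www/"):
        return "O_WRONLY" not in flags and "O_RDWR" not in flags
    return path.startswith("/etc/httpd-example/") and flags == "O_RDONLY"

def _mmap_ok(a: list[str]) -> bool:
    """Reject mappings that are writable and executable at the same time."""
    prot = set(a[2].split("|")) if len(a) > 2 else set()
    return not {"PROT_WRITE", "PROT_EXEC"} <= prot

POLICY: dict[str, Callable[[list[str]], bool]] = {
    "open": _open_ok,
    "read": lambda a: True,
    "write": lambda a: True,
    "close": lambda a: True,
    "socket": lambda a: bool(a) and a[0] in ("PF_INET", "PF_INET6", "AF_INET", "AF_INET6"),
    "bind": lambda a: True,
    "accept": lambda a: True,
    "mmap": _mmap_ok,
}

# --- 2. constructed attack patterns: ordered (not necessarily adjacent) calls --
ATTACK_PATTERNS: dict[str, tuple] = {
    "socket duplicated onto stdin/stdout then exec (network shell)": (
        ("socket", lambda a: True),
        ("dup2", lambda a: len(a) > 1 and a[1] in ("0", "1")),
        ("execve", lambda a: bool(a) and a[0].endswith("sh")),
    ),
    "setuid(0) then exec": (
        ("setuid", lambda a: bool(a) and a[0] == "0"),
        ("execve", lambda a: True),
    ),
}

def match_subsequence(calls: list[Call], steps: tuple) -> bool:
    """True if the steps occur in order somewhere in the trace."""
    i = 0
    for c in calls:
        name, pred = steps[i]
        if c.name == name and pred(c.args):
            i += 1
            if i == len(steps):
                return True
    return False

def analyze(trace: str, policy=POLICY, patterns=ATTACK_PATTERNS) -> list[str]:
    """Return human-readable findings; an empty list means the trace conforms."""
    calls = parse_trace(trace)
    findings = []
    for n, c in enumerate(calls, 1):
        pred = policy.get(c.name)
        if pred is None:
            findings.append(f"line {n}: {c.name} not in policy for this program")
        elif not pred(c.args):
            findings.append(f"line {n}: {c.name}({', '.join(c.args)}) violates parameter policy")
    for label, steps in patterns.items():
        if match_subsequence(calls, steps):
            findings.append(f"pattern: {label}")
    return findings

# Constructed trace excerpts (not captured from a real system).
BENIGN_TRACE = """\
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(80)}, 16) = 0
accept(3, NULL, NULL) = 4
open("/var/www/index.html", O_RDONLY) = 5
read(5, "<html>...", 4096) = 512
write(4, "HTTP/1.1 200 OK", 15) = 15
close(5) = 0
"""

SUSPICIOUS_TRACE = """\
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(4444)}, 16) = 0
dup2(3, 0) = 0
dup2(3, 1) = 1
open("/etc/shadow", O_RDONLY) = 4
mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00
execve("/bin/sh", ["/bin/sh"], []) = 0
"""

if __name__ == "__main__":
    for label, trace in (("benign", BENIGN_TRACE), ("suspicious", SUSPICIOUS_TRACE)):
        print(label, "->", analyze(trace) or ["conforms to policy"])
```

As the earlier reply in this thread says, this only works once the program is running, so it is a detection and containment aid rather than a pre-execution filter; and because a policy is per program, the same calls that are violations here are perfectly normal for a shell or a package updater, which is the point the "formatting programs are trojans" remark makes.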