Monthly Archives: May 2010
Malicious code, types and trends–part 2
Trojans. These days we see a dramatic upsurge in computer infections with trojans; they are the preferred tools of hackers. As in the old legend of the Trojan Horse, this type of malware masquerades as a useful program or is hidden (bound) inside a useful program, tricking the user into executing it, either as it is or together with the program that carries it. A Trojan horse neither replicates nor copies itself, but the damage it brings to the computer is huge. Once installed on a system, it gives the hacker the ability to download or upload and execute other malware on the compromised system, or the ability to steal passwords, other …
Malicious code, types and trends–part 1
– Computer viruses are parasitic programs which are able to replicate themselves, attach themselves to other executables on the computer, and perform unwanted and often malicious actions. A virus is not able to spread itself to other computers on its own; some user action is needed for it to infect a new computer. Downloading and running software from untrusted sources, inserting a USB drive without scanning it first (and remember to always disable the AutoRun feature for removable drives such as CD-ROMs and DVD-ROMs), or downloading and running email or IM attachments, even from known persons, can put you in the nasty situation of having an infected computer. Always when you deal with these situations and to …
A new attack method–Kernel HOok Bypassing Engine ?
Almost all antivirus products rely on kernel-mode drivers for their operation; more specifically, they modify the SSDTs. SSDT stands for System Service Descriptor Table; it contains the addresses of routines (known as system services) that user-mode code invokes indirectly by executing the special system call instruction. Controlling the SSDTs means controlling every transition from user mode to kernel mode, and this is why antiviruses prefer them for real-time protection and self-defense. By modifying the addresses stored in the tables to point to their own routines, called "hook functions", the antiviruses are able to perform various checks on calls made by …
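To make the hooking mechanism concrete, here is an added user-mode C simulation (not code from the original post, and not the real Windows kernel layout): a small table of function pointers stands in for the SSDT, a "syscall" dispatches through it by index, and a self-defense hook is installed by saving the original entry and replacing it with a wrapper that inspects the arguments before chaining to the original. The service name, status codes and the protected PID are all hypothetical.

```c
#include <stdio.h>
#include <stdint.h>

/* Hypothetical service table standing in for the SSDT: each entry is the
 * address of a "system service" that the dispatcher reaches by index. */
typedef int (*service_fn)(uint32_t pid, uint32_t access);

#define SVC_OPEN_PROCESS 0          /* hypothetical index, like an NtOpenProcess slot */
#define SVC_COUNT 1

#define STATUS_SUCCESS 0
#define STATUS_ACCESS_DENIED (-1)
#define STATUS_INVALID_SYSTEM_SERVICE (-2)

#define PROTECTED_PID 4242u         /* pretend this is the AV's own process */
#define PROCESS_TERMINATE 0x0001u   /* the one access right the hook refuses */

static service_fn service_table[SVC_COUNT];
static service_fn original_open_process; /* saved pointer, used to chain and to restore */

/* The unhooked service: in a real kernel this would be the OS routine. */
static int real_open_process(uint32_t pid, uint32_t access) {
    (void)pid; (void)access;
    return STATUS_SUCCESS;
}

/* The hook function: check the arguments, deny what violates policy,
 * otherwise pass the call through to the original routine. */
static int hooked_open_process(uint32_t pid, uint32_t access) {
    if (pid == PROTECTED_PID && (access & PROCESS_TERMINATE))
        return STATUS_ACCESS_DENIED;
    return original_open_process(pid, access);
}

/* Simulated user-to-kernel transition: every call goes through the table,
 * which is exactly why owning the table means seeing every call. */
int syscall_dispatch(int index, uint32_t pid, uint32_t access) {
    if (index < 0 || index >= SVC_COUNT)
        return STATUS_INVALID_SYSTEM_SERVICE;
    return service_table[index](pid, access);
}

void init_table(void) {
    service_table[SVC_OPEN_PROCESS] = real_open_process;
}

/* Install: remember the original address, then overwrite the slot. */
void install_hook(void) {
    original_open_process = service_table[SVC_OPEN_PROCESS];
    service_table[SVC_OPEN_PROCESS] = hooked_open_process;
}

/* Uninstall: put the saved address back. */
void remove_hook(void) {
    service_table[SVC_OPEN_PROCESS] = original_open_process;
}

/* Integrity check: does the slot still point at the known original? */
int is_hooked(void) {
    return service_table[SVC_OPEN_PROCESS] != real_open_process;
}

int main(void) {
    init_table();
    printf("before hook, terminate protected pid: %d\n",
           syscall_dispatch(SVC_OPEN_PROCESS, PROTECTED_PID, PROCESS_TERMINATE));
    install_hook();
    printf("after hook,  terminate protected pid: %d\n",
           syscall_dispatch(SVC_OPEN_PROCESS, PROTECTED_PID, PROCESS_TERMINATE));
    printf("after hook,  terminate other pid:     %d\n",
           syscall_dispatch(SVC_OPEN_PROCESS, 1000u, PROCESS_TERMINATE));
    printf("table modified: %d\n", is_hooked());
    remove_hook();
    return 0;
}
```

The `is_hooked` check is the same idea anti-rootkit tools use against the real SSDT: compare each entry with the address the kernel image originally exported and flag the ones that now point elsewhere.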
Simple check of a suspicious file
A friend of mine sent me a RAR archive containing an executable and a "crack", telling me his antivirus gave him an alert when he tried to run the "crack". He had downloaded the file from a link posted on a blog, the file was hosted on a file-sharing site, and the question was whether the antivirus alert was because of the name "crack", i.e. whether it was a "false positive". For those who do not know, a "crack" is a small executable which is able to modify an application's executable so that it acts like a registered (licensed) program, and a "false positive" is a false virus alert from the antivirus. I've used …