The Coalition against Personal Firewalls

No, actually it was easy to see his little trick and to understand that people have been doing it for years, the problem is that a properly configured IE won't allow it to work on a properly configured system, even without a PFW.

Try it yourself.

Reply to
Leythos

"Volker Birk" wrote

I thought we had to change something to prove that your claim that a changed binary would not be detected is right.

It's a fact that your PoC is detected, so they have to add it to the false positive list. If nobody asks them, they don't do that.

You are speculating well.

OK, that's the end of that part of the discussion.

Yes, they are talking about heuristics and didn't test that claim.

That's a better guess than the heuristic claim. But is your PoC signature claim the correct solution? I doubt it.

Is this PoC (and the other two) that important or interesting that they made a signature for it? Is it a circulating trojan/virus in the wild? It isn't named after you, is it? But there is another problem. If you look at

formatting link
you can look until you're blind, but you won't find any information about the trojans. They detected your PoCs as malware, but their virus database has no information. So calling all 3 PoCs Trojan Horses is ehhh, ehhh, premature and not nice?

In that case the discussed PoC will always be detected. So you need to change more to get a different binary.

Reply to
fritsz

If you want to do so, yes.

Why?

Yes ;-) This is what I wanted to explain.

Really? ;-)

Yours, VB.

Reply to
Volker Birk

"Volker Birk" wrote

It's not my program. This "you have to do the compiling" has to come to an end. I quit this discussion; after all, this is a firewall newsgroup. This PoC item is about security, but not firewall security :-).

Hint: there is more code involved between your 1 kB source and the 27 kB binary. And yes, Avira could be too easy-going (they were with the previous AntiVir version).

Reply to
fritsz

Did you notice that Avira _documents_ that they're detecting this by signature and not by, e.g., heuristics?

Yours, VB.

Reply to
Volker Birk

"Volker Birk" wrote

I don't understand your question.

Reply to
fritsz

There is documentation about the fact that my PoC code is detected because of a malware signature.

Here Avira documents: "The VDF file (usually named antivir*.vdf) contains all the signatures used by AntiVir engine to detect malware."

And there are the signatures for my PoC codes in this list.

So without any doubt they created signatures for my PoC codes, branding them as malware. This is why I said that this is a fact we don't need to discuss: that they're misinterpreting intentionally. If you don't want to accept this as a fact, you have to claim that the common AV providers don't know what they're doing at all.

Yours, VB.

Reply to
Volker Birk

"Volker Birk" wrote

Right and wrong. Right is that your binaries have the same signature in them, but it's not said that your PoCs are responsible for the entries.

Hint: an empty skeleton was already enough to trigger AntiVir. Internal code didn't matter. Speaking for you: AV providers don't know what they're doing at all. In that case it looks like you were right.

To catch a thief you need to think like a thief. To write a good AV program you need to think like a virus writer. In my opinion there are too few virus writers working at today's AV companies. It's a little bit too heavy to say they don't know what they are doing at all. I didn't check all the AV programs. I could agree that Avira should know better than they do.

Reply to
fritsz

I was hoping that other people reading this would compile it for themselves. Many Windows users will think that it's necessary to purchase a complicated GUI when really all it takes is bcc32 -W breakout-en.c at a command line after a few minor code tweaks to make the different compiler happy. My point was that they can get a well known compiler for free and compile the code themselves assuming they trust a downloaded executable compiler from Borland. This won't prove much unless someone with a particular scanner finds that the executable they produced is detected as malware. Then we'd know that at least one scanner can heuristically detect the behavior of Volker's code. This is beside the real point which is whether or not Volker's executable should be detected as malware by any means, heuristic or otherwise.

Most Windows users don't read this group or Microsoft's advice and have the default security settings in IE. They wouldn't be able to change that if their life depended on it.

The point is whether or not Volker's executable should be detected as malware by AV tools. I think this should be answerable even if Volker had never made any claims and it should also be answerable even if no-one had ever tested the PoC with your IE settings. Claims and tests do not change what the executable file attempts to do.

Ok then the following are just two of the many files which should be detected as malware but are not currently so detected by AVG.

formatting link
formatting link
Do you agree? Please note that I don't care whether either of these files does or doesn't prove anything or whether they are stopped by your IE settings or other software or other equipment. I care only about whether or not they should be detected as malware or potential malware by AV software. If you think that they should be detected as malware then it will be clearer to me why you have the same view of an executable downloaded from Volker. Please don't tell me that you won't download them because you don't trust them. Someone of your capability should be able to set up an isolated test environment in minutes so that you can see what these files claim to do. You may already know what they do. It would be difficult for most people reading this not to know what Gibson's leak test attempts to do.

Do you mean that if I compile it myself and a virus scanner detects it (perhaps heuristically) then I should ignore the scanner or tell it not to detect my executable?

Then you must have compiled your own executable from Volker's source, like I did, for your tests which showed that the PoC doesn't work on your system.

So it seems to me that you are saying that you don't trust Volker to make available a downloadable executable which is nothing more than a compiled version of his source code.

You could check whether or not Volker's executable is nothing more than a compiled version of his source. You must have the same compiler he used because you have everything on the market for writing code.

Jason

Reply to
Jason Edwards

Yes it probably was unreasonable of me to expect you to answer those questions. I had someone else in mind at the time. Sorry about that.

Do you think that other PoCs such as the ones in my previous post (firehole and leaktest) should also be detected by AV tools? I'm not suggesting that these PoCs do get past personal firewalls or that certain IE settings don't stop them but they are still attempting to prove a concept.

Jason

Reply to
Jason Edwards

The part I've quoted is the entire crux of your reply, so I'll address this part only:

The code that does what VB's POC does, or any other vendor's code, or any other app that does the same type of thing, should properly be detected as malware and blocked, either by the PFW, pop-up blocker, AV software or blocked by proper security settings in IE.

It's not specific to VB, I don't care about that lunatic or his fringe supporters, as they have gone too far to one side; they've lost the "real world" experience point of view.

I think that anything you install without knowing or that installs without your permission, or that launches processes/windows without your permission should be classified as malware and as such, should be detected and blocked with notification to the user - who should have the ability to ALLOW/BLOCK/ALLOW ONCE the item.

Reply to
Leythos

LOL that sounds very specific to VB to me Leythos. I don't think it makes you look any better.

Jason

Reply to
Jason Edwards

I don't care how it looks, facts speak for themselves. The simple fact is that he suggests that his POC code proves PFWs don't work, while his POC code doesn't actually do what he says.... Sure, on some misconfigured systems, on some systems that don't have any protection, it works, but that's hardly any type of proof.

If his POC is tested and fails, then it only proves one thing: that his testing and methods are flawed, and that makes the rest of his position that PFWs are worthless completely flawed.

If it's blocked by any of the PFW solutions, then it proves that they do work and are not completely useless. His group just hangs on to the idea that because they tested something under a non-real-world setting, or a very limited scope, their position is valid for all cases, which we all know is untrue.

Reply to
Leythos

Sorry I don't see what any of this has to do with whether or not Volker's executable, and the other two tools I mentioned, should be detected as malware by AV tools, either by signature or heuristic methods. This is the question I was asking. The answer can only be that they should be detected by AV tools or they should not be detected by AV tools. Which is it? Forget PFWs, popup blockers and IE settings. I would just like a yes/no answer to whether AV software should or shouldn't trigger on Volker's executable and the firehole and leaktest files I mentioned. I don't need the above rant as this must be the 100th time you've given it in this thread.

Goodnight

Jason

Reply to
Jason Edwards

I've already answered your question, twice at least, but you keep asking the question again. Please take the time to read the reply and not gloss over the parts; hint, you might have to go back a couple of reply posts.

Reply to
Leythos

[snip]

Firehole and leaktest are not currently detected as malware by AVG. Do you think they should be?

Goodnight

Jason

Reply to
Jason Edwards

I've already answered your question, twice at least, but you keep asking the question again. Please take the time to read the reply and not gloss over the parts; hint, you might have to go back a couple of reply posts.

Since you like AVG so much, you might want to know that AVG has one of the lowest detection rates of common AV solutions.

Reply to
Leythos

On Sun, 4 Jun 2006 23:49:54 +0100, Jason Edwards spoketh

Yes it should. The PoC (allegedly) proves a method that can be used to bypass security measures, thus the method itself should be considered a potential threat and detected as malware.

Lars M. Hansen

formatting link
(replace 'badnews' with 'news' in e-mail address)

Reply to
Lars M. Hansen

Well, the Computer "experts" still can't face the reality of the situation: that they're the goofs that drove people to develop home computers and personal firewalls.

Since the office firewalls that they develop are quite primitive, quite Excel with a top hat, and quite crap.

Reply to
zzbunker

Yes it should or yes they should?

Note also that Volker's code demonstrates only a Windows feature. It does not attempt to do anything which would not be accepted by any Windows compiler.

Note too that my question is only asking about AV tools. I am not asking whether a PFW should flag a potential outbound connection or whether changing IE settings makes a difference. I am asking only whether AV tools should detect the program file as malware. If an AV tool should detect the program as malware then it should be able to do this before the program executes.

Jason


Reply to
Jason Edwards

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.