Emulating virus-like behaviour? - antivirus

I'm looking for a way to emulate virus-like behaviour for testing exclusions in anti-virus software. Can anyone recommend some behaviour that I can put together in a quick script which would trigger a typical realtime anti-virus scanner?

Are you looking for something like the Eicar test file?
If you want to hand-code virus-like behaviour, I can tell you that I've had trouble with anti-virus applications and the LowLevelKeyboardProc() and SetWindowsHookEx() functions. If the anti-virus application uses heuristics, it usually warns about keylogger-like actions.

Most antivirus programs work on a signature database, not heuristic detection, so most of them won't notice anything at all unless you write a program with the same signature as one that they're looking for.
If you do have a heuristic-based detection program, just try some obvious virus behavior like modifying settings that control which programs launch at startup, checking processes for common antivirus program names, etc. You may be able to look up documentation for your specific program and find out exactly which heuristics it uses to try and detect viruses based on behavior. It'll be pretty hard to find much of use by just firing off "a virus might do something like this" behaviors blindly.

Back in 2000 there was the ILOVEYOU virus (love bug) which was just a VBScript that overwrote files on the infected machine with copies of itself and emailed itself out through Outlook. The Outlook hole has been fixed but the part about copying itself over all files of a specific extension is a good heuristic to try and copy.

Here's an interesting article on behavior-based detection; it's old, but it sounds like that might be what you are looking to do.
http://www.securityfocus.com/infocus/1557
Also you may want to take a look at SARC (Symantec Antivirus Research Center). If you look into some of the latest threats, the technical details and removal instructions clue you in on what they do when infecting the system.
Here's an example:
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-050707-0639-99

Related

Which Roblox/LUAU classes can have malware/scripts hidden inside?

Which Roblox/LUAU classes can have malware/scripts hidden inside? Which classes will still be executed as a script? Which classes cannot contain a malicious script? Audio?
Since the complaint has been made that it's not clear what I'm asking, I've added emphasis above and put the title in there, too.
Ok, so I'm trying to learn how to detect and remove malware from things in the Roblox Studio Toolbox. That is a tall order, since I'm still learning LUAU and there are many ways to conceal malware, including obfuscation techniques (spacing, reversed strings, reversed ascii strings, getfenv(), hidden teleports, nested scripts, scripts that were reclassified to something else, like a weld, etc.).
Reclassified malware is the thing I have the most trouble with, although long scripts and scripts split into different files can be a pain, too. I do things by trial and error, like in the case of the Sakura Tree model by TreelingDeveloper (rbxassetid://6787294322). I stripped it of everything except the Trunk and Mesh, Falling Leaves and Particle Emitter, and Leaves and Mesh, and it is still similar, despite removing a couple dozen pieces, including two scripts that were nested inside several welds and claimed to weld the bark on.
Edit: I rechecked the Sakura tree after posting. Deleting all those parts reduced its visual appeal, although not completely. There were a lot of "Bark," "Other" and "Welds" that I deleted, and even the ThumbnailCamera. As it turns out, keeping all of the "Bark" and "Others" adds additional details to the trunk. I can't see a use for the ThumbnailCamera or the welds and "auto-weld" scripts.
It's not terribly hard to use CTRL-SHIFT-F to search for words like "getfenv," "string.reverse," "require," "eriuqer," and "teleport" but it is beyond my level of ability to find everything.
If you have any suggestions or tips on the question or the larger issues of malware in Roblox assets, I'd love to hear about it. Thanks!
Antimalware Plug-ins
Thus far, I have reviewed several (~10) plug-ins for detecting malware. None of them seem to have behavioral or real-time detection. They all seem to use simplistic heuristic detection, often relying on common words and phrases associated with known malware, as well as certain LUAU commands and obfuscation techniques. Those that I thought were worth using, as inadequate as they were, are GameGuard, Guardian Angel Defender, Mirror Egg and Ro-Protect. Unfortunately, they get a fair number of false positives (Mirror Egg, for example, suggests that anything with the name "Fire," including fire effects I added, may be malware). GAD has the best UI and seems to find more than anything else, but it also finds a lot of "empty objects" that I'm not sure what to make of. None of them are real-time, and none are good enough on their own.
Explanation
I'm not artistic, so it really isn't possible for me to develop my own models, meshes and such, and I think people who say those who use the toolbox are lazy and get what they deserve are apparently unaware that not everyone is a master craftsman when it comes to CG.
Roblox Studio's Toolbox is jam-packed with assets, which is great, except many of them contain malware.
Beyond this point is mostly a rant. Feel free to ignore, unless you're going to tell me to contact Roblox Customer Service or go to the Roblox DevForum.
You may ask why I don't post this on the DevForum. I've been there since April and, despite 7 hours of reading and over 1k likes, I still have not become a "regular". I asked customer service about this, but they gave me the run-around, referring me back to the rules to become a regular (which are deliberately vague) and generally being eager to get rid of me as fast as possible without actually helping.
You may ask why I didn't ask Roblox for help.
Having asked both the Appeals team (which had given me a 3-day IP ban and permanently suspended my unlisted, >private< game that is still in development because, they stated, I'd added an "inappropriate model" from the toolbox - a model that I didn't modify, and then rejected my appeal without any valid reason) and Customer Service, which gave me the run-around and did their very best not to help me, and to get rid of me as rapidly as possible, I'm trying to learn how to protect myself. In short, Roblox apparently refuses to take any real steps to deal with the plethora of malware, and help pages DO NOTHING to teach developers how to find malware. I've learned more on my own - which isn't nearly enough.
If I sound irritated, it's because I am. They have some of the worst customer support I've ever encountered in the 36 years of my adult life, and I've got many years of experience in that field, including tech support.
The Roblox tutorial pages have this to say when they introduce the toolbox:
> Anyone can upload an item to the Toolbox, so make sure your game still works after adding an item before settling on it. To learn how to inspect a model before inserting it, see [Item Inspection][1].
The linked page is woefully inadequate, and the page that Customer Support referred me to is, too. [What Is This Infected Model On My Place? help article.][2]
[1]: https://developer.roblox.com/en-us/resources/studio/Toolbox#item-inspection
[2]: https://en.help.roblox.com/hc/articles/203312920
When it comes to things that can execute code, the answer is Scripts and LocalScripts.
Some things to know: Scripts are only active in a few locations. According to the docs:
The instant that the following conditions are met, a Script's Lua code is run in a new thread:
Disabled property is false
The Script object is a descendant of the Workspace or ServerScriptService
Similarly for LocalScripts:
A LocalScript will only run Lua code if it is a descendant of one of the following objects:
A Player's Backpack, such as a child of a Tool
A Player's character model
A Player's PlayerGui
A Player's PlayerScripts
The ReplicatedFirst service
This doesn't apply for Edit Mode, just when you are testing it in Play Mode.
The thing is, a Script instance can be inserted into the hierarchy of anything. Audio, Meshes, Decals, etc. none of these things execute code on their own, but they are often Trojan Horses for delivering Scripts into the Workspace. And because the Toolbox inserts things into the Workspace by default, it creates the avenue for exploits that you're describing in your question.
This is why I recommended the Venom plugin by pa00, because it allows you to strip out any and all Scripts that might come with an asset. It is an easy countermeasure for when you are only looking for simple things. This suggestion falls apart once you start looking for more complicated assets like vehicles, Tools, and guns, where interactions have to be scripted, but it's a starting point.

Built-in scripting language available on all major operating systems?

Does anyone know of a scripting language that's included with most platforms (say Mac/Windows/Linux)? I haven't been able to find one. So far javascript in web browsers or compiled java are about it. Jython comes close.
My goal is to be able to download a file from the web or portable storage and just run it, without having to install something first, or have special user permissions, or edit it, or rename it, or give it executable privileges. It would give you access to generally accepted metaphors in computing: input, output, persistent storage, time, spawning tasks, sockets, fixed and floating point math, unicode, etc. Ideally it would abstract away minutia like line endings, endianness, and yielding for other processes.
I don't want to get into why having a universal language/virtual machine is important, or at the very least, useful. I feel that we are missing a middleware above the operating system level, something like POSIX but less esoteric, and without it, we all are forced to spend a disproportionate amount of time reinventing the wheel or writing special cases. For me, availability and a complete feature set are more important than speed (which could come later).
Thanks in advance for any insights you can provide,
Zack Morris
You will be able to run carefully written sh scripts on almost all unix systems.
If you want to add Microsoft systems, then it is more difficult, but still possible to provide a single script file, that will "autodetect" the interpreter it's running on and select between a sh part and a command.com or whatever they have on Microsoft systems.
Once you can run a script on a known system you can further download or unpack and install automatically whatever software you need.

How can I hide Perl code?

I've written some Perl programs and am planning on distributing them. They're part of a large binary distribution (mostly compiled C/C++). If possible, I'd prefer to give up as little as possible (I'm responsible for delivering working software, not delivering clever algorithms). What is my best bet for hiding the Perl code so that if someone really wants to see the source, they'd have to put in a bit more effort than simply opening the file in an editor?
You could encrypt your code and then at run time decrypt it and send it to perl stdin. (Of course the decryptor would not be encrypted.)
I got some minify/compile answers to my question How can I compile my Perl script so to reduce startup time?
Acme::Bleach
Filter::Crypto (potentially via PAR::Filter::Crypto) is clearly the most advanced open source tool for this job (barring perlcc which doesn't work well for many things, YMMV).
If all you want is hide the code from casual tinkerers, that's more than sufficient. Hiding it from determined and/or capable people is practically impossible.
It won't make it harder to just open the files but an obfuscator can make it more difficult to understand and modify your code. Have a look here or here for a start.

Any good library or software for queue networks simulation?

I have been trying to make EZSIM work with no luck; it is a piece of software for building discrete event simulators in a graphical DOS environment. In this software, my simulator and many others (of the other people in the course I'm taking) don't work, but the teacher's simulator (and the examples in the downloaded files) does work.
So, I began to distrust the software.
Do you know any software that resolves the same kind of problems but really works? It will be good if it is free, or I can download an evaluation copy or something like that.
If you don't know any software, do you know any library which might work? Preferably in C#, Ansi C, Java or Delphi.
This may be more than what you're looking for, but check out NS2. It's the standard for open source network simulations, and will allow you to simulate all kinds of network layer behavior.
I've also used JUNG in the past. It's very flexible, although it also doesn't offer much out of the box.
I used Möbius in my computer systems analysis class. It is free for educational use (which sounds like what you're doing). It's a Java GUI which generates C++ code.
The R package queuecomputer. queuecomputer is a computationally efficient method for simulating queues with arbitrary arrival and service times. There is a submitted paper on arXiv describing the algorithm used in the package. Examples can be found within the arXiv paper and the vignette. A web app based on the package is available at https://ace-ebert.shinyapps.io/queue_simulator_mmk/ .

Is there a good obfuscater for Perl code?

Does anyone know of a good code obfuscator for Perl? I'm being asked to look into the option of obfuscating code before releasing it to a client. I know obfuscated code can still be reverse engineered, but that's not our main concern.
Some clients are making small changes to the source code that we give them and it's giving us nightmares when something goes wrong and we have to fix it, or when we release a patch that doesn't work with what they've changed. So the intention is just to make it so that it's difficult for them to make their own changes to the code (they're not supposed to be doing that anyway).
I've been down this road before and it's an absolute nightmare when you have to work on "obfuscated" code because it drives up costs tremendously trying to debug a problem on the client's server when you, the developer, can't read the code. You wind up with "deobfuscators", copying the "real code" to the client's server or any of a number of other issues which just become a real hassle to maintain.
I understand where you're coming from, but it sounds like management has a problem and they're looking to you to implement a chosen solution rather than figuring out what the correct solution is.
In this case, it sounds like it's really a licensing or contractual issue. Let 'em have the code open source, but make it a part of the license that any changes they submit have to come back to you and be approved. When you push out patches, check the md5 sums of all code and if it doesn't match what's expected, they're in license violation and will be charged accordingly (and it should be a far, far higher rate). (I remember one company which let us have the code open source, but made it clear that if we changed anything, we've "bought" the code for $25,000 and they were no longer responsible for any bug fixes or upgrades unless we bought a new license).
Don't. Just don't.
Write it into the contract (or revise the contract if you have to), that you are not responsible for changes they make to the software. If they're f-ing up your code and then expecting you to fix it, you have client problems that aren't going to be solved by obfuscating the code. And if you obfuscate it and they encounter an actual problem, good luck in getting them to accurately report line number, etc., in the bug report.
Please don't do that. If you don't want people to alter your Perl code then put it under an appropriate licence and enforce that licence. If people change your code when your licence says that they shouldn't do that, then it's not your problem when your updates no longer work with their installation.
See perlfaq3's answer to "How can I hide the source for my Perl programs?" for more details.
It would seem your main issue is clients modifying code which then makes it difficult for you to support it. I would suggest you ask for checksums (md5,sha, etc) of their files when they come to you for support, and similarly check files' checksums when patching. For example, you can ask the client to provide the output of a provided program which goes through their install and checksums all the files.
Ultimately they have the code, so they can do whatever they want to it. The best you can do is enforce your licenses and to make sure you only support unmodified code.
In this case obfuscating is the wrong approach.
When you release the code to the client you should keep a copy of the code you send them (either on disk or preferably in your version control as a tag/branch).
Then if your client makes changes you can compare the code they have to the code you sent them and easily spot the changes. After all if they feel the need to make changes there is a problem somewhere and you should fix it in the master codebase.
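The checksum approach from the two answers above (ship a manifest with the release, have the client run a small program over their install, diff the result against what you sent) as a worked example. This is added illustration, not code from the thread or from any CPAN module; the script name, the manifest layout (the same `<sha256>  <path>` lines `sha256sum` prints) and the non-zero exit on any difference are my assumptions.

```perl
#!/usr/bin/perl
# Hypothetical manifest tool (added example, not from the thread or CPAN).
# Usage: manifest.pl create <dir> > MANIFEST.sha256   (run before shipping)
#        manifest.pl verify <dir> < MANIFEST.sha256   (run on the client's install)
use strict;
use warnings;
use File::Find;
use File::Spec;
use Digest::SHA;

# Walk $dir and return { relative_path => sha256_hex } for every regular file.
sub checksum_tree {
    my ($dir) = @_;
    my %sums;
    find({
        no_chdir => 1,
        wanted   => sub {
            return unless -f $File::Find::name;
            my $rel = File::Spec->abs2rel($File::Find::name, $dir);
            # 'b' = binary mode, so CRLF conversion on Windows cannot alter the digest
            $sums{$rel} = Digest::SHA->new(256)->addfile($File::Find::name, 'b')->hexdigest;
        },
    }, $dir);
    return \%sums;
}

# Parse a manifest (one "<sha256>  <path>" line per file) from a filehandle.
sub read_manifest {
    my ($fh) = @_;
    my %sums;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;                 # skip comments and blank lines
        my ($sum, $path) = split /\s+/, $line, 2;     # path may itself contain spaces
        $sums{$path} = $sum;
    }
    return \%sums;
}

# Compare shipped manifest against the installed tree. Returns a hash of lists:
# modified (digest differs), missing (shipped but gone), added (present but never shipped).
# All three empty means the client is running exactly what you sent.
sub compare_manifests {
    my ($shipped, $installed) = @_;
    my %report = (modified => [], missing => [], added => []);
    for my $path (sort keys %$shipped) {
        if (!exists $installed->{$path}) {
            push @{ $report{missing} }, $path;
        } elsif ($installed->{$path} ne $shipped->{$path}) {
            push @{ $report{modified} }, $path;
        }
    }
    for my $path (sort keys %$installed) {
        push @{ $report{added} }, $path unless exists $shipped->{$path};
    }
    return \%report;
}

my ($mode, $dir) = @ARGV;
die "usage: $0 create|verify DIR\n" unless $mode && $dir && -d $dir;
my $installed = checksum_tree($dir);
if ($mode eq 'create') {
    print "$installed->{$_}  $_\n" for sort keys %$installed;
} else {
    my $report = compare_manifests(read_manifest(\*STDIN), $installed);
    for my $kind (qw(modified missing added)) {
        print "$kind: $_\n" for @{ $report->{$kind} };
    }
    my $changes = grep { @{ $report->{$_} } } keys %$report;
    exit($changes ? 1 : 0);   # non-zero exit: this is not the code you shipped
}
```

Keep the generated MANIFEST.sha256 under the same version-control tag as the release, so a support request can be checked against the exact tree that was sent.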
Another alternative for converting your program into a binary is the free PAR-Packer tool on CPAN. There are even filters for code obfuscation, though as others have said, that's possibly more trouble than it's worth.
I agree with the previous suggestions.
However if you really want to, you can look into PAR and/or Filter::Crypto CPAN modules. You can also use them together.
I used the latter (Filter::Crypto) as a really lightweight form of "protection" when we were shipping our product on optical media. It doesn't "protect" you, but it will stop 90% of the people that want to modify your source files.
This isn't a serious suggestion, however take a look at Acme::Buffy.
It will at least brighten your day!
An alternative to obfuscation is converting your script to a binary using something like ActiveState's Perl Dev Kit.
I am running a Windows O/S and use perl2exe from IndigoSTAR. The resulting .EXE file will be unlikely to be changed on-site.
As others have said, "how do I obfuscate it" is the wrong question. "How do I stop the customer from changing the code" is the right one.
The checksum and contract ideas are good for preventing the "problems" you describe, but if the cost to you is the difficulty of rolling-out upgrades and bug-fixes, how are your clients making changes that don't pass the comprehensive test suite? If they are capable of making these changes (or at least, making a change which expresses what they want the code to do), why not simply make it easy/automated for them to open a support ticket and upload the patch? The customer is always right about what the customer wants (they might not have a clue how to do it "the right way", but that's why they are paying you.)
A better reason to want an obfuscator would be for mass-market desktop deployment where you don't have every customer on a standing contract. In that case, something like PAR -- anything which packs the encryption/obfuscation logic into a compiled binary is the way to go.
As several folks have already said: don't.
It's pretty much implicit, given the nature of the Perl interpreter, that anything you do to obfuscate the Perl must be undoable before Perl gets its hands on it, which means you need to leave the de-obfuscation script/binary lying around where the interpreter (and thus your customer) can find it :)
Fix the real problem: checksums and/or a suitably worded license. And support staff trained to say 'you changed it? we're invoking clause 34b of our license, and that'll be $X,000 before we touch it'....
Also, read why-should-i-use-obfuscation for a more general answer.
I would just invite them into my SVN tree on their own branch so they can provide changes and I can see them and integrate their changes into my development tree.
Don't fight it, embrace it.
As Ovid says, it's a contractual, social problem. If they change the code, they invalidate the warranty. Charge them a lot to fix that, but at the same time, give them a channel where they can suggest changes. Also, look at what they want to change and make that part of the configuration if you can. They have something they want to do, and until you satisfy that, they are going to keep trying to get around you.
In Mastering Perl, I talk a bit about defeating obfuscators. Even if you do things like making nonsense variable names and the like, modules such as B::Deparse and B::Deobfuscate, along with Perl tools such as Perl::Tidy, make it pretty easy for the knowledgeable and motivated person to get your source. You don't have to worry about the unknowledgeable and unmotivated so much because they don't know what to do with the code anyway.
When I talk to managers about this, we go through the normal cost benefit analysis. There is all sorts of stuff you could do, but not much of it costs less than the benefit you get.
Good luck,
Another not serious suggestion is to use Acme::Bleach, it will make your code very clean ;-)