So I started network programming a few days ago, and I created a very simple trojan (victims execute a client that creates a connection to the hacker's PC, and then the hacker can execute CMD functions via a simple system() call).
Basically my trojan works, but I don't understand why my anti-virus doesn't detect it. I mean, the only thing that could possibly have stopped my trojan is my firewall, which detected an outgoing connection. So I don't understand why other trojans are detected but not this new one.
I can provide source code if needed, and I would like to emphasize that I do this only for educational purposes. I will never use any of this knowledge to attack anyone (anyway, I don't have enough skill); I just want to learn and understand :).
Avira:
AMES is using the Avira engine for virus detection. If the Avira engine is not able to detect a virus, then the most likely cause could be that this virus is brand new and cannot be detected yet. We would greatly appreciate it if you submit the suspicious file to us so we can analyze it immediately. Our virus lab will subsequently send you feedback. If we cannot detect the suspicious file as a virus, we will work on creating an update to make sure we detect the file in the future.
AVG:
Sometimes a new virus is not detected even if your AVG is fully up to date. This happens when a threat has just been written or released, or we've discovered it only a very short time ago and are now working on an update that will recognize and contain the virus.
Dell (https://powermore.dell.com/technology/teaching-your-computer-to-detect-new-viruses/):
Most antivirus programs use signatures — mathematically derived strings or regular expressions of malware code — to detect viruses. But that requires a lengthy process of finding malware in the wild, getting a sample, analyzing it, generating a signature and adding it to the repository that is pushed to users in anti-virus updates.
So it seems, as mentioned in the comments, that viruses are only detected once their signatures have been recorded by the security software.
Here is a link on how you can use ClamAV to create your own signature: http://blog.adamsweet.org/?p=250
It's not detected because most antivirus products are signature-based (blacklisting), and that approach is basically not effective at stopping malware because it requires:
1. an antivirus company to collect a sample, confirm it and write a signature for it;
2. issuing a database update;
3. people in general updating their virus database definitions.
Until steps 1-3 are taken, a virus is free to spread and attack your devices. Plus, since step 3 involves people cooperation (allow the antivirus to update) the attack window might not be so short.
It is generally accepted that the efficiency of signature-based antivirus is around 40%-45%.
In the last couple of years, antivirus companies are finally admitting that virus signatures are not the way to go, and they must change from that to behaviour analysis:
http://www.pcworld.com/article/2150743/antivirus-is-dead-says-maker-of-norton-antivirus.html
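Both answers above come down to the same mechanism: a sample is collected, a signature is written, and the database is pushed out. The following is an added example (not code from either answer, and not ClamAV's own code) showing what the two common ClamAV signature types look like for a home-made sample like the poster's, and why a trivial edit defeats one of them. The sample bytes are constructed for the example; the `.hdb` line is the format `sigtool --md5` prints, the `.ndb` line follows ClamAV's documented `MalwareName:TargetType:Offset:HexSignature` layout, and `scan()` is a toy matcher so the example runs without ClamAV installed (it does not implement ClamAV's pattern wildcards).

```python
import hashlib
from typing import List, Optional

# Constructed stand-in for a "new" trojan binary: a DOS/PE-looking header plus the
# kind of string a reverse-connect shell stub would carry. Not a real executable.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60
          + b"connect 10.0.0.5:4444 then system(cmd.exe)" + b"\x00" * 32)


def hdb_signature(data: bytes, name: str) -> str:
    """ClamAV .hdb (hash) signature line: MD5:FileSize:MalwareName.
    This is what `sigtool --md5 file` prints for a sample."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def ndb_signature(name: str, needle: bytes, target_type: int = 0, offset: str = "*") -> str:
    """ClamAV .ndb (body) signature line: MalwareName:TargetType:Offset:HexSignature.
    TargetType 0 = any file type; Offset * = the pattern may appear anywhere."""
    return f"{name}:{target_type}:{offset}:{needle.hex()}"


def scan(data: bytes, hdb: List[str], ndb: List[str]) -> Optional[str]:
    """Toy matcher reproducing how the two signature kinds are applied, so the
    example runs without ClamAV. Hash signatures need the exact digest (and size);
    body signatures here support only literal hex, not ClamAV's wildcards
    (?? * {n-m}), which real signature writers rely on to survive small edits."""
    digest = hashlib.md5(data).hexdigest()
    for line in hdb:
        md5, size, name = line.split(":", 2)
        if md5 == digest and (size == "*" or int(size) == len(data)):
            return name
    for line in ndb:
        name, _target, offset, hexsig = line.split(":", 3)
        pattern = bytes.fromhex(hexsig)
        if offset == "*":
            if pattern in data:
                return name
        else:
            start = int(offset)
            if data[start:start + len(pattern)] == pattern:
                return name
    return None


def evasion_table(hdb: List[str], ndb: List[str]) -> dict:
    """Which signature still fires after the trivial edits an author makes to
    'refresh' a sample: append one byte, or change the command string."""
    variants = {
        "original": SAMPLE,
        "one_byte_appended": SAMPLE + b"\x00",
        "string_changed": SAMPLE.replace(b"cmd.exe", b"CMD.EXE"),
    }
    return {label: scan(data, hdb, ndb) for label, data in variants.items()}


if __name__ == "__main__":
    hdb = [hdb_signature(SAMPLE, "Example.Trojan.Hash")]
    ndb = [ndb_signature("Example.Trojan.Body", b"cmd.exe")]
    print("\n".join(hdb + ndb))
    for label, hit in evasion_table(hdb, ndb).items():
        print(f"{label:20s} -> {hit}")
```

The hash signature only matches the exact bytes it was made from, so recompiling or appending a byte is enough to evade it; the body signature survives that but not a change to the string it keys on. This is the 40%-45% problem from the answer above in miniature, and why vendors moved toward behavioural detection.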
I hope this is the appropriate forum.
I have used jupyter notebooks for several years, but just started using Apache Zeppelin fairly recently.
It has several potentially advantageous differences. One of them seems to me to be the ease with which the server daemon is launched (or stopped), making Zeppelin easier to install as a shared, collaborative platform.
Possible to kill only part of Zeppelin?
But what can I do, other than zeppelin-daemon.sh stop, when a particular language's kernel has frozen or gotten stuck in ridiculously long code? Sometimes you can pause the paragraph (although the pause seems to also get "stuck" when the kernel is frozen). But what I really want is a command line way to say something like, "restart the SparkSQL kernel" or "kill the current task that the Python kernel is working on", while leaving the rest intact.
I want to allow users the flexibility to try things that might "get stuck", and the confidence that a coworker will not bring down their platform via stupid mistakes.
You can restart an individual interpreter in the notebook.
Or restart it from the interpreter menu.
When I execute on solaris 11.0:
pfiles /proc/PROCESSID
The result is process information, a small chunk of output is what interest me:
4: S_IFSOCK mode:0666 dev:543,0 ino:46228 uid:0 gid:0 size:0
O_RDWR|O_NONBLOCK
SOCK_STREAM
SO_REUSEADDR,SO_KEEPALIVE,SO_SNDBUF(49152),SO_RCVBUF(128480)
sockname: AF_INET6 ::ffff:10.10.50.28 port: 22
peername: AF_INET6 ::ffff:10.16.6.150 port: 55504
The process I pfiles /proc/PROCESSID is the sshd session itself.
My question is: given a process ID, how can I get this (pfiles) information from within kernel code?
When looking in struct proc I could not find anything that gives me this data.
Is there a pointer to a struct that holds all the open files of the process, reachable from the process's proc?
I also executed truss pfiles /proc/PROCESSID but could not find the exact call.
If you look in /usr/include/sys/user.h you'll see the open file information can be found in the p_user.u_finfo structure of the current process.
Walking that structure is not trivial. Just look at what the proc filesystem code has to do to look up the attributes of just one open file descriptor. There's lots of locking needed - you can't simply walk the data structures while things are running.
And, the following is beyond the scope of the question, but it's important...
For what it's worth, what you're doing can't work. It's fundamentally flawed - technically and legally.
What you're trying to do - track users who share a user account - is worthless anyway. You will never be able to prove that just because a certain login session executed some code that the code was executed because the user logged into that session purposely ran that code. Because any of the users with access to that account can modify the environment of the shared account such that malware is run by someone else. And they can make it look just like a typed-in command.
Shared credentials and accounts violate nonrepudiation. That's your insurmountable legal flaw in using any data your custom kernel tracking may produce - even if you manage to produce a system that's foolproof, which isn't likely.
If I'm logged into a shared account, you can never prove that the code I ran was run intentionally.
Well, that's not entirely true - if you have perfect auditing where you can trace every thing a user does down to the bytes modified on disk, you can. And "perfect" in this case means those users have no access whatsoever to change any part of the auditing system.
But if you already have perfect auditing in place, you don't need to write kernel modules to try and implement it.
Of course, it's impossible to prove you have perfect auditing in place because you can't prove that you don't have holes in it.
See the problem?
We're right back to "You CAN'T prove I did it intentionally."
You'd be much better off just using the OS-provided auditing services. Whatever you come up with isn't going to be useful in proving "who did it" for any intelligent bad actor - like someone who figures out a way to insert malicious code into another user's session. And the OS auditing will be sufficient to catch anyone who has no clue in how to cover their tracks.
But you won't be able to provably catch any bad actor who knows what he's doing when shared accounts are involved. And if you can't prove it, you might not even be able to do anything at all to someone you suspect. Because someone who really knows what they're doing will be able to pin the apparent blame on someone who's innocent - if they can't hide or destroy the evidence of the bad act[s] in the first place.
What are you going to do if you find the shared .profile file has a line in it that after a certain date emails sensitive data to a throwaway email account, but only when the login comes from a certain IP address?
Any one of the users who share that one account could have put it in there.
No auditing system in the world can solve that problem unless it's perfect and tracks every file change.
If the data you're trying to protect is important, whoever is tasking you to solve the problem by writing custom kernel modules needs to grow a brain and solve the real problem - shared user accounts. Get rid of them.
There's a reason why every security guide says not to use shared accounts, and every security audit I've ever seen will fail anyone using shared accounts.
I'm having an intermittent problem that I'm trying to track down. Every now and then a significant portion of my src directory is being erased (like 90%+ of all files). I'll be working on my project and all of a sudden I'll get an error, look at git status and it will show nearly all of the files in my repo have been deleted. Then I have to run a bunch of git checkout -- commands and I'm lucky if I don't lose a bunch of work.
Can I use inotify or another program to watch my src directory and report which program is deleting the files? I have a feeling it's gulp but I have no evidence beyond the anecdotal, and I don't want to bother a specific project until I've nailed down the source of the problem.
OS X, by the way.
The first thing that comes to mind is to use lsof to monitor your directory and capture its output to a file (or have a terminal up).
I tested lsof +D ~/Downloads/ -r 2 out on my OS X, and it seems to work fine.
https://unix.stackexchange.com/questions/157064/monitoring-files-continuously-with-lsof
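An added example of putting that lsof polling to use, not code from the answer above: it parses lsof's machine-readable `-F pcn` output (one field per line, tagged `p` for PID, `c` for command, `n` for path), diffs two snapshots of the watched tree, and reports which processes had the tree open at the moment files vanished. The scratch directory and the lsof output in `demo()` are constructed so it runs offline; `run_lsof()` is the live call and assumes `lsof` is on PATH. This narrows the suspects to processes holding files under the directory; it does not prove which one called unlink(), which is what OS-level auditing is for.

```python
import os
import subprocess
from typing import Dict, List, Set, Tuple

LsofRecord = Tuple[int, str, str]  # (pid, command, path)


def parse_lsof_fields(text: str) -> List[LsofRecord]:
    """Parse `lsof -F pcn` output. Each field is on its own line, tagged by its
    first character: p = PID (starts a new process block), c = command name,
    n = file name. Any other tags lsof emits (such as f for the descriptor) are skipped."""
    records: List[LsofRecord] = []
    pid, cmd = None, ""
    for line in text.splitlines():
        if not line:
            continue
        tag, value = line[0], line[1:]
        if tag == "p":
            pid, cmd = int(value), ""
        elif tag == "c":
            cmd = value
        elif tag == "n" and pid is not None:
            records.append((pid, cmd, value))
    return records


def holders_under(records: List[LsofRecord], watch_dir: str) -> Dict[int, str]:
    """Processes (pid -> command) that currently hold anything under watch_dir open."""
    root = os.path.abspath(watch_dir)
    return {pid: cmd for pid, cmd, path in records
            if path == root or path.startswith(root + os.sep)}


def snapshot(watch_dir: str) -> Set[str]:
    """Relative paths of every regular file currently under watch_dir."""
    found: Set[str] = set()
    for dirpath, _dirs, names in os.walk(watch_dir):
        for name in names:
            found.add(os.path.relpath(os.path.join(dirpath, name), watch_dir))
    return found


def attribute_deletions(before: Set[str], after: Set[str],
                        lsof_text: str, watch_dir: str) -> dict:
    """Files that vanished between two snapshots, plus the processes that had the
    tree open at that moment (suspects, not proof of who unlinked them)."""
    return {
        "deleted": sorted(before - after),
        "suspects": holders_under(parse_lsof_fields(lsof_text), watch_dir),
    }


def run_lsof(watch_dir: str) -> str:
    """Live use (assumes lsof on PATH). +D makes lsof descend the tree, which is slow
    on large directories, so keep the polling interval generous."""
    return subprocess.run(["lsof", "-F", "pcn", "+D", watch_dir],
                          capture_output=True, text=True).stdout


def demo() -> dict:
    """Self-contained run: a scratch tree, one deletion, and constructed lsof output
    (no lsof needed) naming a build tool with the tree open and an unrelated process."""
    import shutil
    import tempfile
    work = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(work, "src"))
        for name in ("src/app.js", "src/util.js", "README"):
            with open(os.path.join(work, name), "w") as f:
                f.write("x")
        before = snapshot(work)
        os.remove(os.path.join(work, "src", "util.js"))
        after = snapshot(work)
        fake_lsof = (f"p4242\ncgulp\nfcwd\nn{work}\nf12\nn{work}/src/app.js\n"
                     f"p7\nccat\nf3\nn/tmp/unrelated\n")
        return attribute_deletions(before, after, fake_lsof, work)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    import sys
    import time
    target = sys.argv[1]
    last = snapshot(target)
    while True:                       # poll every 2 s, like `lsof -r 2` does
        time.sleep(2)
        current = snapshot(target)
        if current != last:
            report = attribute_deletions(last, current, run_lsof(target), target)
            if report["deleted"]:
                print(report)
            last = current
```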
Auditing. This is one thing that auditing is designed for.
Don't roll your own. Don't use tools designed for other purposes. Use the auditing facilities your operating system provides.
Basic tutorial for OS X is here:
OpenBSM auditing on Mac OS X
Way back in 10.3.x, Apple submitted Mac OS X and Mac OS X Server to the National Information Assurance Partnership for Common Criteria certification. Common Criteria certification means that the covered hardware and software has been tested and evaluated to make sure that it meets an established set of requirements for security and data protection. 10.3.6 and 10.3.6 Server were tested and were found to meet Evaluation Assurance Level 3 (EAL3) for Common Criteria certification.
As part of that certification effort, a new piece of software appeared from Apple: the Common Criteria Tools audit software. This software was OpenBSM, which is an open source implementation of Sun's Basic Security Module (BSM) security audit API and file format. ...
Yes, it's a pain to do properly. But it will work, and the results will be definitive.
In this scenario the user will submit his/her C code to my server through a browser.
The code will then be compiled and executed on my server and the output will be sent to the user.
Since the user can submit any code (including viruses or other malfunctioning code), I will have to take care of that.
So my question is, how can I secure my server from such code?
I cannot answer for Windows; I can tell you for Linux.
This is an extremely complex problem. You need to think about:
- a quota limit
- running the process that compiles/executes the code as an unprivileged user
- not allowing the process to run for more than N seconds
- not allowing the process to allocate too much memory
I can say that this is a long-term project that you can not finish correctly in a few weeks.
Your question is perhaps equivalent to the halting problem, and probably has no bulletproof answer (think of asm in malicious C code, forged function pointers, computed goto, a buffer overflow trashing the return address, dlsym & dlopen, etc.).
As mentioned by Shawn in his comment (referring to this question), you could use sand-boxing techniques. Alinsoar's answer shows you the complexity of the issue.
Another problem to think about: what rights to allow the guest process. Is it allowed to open a socket? If so, what traffic do you allow it?
If you do let it open a socket, the problem becomes even more complex, because it can deliver an attack over that socket...
You might consider using ideone API, some mobile devices software do so (CodeToGo for example)
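The limits listed in the two answers above (unprivileged user, CPU time, memory, plus a file-size and process-count cap) map directly onto setrlimit(2). The following is an added example, written for Linux in Python rather than taken from either answer, of a runner that applies them to the compiler and to the compiled submission. Assumptions: a `cc` on PATH for `compile_c()`; the `uid`/`gid` drop only works when the runner itself is root; `demo()` uses Python one-liners as stand-in "submissions" so it runs without a C compiler. rlimits are the floor, not a sandbox: as both answers say, a hostile C program can still reach the kernel and the network, so in production this belongs inside a container, seccomp filter or similar, and the socket question raised above is not addressed here.

```python
import os
import resource
import signal
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RunResult:
    status: str                 # "ok" | "nonzero" | "signaled" | "timeout"
    returncode: Optional[int]
    signal_name: Optional[str]
    stdout: bytes
    stderr: bytes


def _cap(res: int, soft: int, hard: Optional[int] = None) -> None:
    """Lower one rlimit in the child; never try to exceed the hard limit already in force."""
    hard = soft if hard is None else hard
    _, cur_hard = resource.getrlimit(res)
    if cur_hard != resource.RLIM_INFINITY:
        soft, hard = min(soft, cur_hard), min(hard, cur_hard)
    resource.setrlimit(res, (soft, hard))


def _limiter(cpu_seconds: int, mem_bytes: int, file_bytes: int, max_procs: int,
             uid: Optional[int], gid: Optional[int]):
    def apply() -> None:                            # runs in the forked child, before exec
        _cap(resource.RLIMIT_CPU, cpu_seconds, cpu_seconds + 1)  # SIGXCPU at soft, SIGKILL at hard
        _cap(resource.RLIMIT_AS, mem_bytes)         # address space: stops runaway malloc
        _cap(resource.RLIMIT_FSIZE, file_bytes)     # cannot fill the disk
        _cap(resource.RLIMIT_NPROC, max_procs)      # no fork bombs
        _cap(resource.RLIMIT_NOFILE, 64)
        _cap(resource.RLIMIT_CORE, 0)
        if gid is not None:
            os.setgroups([])
            os.setgid(gid)
        if uid is not None:                         # drop privileges last (needs root)
            os.setuid(uid)
    return apply


def run_limited(argv: List[str], *, cpu_seconds: int = 2, wall_seconds: float = 5.0,
                mem_bytes: int = 256 << 20, file_bytes: int = 1 << 20, max_procs: int = 64,
                stdin: bytes = b"", cwd: Optional[str] = None,
                uid: Optional[int] = None, gid: Optional[int] = None) -> RunResult:
    """Run argv with CPU, wall-clock, memory, file-size and process-count caps and a
    minimal environment. The child gets its own session so a wall-clock timeout can
    kill the whole process group, not just the direct child."""
    proc = subprocess.Popen(
        argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        cwd=cwd, env={"PATH": "/usr/bin:/bin"}, start_new_session=True,
        preexec_fn=_limiter(cpu_seconds, mem_bytes, file_bytes, max_procs, uid, gid))
    try:
        out, err = proc.communicate(stdin, timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        try:
            os.killpg(proc.pid, signal.SIGKILL)     # pid == pgid because of start_new_session
        except ProcessLookupError:
            pass
        out, err = proc.communicate()
        return RunResult("timeout", None, None, out, err)
    rc = proc.returncode
    if rc < 0:
        return RunResult("signaled", rc, signal.Signals(-rc).name, out, err)
    return RunResult("ok" if rc == 0 else "nonzero", rc, None, out, err)


def compile_c(source: str, workdir: str) -> RunResult:
    """Assumes a `cc` on PATH. The compiler runs under the same caps: a hostile
    translation unit can exhaust the compiler just as a binary can exhaust the runner."""
    src = os.path.join(workdir, "submission.c")
    with open(src, "w") as f:
        f.write(source)
    return run_limited(["cc", "-O1", "-o", os.path.join(workdir, "a.out"), src],
                       cpu_seconds=10, wall_seconds=30, mem_bytes=1 << 30,
                       file_bytes=64 << 20, cwd=workdir)


def demo() -> dict:
    """Four 'submissions' (Python one-liners standing in for compiled programs):
    well-behaved, CPU spin, sleep forever, memory hog."""
    py = sys.executable
    return {
        "hello": run_limited([py, "-c", "print('hello')"]).stdout,
        "ok": run_limited([py, "-c", "print('hello')"]).status,
        "cpu_spin": run_limited([py, "-c", "while True: pass"],
                                cpu_seconds=1, wall_seconds=10).signal_name,
        "sleeper": run_limited([py, "-c", "import time; time.sleep(30)"],
                               wall_seconds=1).status,
        "mem_hog": run_limited([py, "-c", "x = bytearray(1 << 30)"],
                               mem_bytes=256 << 20).status,
    }
```

The CPU spin ends with SIGXCPU from the kernel, the sleeper is killed by the wall-clock timeout (RLIMIT_CPU alone never fires for a process that only sleeps), and the memory hog fails its allocation and exits non-zero; that is the difference between "N seconds of CPU" and "N seconds of wall time" that the first answer's list glosses over.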
I am allowing users to upload photos like photo albums, and also attach files (documents for now) as mail attachments. So I assume I need some anti virus/security tool in place to scan the files first in case people upload infected stuff. So two questions:
1) Are there any 'free' or open source tools for this I can use or integrate into my environment: codeignitor php?
2) How to secure the upload area from rest of the system? Say the virus scanner fails to catch a virus and it is uploaded, how to prevent it from infecting other files? Like can the upload area be sandboxed in or something always and use that filepath for users to access the content so it does not spread to other parts of the system?
There is clamav for a free virus scanner. Install it and you could do something like:
function virus_detected($filename)
{
    $clamscan = "/usr/local/bin/clamscan";
    // quote the path: an unescaped file name here is a shell command injection
    exec("$clamscan -i --no-summary " . escapeshellarg($filename), $output, $exit_code);
    // clamscan exit codes: 0 = clean, 1 = infected, 2 = error; treat anything but 0 as not clean
    return $exit_code !== 0;
}
As for security, make sure the temporary files are uploaded to a directory outside of your web root. You should then verify the file type, rename the file to something other than its original file name and append the appropriate extension (gif, jpg, bmp, png). I believe this should keep you fairly safe aside from exploits in PHP itself.
For more information about verifying file types in php check out:
http://www.php.net/manual/en/function.finfo-file.php
I know this topic hasn't been active for three years now, but, in case anyone else in the future, similarly, is looking for a PHP-based anti-virus solution, for those without an anti-virus daemon, program or utility installed on their host machine and without the ability to install an anti-virus daemon, program or utility, phpMussel, a PHP script that I've written based on ClamAV that fits the bill for what Rohit (the original poster) was looking for (a PHP-based anti-virus to protect their CMS against malicious file uploads), may possibly be a viable solution. It certainly isn't perfect and I can't guarantee that it'll catch everything, but by far, it's certainly better than using nothing at all.
Ideally, as per already suggested above by Matt, making a call to shell to have ClamScan scan the file uploads is definitely an ideal solution, and if this is something that a hostmaster, webmaster or anyone in Rohit's situation is able to do, I'd second that suggestion wholly. What I've written, because it is a PHP script, has limitations inherent to anything that relies wholly on PHP in order to function, but, in instances where the aforementioned suggestion and/or similar suggestions aren't a possibility (such as if the host machine doesn't have an anti-virus installed and shell access is disabled; common with cheaper shared hosting solutions), that's where what I'm suggesting here could potentially step in - Something that only requires PHP to be installed (with PCRE extension included, which is standard with PHP nowadays anyhow), and nothing more.
Also remember, as Matt has already suggested, to always upload outside of your root directory, to ensure that uploaded files can't be exploited by attackers (such as in the event of an attacker attempting to compromise your system by uploading backdoors or trojans) - Viruses are not the only threat you need to worry about, and the vast majority of anti-virus solutions nowadays do not solely focus on viruses. Matt is also entirely correct in pointing out that no anti-virus solution is perfect, and for that reason, anyone allowing file uploads to their website or server needs to remain vigilant - An anti-virus solution is a must-have for anyone in that situation, but no holy grail of internet security that'll cover every possible threat exists. Also, renaming files isn't only about ensuring that they can't execute (as may be somewhat inferred by the original poster's reply comment regarding EXEs) - The risk of threats such as directory traversal attacks can be reduced by renaming files as well as the risk associated with an attacker attempting to override an already existing file on a targeted system as a means to hide their dirty-work.
Regarding the threat of files that may be malicious being missed by an anti-virus solution and then potentially infecting the system where they are being uploaded to; What a hostmaster or webmaster could potentially do in this situation is employ some sort of quick and simple encoding process that'd render the file non-executable by the system itself, but which can be easily and readily reversed by the PHP script responsible for calling that file on request, such as by way of using base64_encode(), bin2hex(), or even by just rotating a few characters and adding a salt to displace the file's magic number or something similar.