kaushik1405241550

Beyond Security security checks might prevent evils but not intelligents


Hi. Welcome to a new world of intelligence-defying security. Most of the security software we get is specially designed for the very general tricks the crackers play. I feel you got the trick. Right, a new trick: a program looking very ordinary, without any security-defying stunts, will bypass all that. Don't agree? Well, I knew it. I have designed a program in Visual Basic, after seeing which you won't disagree any more! I had a program to track passwords of Orkut and Gmail accounts, a very ordinary keylogger which could bypass Norton, Panda, Avast, and the list continues.

Well Kaushik, welcome to the Xisto forums. You seem to be very keen on exploring the world of Internet security and exploits. Would you care to enlighten us about your stealthy keylogger? I have always been fascinated by this field, but never really managed to jump in because of the sheer complexity and wayward documentation available. I remember making a keylogger in VB .NET some time back. It was fairly basic and at that point it relied on listening for system-level keyboard events. The word CANCEL would be shown as something like CCAANNNCCEL depending on how long the individual keys were kept pressed. (Fairly inaccurate, aye?) I didn't develop it any further as I really didn't have much of a use for it, except for cracking my partner's password.

Edited by turbopowerdmaxsteel

You have learned one of the first lessons of the bad guys. Antivirus programs rely on virus definitions to work. If the definition for a particular program is not present then no red flags are thrown.

For the most basic antivirus this is how it works. The antivirus program hooks all the Windows APIs for opening a file and starts to listen. When a file is opened, the antivirus opens the file itself and creates an MD5 hash of it. The antivirus then goes to its database and sees if a corresponding hash exists. If it does then it is flagged and not opened, else nothing happens. This is why it is important for users to always keep their antivirus definitions up to date.

There are a few ways around this. The best is to simply recompile the program if you have the source. You can take the meanest, nastiest virus that any antivirus would smell from a mile away and make it "clean" again by simply recompiling the source. A few years ago when antivirus companies decided to put "Potentially Unwanted Programs" into their databases I started having problems. Norton decided one day to delete a whole slew of regularly used programs with absolutely no warning (I no longer use Norton). These were not viruses or even malicious in nature, but in the wrong hands they could be, so they were just deleted. The most notable example is NetCat. I use NetCat all the time to communicate with my other computers. Having it deleted every time I put it back on my hard drive got really old, so I fixed the problem permanently. I downloaded the source and recompiled without any changes at all to the code. I haven't had any problems since.

I almost forgot the other solution. If you don't have access to the source you can edit the binary code. This is not for the faint of heart and it doesn't work as well as recompiling. The best way is to open the .exe in a hex editor and change one of the strings. The replacement string must be the exact same length as the original and it must be something that is in the program (not one of the standard .exe header strings). A good target might be what is displayed in the About box of a Windows form or the help output for a command line program. Change a few of these and the MD5 hash will not be the same.

As long as your keylogger is shown in the process list / task manager, there is software out there that will take a second guess as to how dangerous your program is based on certain criteria. One of the least sophisticated of these pieces of software is Security Task Manager; I'm sure other people can recommend other, more feature-rich pieces of software.

And if your keylogger is stealthy / not directly visible in the process list, that's called a rootkit. More difficult and tricky to detect, but this kind of behavior in and of itself can be used as a basis for detection.

So just because the virus signatures of the most popular virus scanning engines aren't up to date doesn't mean a virus can stay undetected.

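The detection idea in the post above (a process that hides from the process list gives itself away by that very behavior) as an added Python example for Linux; it is not code from this thread. It assumes a procfs mounted at /proc and compares the /proc directory listing with direct kill(pid, 0) probing of every possible id, the cross-view approach rootkit hunters such as unhide use.

```python
import os

PROC = "/proc"  # assumption: standard Linux procfs mount


def procfs_pids():
    """View 1: what ps / task-manager style tools see, the numeric entries in /proc."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}


def probe_pids(max_pid=None):
    """View 2: ask the kernel directly with kill(pid, 0) for every possible id.
    ESRCH means no such process; EPERM means it exists but belongs to someone else."""
    if max_pid is None:
        with open(f"{PROC}/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, just not ours to signal
        found.add(pid)
    return found


def is_thread(pid):
    """kill(2) also answers for the id of a non-leader thread, which /proc does not
    list but does resolve; its status file names the owning process in Tgid."""
    try:
        with open(f"{PROC}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False  # no status entry at all: not a thread, possibly hidden
    return False


def hidden_pids(max_pid=None, rounds=2):
    """Cross-view check: ids the kernel confirms but /proc does not list.
    A process that exits between the two scans appears in at most one round,
    so only ids flagged in every round are reported."""
    suspects = None
    for _ in range(rounds):
        diff = {p for p in probe_pids(max_pid) - procfs_pids() if not is_thread(p)}
        suspects = diff if suspects is None else suspects & diff
    return suspects


def own_pid_visible():
    """Sanity check: the scanner must at least see itself in both views."""
    pid = os.getpid()
    return pid in procfs_pids() and pid in probe_pids(max_pid=pid)


if __name__ == "__main__":
    print("hidden from /proc:", sorted(hidden_pids()) or "none")
```

A /proc mounted with hidepid=2 makes other users' processes look hidden to this check as well, so run it as root or expect those ids to be reported.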
> So just because the virus signatures of the most popular virus scanning engines aren't up to date doesn't mean a virus can stay undetected.

In some cases I will have to agree with you, but it is not a sure thing even with very intelligent virus scanners. The proof? I have actually done what I suggested above and the top of the line, up-to-date scanners from all the major publishers simply said "ohh that's a nice program. Nothing wrong with it" and let it run.

Many of the current scanners do run heuristic scans. This means that in general a virus will exhibit certain tendencies and use certain API calls. Even if you do not have an exact MD5 hash of a particular virus, you can still guess to a certain degree if a program is performing "virus like" activities. The effectiveness of this scheme is somewhat debated. On one hand you want to find every single program that does DLL injecting because it exhibits "virus like" behavior. On the other you will get about 50 false positives an hour looking for DLL injections because although a lot of viruses use this technique, a lot of legitimate programs do also. The antivirus company has to decide how tight they want to make the heuristic algorithm. From what I can tell there is a lot of black magic going on behind the scenes in heuristics and you just can't predict the outcome. From personal experience I would have to say that heuristics do not work unless you try to modify a very well-known virus.
