Antivirus Firms Out of Their League With Stuxnet, Flame
Hugh Pickens writes "Mikko Hypponen, Chief Research Officer of software security company F-Secure, writes that when his company heard about Flame, they went digging through their archive for related samples of malware and were surprised to find that they already had samples of Flame, dating back to 2010 and 2011, that they were unaware they possessed. 'What this means is that all of us had missed detecting this malware for two years, or more. That's a spectacular failure for our company, and for the antivirus industry in general.' Why weren't Flame, Stuxnet, and Duqu detected earlier? The answer isn't encouraging for the future of cyberwar. All three were most likely developed by a Western intelligence agency as part of covert operations that weren't meant to be discovered, and the fact that the malware evaded detection proves how well the attackers did their job. In the case of Stuxnet and Duqu, they used digitally signed components to make their malware appear to be trustworthy applications, and instead of trying to protect their code with custom packers and obfuscation engines — which might have drawn suspicion to them — they hid in plain sight. In the case of Flame, the attackers used SQLite, SSH, SSL and Lua libraries that made the code look more like a business database system than a piece of malware. 'The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets,' writes Hypponen, adding that it's highly likely there are other similar attacks already underway that we haven't detected yet because, simply put, attacks like these work. 'Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn't. We were out of our league, in our own game.'"
I mean seriously does anyone think the OS companies aren't in on this type of operation?
It reminds me of the CIA-Xerox story.
http://dagmar.lunarpages.com/~parasc2/articles/0197/xerox.htm
I love Jesus, except for his foreign policy.
Then they started using custom packers and obfuscators, making them as hard to reverse engineer as Skype.
But anti-virus software just started detecting the packers and obfuscators, which no legitimate code would have...
So, now they went back to using generic tools and libraries. Full circle!
If these things really are being written by western intelligence agencies then don't think that Windows is the only platform they can compromise.
AntiFA: An abbreviation for Anti First Amendment.
stop using windows bro
http://www.lua.org/about.html
You cannot solve the virus problem as it is an impossible situation.
The only thing you can do is NOT MAKE VULNERABILITIES. And actually FIX the ones you find.
The proprietary vendors are failing at that. Their fault is in the "not invented here" area as they cannot allow non-proprietary solutions to exist. And when they prevent shared solutions, they leave things overlooked, and then bugs, and then allow for virus entry.
Not everyone can know everything - especially isolationist companies. These do not hire people that worked with other companies very well, as they are afraid of "code contamination". Those that have significant cross licensing powers could hire... but they usually also have "anti-poaching" agreements as well. This results in the lack of cross training in various techniques of programming, and promotes internal bad practice... and the development of bad policies on how to program.
Come on OS's, raise that bar so that AV companies can do the same.
Wha. We suck. But, what can you do?
Your subscription has expired. Please upgrade to Our Steaming Pile 2013. Now with more steam. Also, we hid some options to make it more challenging/interesting for you!
Your products do have a tendency to delete system files though. Maybe antivirus software should be a bit more than writing definitions to known CVSs and some anomaly engine which thinks every file in a profile directory is suspicious. While antivirus software is another layer of security, it's a pretty shitty one.
With a western government involved, is it much more of a stretch to include assistance from Microsoft and even the AV companies? These companies might feel a sense of duty and might earn a lot of money to boot.
Ray Seyfarth, ray.seyfarth@gmail.com, http://rayseyfarth.blogspot.com
Interesting article at the Internet Storm Center "Why Flame is Lame"
http://isc.sans.edu/diary.html?storyid=13342#comment
crappy Malware and Anti-virus both crush the performance of the machines they're on...why bother? Oh yeah, and the anti-virus software doesn't work. Is it just to keep the masses from spreading too much?
Anti-virus software companies need to acquire, profile, and create removal code for new threats before they can do much to mitigate it. Now obviously, that's going to take genuine time and effort in cases where they didn't write the virus themselves.
Thank you, Edward Snowden.
"Arguments from authority are worthless." —Carl Sagan
By the author's own admission, they didn't "fail to detect". They HAD copies of the virus in their reporting database but ignored them. Why are customers reporting samples if the antivirus companies aren't paying any attention? I'd like to hear more on that explanation and not more excuses like "well, it works like a business database".
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
I've not held much faith for anti-virus companies. Never was I under the idea that AV software would stop a *real* virus. To me, anti-virus software is just a way to keep the script kiddies and adware ActiveX controls off a system. Good computing habits preclude the need for AV software. Just my two cents.
Seriously, how is this news? Anyone who has even the slightest clue as to how software security vulnerabilities work (or just what Turing completeness and the halting problem are) knows that anti-virus software does not and cannot exist, and has known that for decades. Just because some marketing people keep pretending there is such a thing doesn't mean there actually is.
What does exist is black-list filters for some well-known attacks. Which obviously is completely pointless to even try unless you are an idiot and you insist on using software that's equally well-known for its lack of security, in which case such a black list can keep the inconvenience down a tiny bit. Or you own a business that makes money by selling unsuspecting people "protection".
Release armies of flying cats.
Because if you're going to ignore what's in your database for two years, well, flying cats are better.
https://www.youtube.com/watch?feature=player_embedded&v=-S4DZ_aWNuU#!
--
BMO
Did you really mean "First, antivirus authors used generic tools"?
Mind, I don't object to the classification of much antivirus software as evil, but it gets a bit kinky later where they're detecting themselves...
Recently, I had submitted a ware to hpHosts/malwarebytes for hosting (it's a custom hosts file mgt. & acquisition system from 12 reputable + reliable sources in the security community). Mr. Steven Burn & Mr. Henry Hertz Hobbit (of malwarebytes/hpHosts + hostfile.org respectively) sent it through the JOTTI online & VirusTotal online scanners (which use Linux based scanning). It came up as a "malware". I immediately wrote:
1.) ArcaBit/ArcaVir
2.) Comodo
3.) ClamAV
4.) Symantec/Norton
5.) McAfee
The 5 antivirus makers (of 70++ total who found my app "ok") who detected my app as a malware.
I wrote & informed them of my using a special new exe packer/compressor which is EXTREMELY fast, & does 64-bit executables properly also!
I use exe packing for good reasons for security & performance, since it obfuscates attempts @ "hacking" or resource altering a program + I check the exe size @ startup & if it alters even 1 BYTE? It automatically "shuts down" informing the user the program has been tampered with (which IS what a std. virus would have to do attaching code to an exe's "tail" & altering jump tables etc.)
It also makes it load faster since the file on disk is smaller & today's CPU's offset the decompression stage into RAM as a bonus!
So, to that?
The antivirus makers performed a special analysis @ Mr. Burn's request, & found the detection was a 'false positive'...
I.E.-> They have some "rules for detection" that are way, Way, WAY WRONG/OFF, in that IF they detect a "non-std." Win32/64 PE header? They flag it INSTANTLY as a malware... which IS wrong, & was proven so by myself to them...
I redid the app, improving it once more (adding in exceptions abilities to NOT download certain sites IF the users choose not to from certain custom HOSTS file data sources of the 12 it can use, & also better filtering vs. sites that ought NOT be in a custom HOSTS file + a bit better speed)...
So, then what happened?
Same crap: I had to go to them AGAIN, & say "check it", same deal - removal of FALSE POSITIVE DETECTION!
Many of them also have a "rule", according to Mr. Henry Hertz Hobbit, of flagging an app as a malware IF THE MAKER DECIDES TO USE WinRar SFX files... DUMB & MORE THAN POTENTIALLY INCORRECT, see above for proof, or ask the gents I noted...
(Using a simple install like WinRar SFX makes for a small, fast, compact installation system functioning essentially like a "tarball" package... & makes tinier installers than does say, InnoSetup or InstallShield & the like, as well!)
* They are FAR from perfect... & make mistakes, due to DUMB rules!
Especially the use of exe packing (even Dr. Mark Russinovich uses it, ala Rootkit Revealer, to stop malwares from detecting & shutting down the program, as well as altering it adversely etc.) & of course, also the use of a WinRar Self-Extracting SFX distribution file (which functions as a "tarball" more-or-less for MY app @ least, just keeping its single exe & data files in 1 package for extract install to a single folder + run it type deal)...
APK
P.S.=> That's my "protest" & statement of FACT regarding things antivirus makers really OUGHT to correct for... it makes for false positives!
Ask Nir Sofer of NIRSOFT also...
E.G.-> He has gone thru the SAME GARBAGE with these people I have recently & years before with Computer Associates (who did the same to another app I wrote in 2004 & I passed ALL 21 of their questions for removal, & they downgraded the app threat to ZERO levels)... apk
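The post above describes a startup tamper check: the program compares its own on-disk size to the expected size and refuses to run if even one byte changed. As an added example (not the poster's code, and using a constructed byte string rather than a real PE file), this compares that size-only check with a hash-based check, showing that an appended "tail" trips both while an in-place edit that keeps the size passes the size check and is caught only by the hash.

```python
import hashlib

# Constructed stand-in for an executable image; not a real PE file.
ORIGINAL = b"MZ" + b"\x00" * 14 + b"jump_table:0010|payload:hello"
EXPECTED_SIZE = len(ORIGINAL)
EXPECTED_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()


def size_check(image: bytes, expected_size: int = EXPECTED_SIZE) -> bool:
    """The check from the post: refuse to run if the on-disk size changed."""
    return len(image) == expected_size


def hash_check(image: bytes, expected_hex: str = EXPECTED_SHA256) -> bool:
    """Stronger check: compare a SHA-256 digest of the whole image."""
    return hashlib.sha256(image).hexdigest() == expected_hex


def appended_tamper(image: bytes) -> bytes:
    """Constructed append to the file's tail, the classic infector pattern the post mentions."""
    return image + b"<extra code>"


def same_size_tamper(image: bytes) -> bytes:
    """Constructed in-place edit that keeps the size: rewrite one jump-table entry."""
    i = image.index(b"0010")
    return image[:i] + b"0020" + image[i + 4:]


def startup_gate(image: bytes) -> str:
    """Apply both checks in order and return a label for what the program would do."""
    if not size_check(image):
        return "refused: size changed"
    if not hash_check(image):
        return "refused: contents changed"
    return "ok"


if __name__ == "__main__":
    samples = [
        ("original", ORIGINAL),
        ("appended", appended_tamper(ORIGINAL)),
        ("same-size edit", same_size_tamper(ORIGINAL)),
    ]
    for name, img in samples:
        print(f"{name:15} size={size_check(img)!s:5} hash={hash_check(img)!s:5} -> {startup_gate(img)}")
```

In a real binary the reference digest must live outside the region being hashed or be covered by a code signature; otherwise whoever edits the file can edit the stored digest too.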
Q: Why is starting a comment in the Subject: line incredibly annoying?
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
but it gets a bit kinky later where they're detecting themselves...
It's not kinky at all. They all do it, most of them nearly every day, but few of them admit it.
Kinky is two of them detecting each other...
I can see the fnords!
Seen another way: Like all artillery system designers, you study the target, understand the medium through which the shell must traverse, and get the payload to the target.
To think that Symantec and AVG and Kaspersky et al are omnipotent is silly. At some point, each of these companies has to avoid false positives because they get the worst PR possible when they make mistakes. There are millions of legitimate apps out there, no matter how well or poorly written. It's a matter of getting to the correct controller, seeding it with destructive code, and making sure the code survives long enough to deliver the damaging payload that's necessary. Certainly the explanation is vastly more simple than the deed, but it's the deed that was successful. Does one generate malware detection that traps such a thing: Maybe-- but you don't give it to anyone because no civilians have centrifuges that are used to make weapons grade material.
---- Teach Peace. It's Cheaper Than War.
My Dad's work PC got infected with "Smart Fortress 2012" mid-May. My mistake, I wasn't taking care of Flash and Acrobat reader. But an otherwise up-to-date XP, with an up-to-date Norton antivirus installed, got infected through a webpage. And even though the account was not an administrator account, Smart Fortress 2012 not only disabled Norton antivirus but rendered it inoperable - it had to be reinstalled (through the Administrator account).
Lesson learned. Don't trust much Norton, don't trust much anything else and tighten up as much as possible.
Well, DUH.
AV kits can only protect against attacks that are known. They may be able to detect new variants of attacks, so once a certain botnet type is known they may well be able to find zero-day developments if their heuristics are good (not a trivial task, but some have mighty good detection rates against unknown variants), but how are they supposed to detect what is simply not known to be a threat?
And likewise they cannot protect against attacks that target YOUR and only YOUR company. Where'd they get samples of it in the first place?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Years ago I got hit by a package that consisted of a bog standard mirc.exe and a bunch of scripts that, er, made it do Interesting.cn things, like run itself as a service and be otherwise clumsily less than obviously visible, opening up the machine for remote commands. Now my operating system of choice doesn't run those things, so to me it was merely a curio. So I sent it in to one of these security companies, and the poor bod at the threat evaluation desk didn't recognise it for what it was. Apparently if his threat evaluator script didn't flag it, it wasn't a threat, and understanding what was going on was entirely beyond him. This experience seems to mesh well with observations of how the IT threat mitigation industry operates. It leaves something to be desired, no matter how many really smart people they have.
IF they didn't mess up & on the grounds I stated? See subject-line above...
"They do not flag such files as "malware". They flag them as "heuristics found suspicious files that have properties often used in malware" - by Luckyo (1726890) on Monday June 04, @09:20AM (#40207883)
WRONG!
* The online scanners I noted don't DO what you said either... they only report "malware" & flagged it with malware names (virus names actually) no less... & they were WRONG too, of course, admittedly wrong on THEIR part no less... explain that!
(The last part in their admission of false positive is the BIGGEST burden on YOU now... the antivirus makers noted in my initial post, 5/70++ at JOTTI online + VirusTotal & even Microsoft Security Essentials said it was FINE!)
---
"If you actually read the text that your anti-virus software outputs on your screen, this becomes very obvious." - by Luckyo (1726890) on Monday June 04, @09:20AM (#40207883)
WRONG AGAIN, & IF YOU READ WHAT I ACTUALLY WROTE AND WHAT SCANNER TYPES I USED (online Jotti & VirusTotal)?
You wouldn't have stated that... period!
---
"Unfortunately most people, apparently including yourself, do not read these messages and instead assume your file has been filed as malware when you're looking as a false positive hit from heuristics engine warning your about suspicious properties of your file.." - by Luckyo (1726890) on Monday June 04, @09:20AM (#40207883)
See above - &, I wouldn't SPEAK of READING, were I you... not by this point.
---
"Actual malware that is known is labelled very differently by most anti-virus software." - by Luckyo (1726890) on Monday June 04, @09:20AM (#40207883)
Again, B.S.: READ MORE CLOSELY NEXT TIME & check what online virus scanners I noted ACTUALLY DO!
Lastly - buddy look: I've been writing software that's done EXTREMELY well from the commercial software world more than once (to great acclaim in books, magazines, newspapers, technical trade shows & more), freeware/shareware, as well as custom database applications professionally since 1994...
So please: Don't even *TRY* tell me "how it works", or worse, act "condescending" to me, until YOU can show you've done the same (as well as "turning the antivirus makers over onto their heads" more than once, which I have a couple times now)...
In fact?
I'd actually wager I may have been doing things like that before you were even BORN.
APK
P.S.=> "Proof's in the pudding" & argue with the results, + IF you doubt them? Write this fellow, Mr. Steven Burn of malwarebytes/hpHosts ->
services@it-mate.co.uk
(Who happens to be a respected member of the security community in Mr. Steven Burn of Malwarebytes' hpHosts website -> http://hosts-file.net/?s=Download & he can substantiate my ENTIRE tale you replied to here -> http://it.slashdot.org/comments.pl?sid=2892215&cid=40207637 )...
... apk
Stop enumerating badness: Default deny.
http://www.ranum.com/security/computer_security/editorials/dumb/
Civilian-grade bullet-proof vests won't stop bullets fired from the primary weapons carried by military personnel. Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians. The most heavily armored of civilian vehicles (and I do mean armored, as in cars that have been retrofitted, or the BMW models that can be bought pre-armored) would not stand up to military weaponry, while any armored military vehicle would shrug off an attack using weapons available to civilians. There are many other analogues involving surveillance technologies, etc. that show the dichotomy that has always existed between the military/intelligence communities and the civilian world.
But so what? Of course their tools are more sophisticated...they should be. The day when civilians have the same capability to do harm that the military and intelligence communities do, things will go very, very badly.
For your security, this post has been encrypted with ROT-13, twice.
With a western government involved, is it much more of a stretch to include assistance from Microsoft and even the AV companies? These companies might feel a sense of duty and might earn a lot of money to boot.
In order to evaluate your theory, we'd have to put it to the Occam's Razor test.
The simplest answer is that Windows really does have lots of vulnerabilities, and the security companies really are in over their head.
Obviously, this is patently false. Windows is widely known to be bug-free and highly secure, and the security companies have developed a suite of efficient, stable software to help us defend against viruses. So your theory obviously has merit. How could it be otherwise?
The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets.
You don't say.
I have seen it on here lately - cleanMyPC or something like that....pretty good so I have heard........
Once you are hit, it is already too late.
What we as sysadmins and users should focus on instead is prevention.
Unfortunately, prevention relies mostly on end user education. They will always download that cool image, or play that game, forward that e-card, etc. You can't cure user stupidity with technology. The car analogy would be, well, eliminate cars and make everyone take the train.
"boring cunt" - by Anonymous Coward on Monday June 04, @10:16AM (#40208433)
Using profanities in reply after your "blunders" here -> http://it.slashdot.org/comments.pl?sid=2892215&cid=40208027 ?
* "U FAIL"... period.
APK
P.S.=> My, my "such language", lol... Yes, that's exactly the typical "geek angst" ridden b.s. I get in reply, after some "wannabe genius/computer guru" blows it vs. myself & yes, almost EVERY time... lol!
... apk
Who benefits from the success of Stuxnet, Flame, et al.? The U.S. has a simple method, (publicly tested, and verified), of bringing down a country's entire electrical system, and that includes those systems that have backups. Anytime the U.S. wants to "turn off" the power to a country like Iran, it can. But the U.S. hasn't, so who else? I don't see complexity here, I see simple economic warfare. And I see where Iran could easily handle a problem like a war with guns; but Iran is helpless against a war with credit cards. If I were Iran I would not look west, their guns are chillingly clean.
Of course they are out of their league with Stuxnet and Flame. The AV companies are used to fighting teenage hackers and Russian mobsters; they aren't prepared to fight two of the highest funded militaries in the world (USA and Israel). It's hard to beat the enemy when they outnumber and "outgun" you by a factor of 100,000.
"U FAIL"
who is that 'U' who keeps failing (according to you) ? there is no user named 'U' on slashdot, so who is it ?
also it should be written "U fails", grammar moron
Won't someone please think of the cows? @2:25
Or, put another way, "extraordinary claims require extraordinary evidence."
From a certain attacker competence and resource level upwards, a leaky bucket like Windows cannot be fixed anymore. It takes competent system administration on a solid platform and a minimal attack surface. It also takes quality engineering with security in mind on everything that is reachable over the network. Most current software is so pathetically insecure (and yes, that includes quite a bit of FOSS software), that no amount of add-ons will ever make it secure.
On the other hand, software that was done with sound secure software engineering practices, competent personnel and adequate resources is very hard to attack and will quite often be impossible to attack. The saying that everything can be attacked is just a lame excuse for insecure software. It has no relation to what can actually be done.
What the article also shows is that the reactive, try-to-patch-thousands-of-tiny-holes-on-insecure-platforms-by-external-software approach that the AV companies are selling is fundamentally limited. This is not a surprise to any real security expert.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Flamer has been out in the wild since ca. 2007, with a MS signed certificate, and the first IT security organization that decides to bring it to public attention is a Russian company, and the first removal tool is from a Romanian company. Right, because all of these antivirus companies are so dumb they cannot detect a 20 MB spyware pack on Windows machines for four years.
The most bothersome statement to me is right here:
>consumer-grade antivirus products
Look, we all know that more advanced solutions are out there, antivirus techniques that rely on advanced chipset features and even custom hardware modules to protect systems. Yet we're still stuck using the same old known-signature-scanning, high-level-OS-API-using *shit* that wasn't up to the job a decade ago. Why? Are the billions of dollars a year in claimed corporate losses to computer intrusions insufficient profit motive for someone to bring something better to market? Are we really expected to believe that billion dollar companies like Intel, Microsoft, Google, and Apple simply aren't up to the technical challenge, let alone government agencies like the NSA whose job it is supposed to be to protect the security of America's communications? I guess they're too busy violating that security to care, these days.
The pace of progress on the consumer internet used to be blinding. Now, with the network mostly taken over by large corporations and the governments they are symbiotic with, and the capture of the knowledge and creative spheres by government dollars and NDAs, the internet is becoming just as dysfunctional as the lumbering dinosaurs all-too-willing to ruin anything and hurt anyone necessary to ensure their continued place at the head of the table.
See subject - U FAIL! This isn't "english class", fool, nor a paper for a grade in academia, or professional correspondence!
CLUE - it's a forums & the subject is computing tech material, specifically on antivirus programs!
APK
P.S.=> Yes, it's doubtless our MULTIPLE ACCOUNT using diseased cyclops troll here:
barbara.hudson@unjava.com from http://slashdot.org/~Barbara%2C+not+Barbie = barbara.hudson@barbara-hudson.com from http://slashdot.org/~tomhudson
Stalking/trolling/harassing me by ac posts now... lol, since she disappeared since 5/21/2012... to collect up modpoints for her "effete retaliation" in downmods of my posts & more.
(So, why would a KNOWN troll, whom even hairyfeet KNOWS he/she does this -> http://it.slashdot.org/comments.pl?sid=2872677&cid=40123423 have more than 1 registered username account on /. for? Simple - modding herself up, & her opponents down... how "transparent").
QUESTION: Is trolls' fav. color "transparent" or what?
LMAO!
Barbie/tom disappeared for 2++ weeks since 5/21/2012 just to "collect up modpoints" to mod me down & troll me by ac posts - since she's been EXPOSED in her antics!
(Which she's admitted AND TOLD OTHERS TO JOIN HER IN DOING, but the "others" are just more of her alternate registered 'luser' sockpuppets accounts)... proof? Ok:
"Wait until he starts on another kick, then reply to him as an AC. It's the new meme." - by tomhudson (43916) on Sunday May 09 2010, @08:29PM (#32150544) Journal
FROM -> http://slashdot.org/comments.pl?sid=1646272&cid=32150544
She's kept that up for YEARS now, talk about "psycho"... lol, just because myself & hairyfeet exposed her in it here -> http://it.slashdot.org/comments.pl?sid=2872677&cid=40123423
As if biological virus detection works any differently. There's an inherent problem of identifying what is "good" and what is "bad" if you have a complicated system. The virus detection companies have a problem that mirrors the complexity of the biological varieties. Sure you can detect certain "signatures" of potentially bad invaders, but evolutionary pressure will weed those out and then you are left with the ones that are harder to detect...
Another option seems to be to attempt to identify "self" and not-self. Unfortunately, although that's potentially easier, the fact that the Apple closed eco-system and the proposed Win8 closed eco-system ruffles so many feathers, yet doesn't seem to be fool-proof either.
Sadly for many of us (meaning the tinkerers of the world), perhaps the better answer is complete lock-down. If you can't install or run anything, then fewer options exist for problems. Although this probably won't work either (bugs are inevitable and now they will be hard coded-in).
What does that leave? Probably we need to flip this around, evolve and learn to live with viruses. Viruses are inevitable, and the problem we have is that we trust each other too much. So how do we (as in human biological systems) deal with viruses? We have evolved the ability to get "sick" (when we get a virus) and evolved to learn how to detect when our comrades are sick and avoid them. Perhaps OS vendors and anti-virus firms should concentrate more on teaching our computers how to recognize when they are in contact with other "sick" computers (basically a firewall on steroids). Some commercial devices are doing this already (they look through emails, torrents, etc. to try to identify stuff like high-risk data, etc.). We probably need to get better at this stuff... On how to force computers to get "sick" (other than slow down), perhaps anonymity is the biggest problem (in an anonymous situation, biological vectors tend to spread faster).
This is perhaps the most unfortunate realization: that openness and anonymity are perhaps the environment that actually allows for viruses to cause the problem that exists today (think shared needles in a heroin den or any other analogy you might think of).
MS has issued a security update KB2701704 that revokes some certificates, presumably the ones used in these attacks.
make imaginary.friends COUNT=100 VISIBLE=false
"Flame" isn't on the list of malware detected by the Microsoft Malicious Software Removal Tool. Why not?
Those darned Antivirus firms just completely missed those darned virii.
Says one spokesman:
"Don't know how that happened. We'll do better next time."
In other news Antivirus firms reported a banner decade with x billion in profits.
This just in, the US Government is missing x billions of dollars to an unmarked fund.
Wow, this is just a freakin' mystery.
Yeah, right. I constantly get warnings about packers (or even keyloggers, because they like hooking it up low level style I guess, and who can blame them) in code that isn't only legitimate, but blows all other code on my computer (including the AV software) out of the water. Things you'd download from scene.org or pouet.net. Sweet, sexy little things.
Sounds like what you are wanting is what Avast and Comodo already do, which is scan before load all web pages and sandbox the browser. This way if the website you try to hook to is "infected" instead of just running the code it blocks it and gives you a warning, and since by default the browser is sandboxed anyway, if something manages to get past their heuristics it's not gonna be going anywhere anyway.
ACs don't waste your time replying, your posts are never seen by me.
There's actually one company addressing this, http://www.countertack.com/os-level-monitoring/
U FAIL!
Who's that 'U' ?
This isn't "english class", fool, nor a paper for a grade in academia, or professional correspondence!
CLUE - it's a forums & the subject is computing tech material, specifically on antivirus programs!
I'm a bit lost here: is 'U' an English teacher computing antivirus programs for academia ?
Seriously. This virus is nothing.
It's infected a whole 1,000 computers.
Antivirus programs are already detecting it (at least Avira is).
That guy just comes off as being an asshole and doesn't really provide any useful info whatsoever. He sounds bitter that someone was able to come up with a virus that didn't fit the preconceived package they expected and therefore fooled them all.
But anti-virus software just started detecting the packers and obfuscators, which no legitimate code would have...
You mean like they detect UPX'd apps as a "potential threat"?
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
How are you and the rest of the Wolverines going to do with small arms against drone warfare and nerve gas?
For off-topic trolls like YOU:
"? aimedaca rof smargorp surivitna gnitupmoc rehcaet hsilgnE na 'U' si :ereh tsol tib a m'I ? 'U' taht s'ohW /. OFF-TOPIC TROLL on Monday June 04, @03:04PM (#40212009)
" - by Anonymous Coward ANOTHER "ne'er-do-well"
"???"
Uhm... Could we get a translation of that off-topic "troll-speak/trolllanguage" of yours, please?
---
* And, you're an off-topic troll - no questions asked...SEE MY SUBJECT LINE ABOVE!
APK
P.S.=> Yes, it must have just have been another off-topic done nothing of significance with his life troll spewing his off-topic b.s. again & not contributing to the ongoing conversations. Oh well - No biggie!
("ReVeRsE-PsYcHoLoGy", for trolls - Courtesy of this code by "yours truly" in less than 1 second flat):
---
#TrollTalkComReversePsychologyKiller.py (Ver #2 by APK)
def reverse(s):
    # Build the reversed string one character at a time (prepending each).
    trollstring = ""
    try:
        for apksays in s:
            trollstring = apksays + trollstring
    except Exception:
        print("error/abend in reverse function")
    return trollstring

s = ""
print(reverse(s))
try:
    s = "Insert whatever 'trollspeak/trolllanguage' gibberish occurs here..."
    s = reverse(s)
    print(s)
except Exception as e:
    print(e)
---
... apk
Sounds like what Tsutomu Shimomura was working on in the movie takedown.
Basically the AV industry got complacent and has been for a few years because of cash cows that kept giving out the milk. I am sure many of us expected viruses to arrive like this years ago, and have been waiting and wondering why we haven't seen them; well, now we know, it's because of the human condition and those who knew how to take advantage of it, that we didn't find out sooner.
Either way many in the broader security industry have known these types of things could exist and might. Which is why AV is not the only security many use. Firewalls filtering inbound and outbound traffic on each PC as well as the link to the internet and monitoring of the logs helps, among various other precautions, but by nature humans tend to take the easy way in things, and others know this and take advantage. Say what you want about paranoid security (not just AV) people, they see the issue and work to prevent being taken advantage of.
"On your point, you clearly state that the reason for the "false positive" was "certain techniques I used in the file, for good reasons". - by Luckyo (1726890) on Monday June 04, @03:21PM (#40212263)
Oh, really? That's EXACTLY one of them...
A.) Using exe packers is often a "flag" used to UNJUSTLY call programs "malware" (ask Mr. Steven Burn of malwarebytes/hpHosts, I gave you his email address to do so, feel free to write him, & then to "eat your words"... ok?)
&
B.) Using WinRar SFX "tarball package" type SIMPLE installers (smaller than more complex ones like InstallShield & InnoSetup for example, & perfect when you don't NEED the features of a more complex installation system, which my program does not (it even qualifies as a portable app)) - Ask Mr. Henry Hertz Hobbitt of hostsfile.org, ok, & again feel free to write him, and again, to "eat your words"...
Plus, I am NOT the only person it's happened to... ask Nir Sofer of NIRSOFT or even Dr. Mark Russinovich (per his pstools being abused by malware makers even).
False positives are a truckload of horseshit that indicates antivirus programs have a lousy heuristics system (widely known)... but, the antivirus companies listed calling my app a SPECIFIC trojan is NOT heuristics buddy, it's a clear mistake they retracted... get over it.
---
"That's not malware detection hit - that's heuristics seeing certain properties of the file and labelling it as such.". - by Luckyo (1726890) on Monday June 04, @03:21PM (#40212263)
Again - Oh, really? Is that WHY it was explicitly falsely called a Trojan & with a SPECIFIC trojan family name to it??
---
"Malware detection usually hits on specific code inherent to particular malware, not methods of compression of the executable..". - by Luckyo (1726890) on Monday June 04, @03:21PM (#40212263)
Again - you had better "brush up" boy, & ask the folks I noted from the security community I noted in my posts to you about the EXACT points I noted again above... ok?
(You're living in fantasy land, mere theory... I am talking ACTUAL REALITY here, not b.s. & evasions).
---
"(Obvious caveat: typically. YMMV).". - by Luckyo (1726890) on Monday June 04, @03:21PM (#40212263)
Oh for Pete's sake - lol, trying to "leave yourself an 'out'" are we? Give me a break... evading SIMPLE questions isn't answering them, especially with a truckload of 'doubletalk' fantasyland b.s.!
APK
P.S.=> Above all else/lastly - You're OBVIOUSLY unable to explain the reasons the antivirus companies noted retracted their initial detection of my app as a "malware" or infected program... and yes, they named it EXPLICITLY as a Trojan family, & it's not (hence the false positives being retracted & removed).
... apk
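The "packer flag" both of the exchanges above argue about (UPX'd apps flagged as a "potential threat", and the SFX/packer false positives in the post just above) comes down to a heuristic that can only say a file looks packed, not what is inside it. The following is an added example, not code from the original thread or from any of the vendors or people named in it: a toy version of that heuristic over constructed section names and section contents. The section-name set follows the real UPX convention; the 7.0 bits/byte threshold and the sample buffers are assumptions made up for the example.

```python
import math
import random
from collections import Counter

# Section names UPX writes into a packed PE file (real UPX convention).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

# Assumed threshold: 8.0 bits/byte is the maximum; compressed or encrypted
# data usually lands above 7.0, ordinary x86 code and text well below it.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_heuristic(section_names, section_data: bytes) -> dict:
    """Return the crude 'looks packed' verdict an AV heuristic might produce.

    It only says whether the file *looks* packed; it cannot tell whether the
    payload is a benign utility or malware, which is why such a flag is a
    triage signal for further analysis and not a detection by itself.
    """
    reasons = []
    names = {name.rstrip(b"\x00") for name in section_names}
    hits = names & UPX_SECTION_NAMES
    if hits:
        reasons.append("known packer section names: "
                       + ", ".join(sorted(h.decode() for h in hits)))
    entropy = shannon_entropy(section_data)
    if entropy >= ENTROPY_THRESHOLD:
        reasons.append(f"high section entropy ({entropy:.2f} bits/byte)")
    return {"looks_packed": bool(reasons), "entropy": entropy, "reasons": reasons}


def constructed_samples() -> dict:
    """Constructed stand-ins for section contents (not real binaries)."""
    # Low-entropy stand-in for an unpacked .text/.data section: repetitive text.
    plain = b"This program cannot be run in DOS mode.\r\n" * 100
    # High-entropy stand-in for a compressed section: seeded pseudo-random bytes,
    # which is what both a UPX-packed benign tool and packed malware look like.
    rng = random.Random(20120604)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    upx_names = [b"UPX0\x00\x00\x00\x00", b"UPX1\x00\x00\x00\x00"]
    return {
        "benign_unpacked": ([b".text\x00\x00\x00", b".data\x00\x00\x00"], plain),
        "benign_upx_tool": (upx_names, packed),
        "packed_malware": (upx_names, packed),
    }


def triage_all() -> dict:
    """Run the heuristic over every constructed sample, keyed by label."""
    return {label: packer_heuristic(names, data)
            for label, (names, data) in constructed_samples().items()}


if __name__ == "__main__":
    for label, verdict in triage_all().items():
        print(f"{label:16s} looks_packed={str(verdict['looks_packed']):5s} "
              f"entropy={verdict['entropy']:.2f} {verdict['reasons']}")
```

Running it shows the benign UPX-packed tool and the packed malware stand-in getting exactly the same reasons, because the heuristic has no information that separates them. That is the false-positive mechanism the thread is complaining about: a reasonable triage signal turns into a bogus verdict (or a specific family name) only when a vendor promotes it to a detection without confirming the payload.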
Off-topic yet again, & on the same b.s. as you did here -> http://linux.slashdot.org/comments.pl?sid=2875333&cid=40209107
* Please... seek professional psychiatric help of some kind!
(You obviously require it & it's SO obvious, based on clear-cut evidence of you doing it already this week, I don't need to be a psychiatric pro to be able to make that statement either, because your actions obviously show you have "issues" of some kind (geek angst I suspect, lol)).
APK
P.S.=> It's fairly obvious I've blown you away before, doubtless due to your SELF-DEFEATING NATURE, & thus you "stalk me" around /. with ac posts like some GEEK ANGST ridden sociopath, proven above, & hence your usage of ac posts to try "bother me" now...
Plus, by this point - I know you're afraid to use your registered 'luser' account because I am almost CERTAIN I can point out utterly nuking you here in the past, clue - grow up, psycho-boy... apk
interesting take on the subject: http://attrition.org/security/rebuttal/rebuttal-mikko_and_av.html
You can't have a perfect Anti-Virus software, because the definition of "virus" or "malware" is not so clear. Until someone decides it's a piece of malware, it's just a piece of software. That means that despite heuristics added, an anti-virus software is by definition more re-active than pro-active.
Mwa haha ... "compressed" ... pffffrt apk said he does "compressed" speak ... rotfl
Oh man, I'm still laughing at this good ol' joke from good ol' apk :-D
apk ... "compressed" speak ... MWA HA HA lmao, hahahahahah lol, hahahahahaha ... yuk yuk yuk, he-he ... rotfl
"compressed"
wow, he-he, thanks again for that, you made my week
Anti-virus companies are out of their league with MOST malware. Even the most novice coders routinely evade these products.
Off-topic yet again, & on the same b.s. as you did here -> http://linux.slashdot.org/comments.pl?sid=2875333&cid=40209107
* Please... seek professional psychiatric help of some kind!
You obviously require it & it's SO obvious, based on clear-cut evidence of you STALKING ME THREAD-TO-THREAD, as shown above, already this week...
(I don't need to be a psychiatric pro to be able to make that statement either, because your actions obviously show you have "issues" of some kind (geek angst I suspect, lol)).
APK
P.S.=> It's also fairly obvious I've blown you away before, doubtless due to your SELF-DEFEATING NATURE, & thus you "stalk me" around /. with ac posts like some GEEK ANGST ridden sociopath, proven above, & hence your usage of ac posts to try "bother me" now...
Plus, by this point - I know you're afraid to use your registered 'luser' account because I am almost CERTAIN I can point out utterly nuking you here in the past, clue - grow up, psycho-boy... apk
Do you have:
1.) A license to practice psychiatry, Dr. Quack (the "SiDeWaLk-ShRiNk" of /.)
2.) A PhD in the psychiatric sciences
3.) A formal examination of myself in a professional psychiatric environs to determine my "alleged mental state" according to your "insta-snap 'diagnosis'/'prognosis'", Dr. Quack
* When you get those items to your name/credit? Then you can talk
if he does not agree then apk is a schizophrenic maniac with a tendency to paranoia, because his actions obviously show he has "issues" of some kind (inferiority complex, illiteracy, moronism, you name it). he's also a proven sociopath and idiot.
yes an idiot, because all this was just to make him contradict himself. you've been driven by the nose exactly where we wanted you to be: admitting that someone such as apk can be so obviously psycho that no PhD in psychiatry is needed to determine his mental state.
And there we are, you've been forced to admit that "it's SO obvious" and "don't need to be a psychiatric pro to be able to make that statement either". You're a fool, and you've been fooled. Now go crybaby, go !
Don't need those for a repeated stalker thread to thread -> http://linux.slashdot.org/comments.pl?sid=2875333&cid=40209107 and this one too, where you're doing the same thing you did in the link above.
* You have issues, clearly...
APK
P.S.=> Did you know that stalking people is against the law? apk
Did you know that stalking people is against the law?
Hi anonymous coward, I didn't know an anonymous coward could stalk an anonymous coward, anonymous coward.
We're just giving you a bit of your own medicine. How does it taste ?
In Soviet Russia the law stalks you !
You stalk me by ac posts thru many threads -> http://it.slashdot.org/comments.pl?sid=2892215&cid=40218461
APK
P.S.=> You're just another off-topic ridiculous trolling ac stalker, nothing more... apk
Look this is done by NSA or CIA or the like. That means they had help from M$ and the lot, and also from name-brand people in the open source world. This has to include possibly getting help from the virus protection makers themselves, who knows? . You can't know because where national security intersects with stuff we use from companies we know, lying becomes virtuous and anyone can be lying. You're through the looking glass now. That's how this game is played. So the fact that they were able to pass as a trusted application component is no surprise.
One thing that's distressing is that, just as in non-cyber warfare, the ability to invoke entropy exceeds the ability to preserve order. For example, we can't protect ourselves against nukes. In fact, we can't protect ourselves against most weapons. That's only going to become more true as weapons become fiercer. Worse, this is not just true of our side, it unfortunately holds for the other side. This fact holds huge political and societal ramifications.
As the ability to create destructive artifacts moves from the nation-state to the level of small groups and finally to the level of individual actors, then the interest of the majority- in the form of the state- in controlling and knowing the actions of not just nation states, but also small groups and finally individual actors will only increase.
If it only takes one guy (it's always a guy) to harm a lot of people in very bad or mortal ways, the state, unfortunately, has a legitimate interest in knowing as much as it can about everyone's doings :(
This is not even something that will be inflicted on an unwilling populace- it's something they'll demand.
You can see this principle in action today. Virus writers hurt a whole lot of people but it's just a little damage. So the state has created the new category of cybercrime and pursues offenders with a little vigor.
They pursue with a lot more vigor small groups who want to mortally harm small groups of people, say at a mall by shooting it up.
They pursue with yet vigor and money small groups who want to acquire WMD and any person or entity who wants to help them. This is something we (allegedly) go to war over, point being at least Congress conceives of this as being worthy of an all out national response, whether they're right on the facts or wrong is irrelevant in this context.
As technology progresses, the number of people needed to inflict damage tends towards one. The type of damage that person can inflict tends towards death and disability. The number of people that damage can be inflicted upon tends towards hundreds, then thousands then millions. All three variables moving independently yet all trending overall towards their mayhem extrema.
It will serve us to remember that this is a basic fact about the world and the future that is no one's fault. The changes to come between individuals and the state are inevitable.
The challenge for the future is how do we structure society and redefine the roles of state and individual so that we can keep ourselves safe against the lone psycho with the nano-lab in the basement AND ALSO have a free, democratic and trusted form of government? How can we create a government that is at once radically more transparent and trustworthy than the one we have now and also opaque enough to be able to wage devastating, indefensible, asymmetrical warfare on any one individual anywhere in the world at any time?
I dunno.
Oh man, this guy was seriously right all along: http://it.slashdot.org/comments.pl?sid=2857487&cid=40046391
he's unable to prove his identity nor is he able to understand the concept of identity.
So if I just sign APK, I become APK per your reasoning?
APK
P.S.=> Hey ! look ! it's me, I'm APK... apk
"Oh man, this guy was seriously right all along" - by Anonymous Coward on Wednesday June 06, @08:18AM (#40230865)
You show the rest of us I have trashed you before & you're SCARED of showing your "true face" via your registered 'luser' account here...
I keep track of trolls I have burned before. You KNOW I'd just toss your NUMEROUS defeats vs. myself right back @ you & laugh at you because of it using them to do so!
(Face it - YOU know it, I KNOW IT, & anyone with any SENSE reading, knows it: Hence, your ac stalking/harassing me, or trying to & failing which is your nature & trackrecord vs. myself obviously!)
(It's obvious... lol!)
* When will YOU truly EVER get it thru your thick head (with extremely small brain) that the "trolling/stalking likes of you" (lowest of the LOW online) can never, EVER, "get the best of me", hmmm?
APK
P.S.=> You're seriously "obsessed": How BADLY have I blown you away before that you stalk me thread-to-thread for WHO KNOWS HOW LONG (weeks/months, & in some cases YEARS) around here *trying* to defeat me? You never have, & NEVER will, because you're just not very intelligent OR "savvy" about computing based technical information... period & your stalking me by AC posts rather than your registered 'luser' account proves that much easily, it's SO obvious (lmao) - So, thus?
Man, I actually pity you, I truly do - you're worse than most women I've met in fact in that regard... apk
Man, I actually pity you, I truly do - you're worse than most women I've met in fact in that regard... apk
Truly unbelievable the guy even predicted that you were a misogynist.
will tell you that your place is in a kitchen if you're an unfortunate member of the female class. He admitted (more like claimed) being raped multiple times by his ex-girlfriend and of abducting at least one of them, probably the same.
That's amazingly on the spot
Oh, and stop calling me "Man", dude.
APK
P.S.=> Hey ! look ! it's me, I'm APK... apk
http://it.slashdot.org/comments.pl?sid=2892215&cid=40209543
* You fail, lol... badly!
APK
P.S.=> Look, I understand WHY you troll/stalk me by ac posts:
I've completely dusted/blown you away SO many times here in technical debates on /., that IF you posted via your registered 'luser' account, I'd simply toss the doubtless NUMEROUS defeats you've suffered @ my hands... lol!
(Whose fault is that, if you're stupid enough to try "take me on"?? You're an ant attacking a mastodon, period...)
You wish you were me... apk
The antivirus industry is all about reaction, not pro-action per se. You just got punked again to infinity and beyond.
I swear, antivirus companies are good to suck.
My customers always ask, which is the best, and I reply, none. Free is equal to paid. See FSF on Wikipedia.
The rest of the story c/o Paul Harvey is offline - tune your radio to 1200 AM
GTFOOMYUFMATUSG
#TrollTalkComReversePsychologyKiller.py (Ver #2 by APK)
def reverse(s):
    # Build the reversed string one character at a time by prepending
    trollstring = ""
    try:
        for apksays in s:
            trollstring = apksays + trollstring
    except Exception:
        print("error/abend in reverse function")
    return trollstring

s = ""
print(reverse(s))
try:
    s = "Insert whatever 'trollspeak/trolllanguage' gibberish occurs here..."
    s = reverse(s)
    print(s)
except Exception as e:
    print(e)
ok, so you suck at python, no problem, we'll help you through this:
* there has been a function called reversed() for ages in python, no need to rewrite your own inferior one
* you could have used slices. it's slower than reversed(), but much shorter and elegant: print(s[::-1])
* your code is suboptimal, the *.pyc needs to be "recompiled" whenever you edit *.py (i.e. every time). you better use raw_input() and prompt the user for new input every time
* here is a one-liner in command line doing the exact same thing: python -c "print ('hello troll')[::-1]"
* here is a one-liner in command line doing the exact same thing, unix style: echo 'hello troll' | rev
What about Avast blocking Avast then?