Dumb Error...

Started by FORTRANS, August 28, 2008, 04:40:49 PM

FORTRANS

Hey,

   I am writing a fairly large (by my usual standards)
DOS program (FYI) and it just triggered Symantec
Anti-virus to quarantine the EXE.  Instead of randomly
changing code, is there a good way to deal
with this?  The random code may have worked, but
that's tacky.  And if I distribute the program, what's
to say that another anti-virus thinks the random
change was not good enough?

   Feel free to move this to another forum if it's not
considered a basic question.

Phooey,

Steve N.

Edit: Still doing it, not random enough.

PBrennick

It would be helpful if you would at least tell us what virus alert is being triggered. We do not see the code and don't know what virus. How the heck can we help? That is like saying, "Do you see that crowd of people over there? One of them just robbed me, please arrest that person." :eek

-- Paul
The GeneSys Project is available from:
The Repository or My crappy website

FORTRANS

Sorry, PBrennick, I didn't think that was needed.  It is
reported as:

Auto-Protect Results

RDA.Encrypted (1 )Detected As: RDA.Encrypted (1)

And: Symantec AntiVirus with a definition file 8/17/2008 rev 3

Trying to "Clean" it fails.  I can "Undo action", but that
is only good to the next link.  And between Symantec
and Micro$oft I can't even seem to turn it off for long.

Regards,

Steve

MichaelW

RDA.Encrypted (1) is listed as detected, but there is no writeup available, which suggests to me that it's rare, old, or somehow unusual.

http://www.symantec.com/security_response/threatexplorer/azlisting.jsp?azid=R

Was there any indication that it was a heuristic detection?

eschew obfuscation

BlackVortex

One way would be to notify the antivirus company, so they can fix their signatures. Also throw your binary at one of the online virus scanners that check with multiple products, before you distribute it.

FORTRANS

   First, thanks to those who responded.  Second, this is tedious,
so I may come across as testy or clueless.  Apologies in advance.

Quote from: MichaelW on August 28, 2008, 06:24:16 PM
RDA.Encrypted (1) is listed as detected, but there is no writeup available, which suggests to me that it's rare, old, or somehow unusual.

http://www.symantec.com/security_response/threatexplorer/azlisting.jsp?azid=R

   What I saw doesn't even say what it is (virus/other), what it infects
(Windows program/DOS program/whatever), or much of anything.

Quote
Was there any indication that it was a heuristic detection?

   All I saw was the Auto-Protect Results pop-up saying it quarantined
my program.  Nowhere in the program it is, or what actually happened.
</gml_replace>
<gr_replace lines="103" cat="clarify" orig="code mostly from">
code mostly from somebody's snippets collection.

   From memory, what changed a "nice" program to an "evil" one was:

Nice had a bunch of hardwired calls to a subroutine in the main
routine.  Most of those were edited out, and a call to open a
file was added.  And another call to a new routine to process a file.

Nice had file open routines that were taken from another program,
but was wonky.  Evil edited maybe five lines to be workable.  Old
code mostly from somebody's snippits collection.

Nice had a routine that took text from the keyboard and called
a routine to put it on a graphics screen.  Evil made a copy of
that and changed a couple of lines to read an input buffer.

   Fay came last week and Gustav may come this week.  Not
much can be done about that, but people talking about it
make some sense every so often.  Symantec's web site tends
not to.  (At least to me about my problem.  There should
be some reasonable way to do something.)

   Back to random code thrashing, unless there is a better
indication of what should be done to correct this.

Thanks,

Steve

Slugsnack

One way of finding the code that is throwing the AVs is to comment out bits of your code until it stops being detected.  That way you can usually find the few lines or the series of API calls that is causing the AV to go crazy.  I remember having to do this once in a program I made too which was in no way malicious.

Mark Jones

Quote from: FORTRANS on August 29, 2008, 01:48:39 PM
Evil edited maybe five lines to be workable.  Old code mostly from somebody's snippets collection.

Uhh... What?

Is "Evil" here being used as a person's title, or a semantic description? Are bits of your code really (unknown) snippets from somebody else?

Sorry, I don't read short-hand. :toothy (Please clarify.)
"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08

FORTRANS

Quote from: Mark Jones on August 29, 2008, 04:43:47 PM
Quote from: FORTRANS on August 29, 2008, 01:48:39 PM
Evil edited maybe five lines to be workable.  Old code mostly from somebody's snippets collection.

Uhh... What?

Is "Evil" here being used as a person's title, or a semantic description? Are bits of your code really (unknown) snippets from somebody else?

Sorry, I don't read short-hand. :toothy (Please clarify.)

Hi,
   Evil is the way my anti-virus is treating my poor
innocent program.  Just trying to explain the changes
I made to my program to trigger the anti-virus.
   No, not really unknown snippets.  The code was
originally from one of several CD-ROMs of assembly
language code.  And I took/looked at several routines.
And have edited them quite a bit over the years.
Not my code originally, but no longer someone else's
any more.

Hi Slugsnack,

   Right, I just called that debug process random out of
grumpiness.

Regards,

Steve N.

PBrennick

Unless this is something that you intend to sell or are afraid of criticism, at this point I feel we need to see this 'evil' code. If you do not wish to attach it here on the board just email it to any one of us who seem interested in helping (or maybe all). No one is going to bash code posted in the Campus and most of us will not bash code posted anywhere.

At this point, it is just a nice conversation where we all commiserate about heuristics together. Now, let's get down to work...

-- Paul

FORTRANS

Paul,

   Thanks, the thought of actually asking someone to give me money
for one of my hobby programs brought me a nice smile.  I could
post the binary, or e-mail you the source, but...

   I deleted the new routines.  Still infected.  I ended up deleting
the entire program's code a piece at a time.  Still infected.  So I
deleted parts of the data section until the anti-virus was happy.
All the graphics for a large font, and the table of addresses to use it.
Basically the only things left were the messages and a few variables.
Fine, restore the last data deleted.  Assembled and ran (though
running was now just exiting).  That does not make much sense.
Restored more data, still okay.  Restored routines a bunch at a time.
Got the entire program and data to assemble and "run", except
the main program.  Restored part of the main program, bang it's
infected.  Deleted the last code installed, still infected...  My
anti-virus is not making me happy.

Regards,

Steve N.

PBrennick

I REALLY would like to see those sources that would behave in such a way. Probably, it has to do with a large data block that contains data that looks like (or is) code. This is a very popular way to pass a virus as there are plenty of places to put code in a, well, bitmap, for example. There used to be an example of how to hide stuff in a bitmap floating around somewhere, but that was ages ago and I do not remember where it is.

-- Paul

BlackVortex

Modern antiviruses don't just scan a file statically. They are using cpu emulators to counter packers/cryptors, self-modifying code, polymorphism etc.  For example, you may think that making the proggy exit immediately isn't important as long as the rest of the data and code is in-memory anyhow ... but that's not true.

It's not as simple as cutting out pieces at a time.

Also, there isn't necessarily one piece of code/behaviour that may seem suspicious to the antivirus. Most antiviruses use what I call "flag-system". If too many flags are raised, it decides it is dangerous.

P.S.: Symantec Antivirus = Norton = Piece of crap !!!   <--- can't stress this enough, I barely resist the temptation to use humongous font size

evlncrn8

i've had some antivirus programs find 'patterns' in my data section... which is pretty damned annoying...
and really does indicate some antivirus programs are pretty crap.. norton definitely being one of them...
best thing is, before release, throw the file to virustotal.com or a similar site...

FORTRANS

Hi again,

   I am on a different machine, so this is from my lousy memory.
I was in a hurry, just going in on a holiday weekend to water my
plants.  I think that after Symantec flags something as a virus, it
prevents things from opening it, including LINK.  But after all the
clickee, pointie garbage, they also follow the Unix standard of not
preserving the file creation time.  So it looks like you have created
a new program after an edit, while the EXE is still the old piece of
radioactive waste.

   Now, getting angry makes you (me) rather stupid.  Same with
being in a hurry.  Now evolution should then make us all a mellow,
considerate lot.  In an observation as an angry, frustrated person,
I can support the evolutionary point of view that I would take
the benevolent people at Microsoft that are hiring otherwise
unemployable programmers that create XP's cute pop-up windows,
and the protective people at Symantec that don't want to worry
you with any useful information, and of course the creative
whoever that brought us RDA.Encrypted (1 ), and I would gladly
convert them to the computer equivalent of sausage.  Luckily,
they are all out of reach and immune to reason.

   When/if I calm down, I will check things a bit more methodically.

Quote
It's not as simple as cutting out pieces at a time.

   Unfortunately true.  The last addition of code that caused the
trigger was working in an earlier version.

Quote
Probably, it has to do with a large data block that contains data that looks like (or is) code.

   Maybe.  Right now it seems to be real live code in a strange
pattern.  Something being the wrong distance from something
else.  Individual pieces are "harmless".  (Or maybe pilot error
again.)  The major data is a font that does not look much like
code (at least to me, Symantec may differ of course).  The last
addition was (I think):

        CALL FINDNAM3   ; Find input file, open, and start read.

        MOV     [ReadFile],0    ; No file name on command line.
        JZ      S_0
        MOV     [ReadFile],1
S_0:

; - - - Invert Font Data - - -
        MOV     CX,OFFSET Index34 - OFFSET FONT34       ; The font size
        MOV     BX,OFFSET FONT34                        ; The font start
S_1:
        NOT     BYTE PTR [BX]                           ; Invert
        INC     BX
        LOOP    S_1
   Which was working nicely not too long ago.  Tomorrow I'll
try to check things again back in the real environment.  Weather
permitting...

Thanks all,

Steve
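As an added illustration (not code from anyone in this thread) of BlackVortex's "flag system" point and Paul's remark about data that looks like code: a toy scorer in Python that combines three weak signals over a DOS image, one of them the assembled bytes of Steve's NOT/INC/LOOP font-inversion loop. The rules, thresholds and sample images are made up for this example and are not Symantec's or any other vendor's heuristics.

```python
import math
from collections import Counter

# Toy scorer illustrating the "too many flags" idea. The rules below are made
# up for this example; they are not Symantec's or any other vendor's heuristics.

# The loop quoted in the thread, as it assembles for 16-bit real mode:
#   F6 17   NOT BYTE PTR [BX]
#   43      INC BX
#   E2 FB   LOOP S_1   (rel8 = -5, back to the NOT)
DECODER_LOOP = bytes.fromhex("F6 17 43 E2 FB")
DOS_EXIT = bytes.fromhex("B4 4C CD 21")     # MOV AH,4Ch / INT 21h

def entropy(block: bytes) -> float:
    """Shannon entropy of a byte block, in bits per byte (0.0 .. 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def raise_flags(image: bytes, window: int = 256) -> dict:
    """Three weak signals; each is common in benign DOS programs on its own."""
    windows = [image[i:i + window] for i in range(0, len(image) - window + 1, window)]
    return {
        # a byte-transforming loop, e.g. the font inversion from the post
        "decoder_loop": DECODER_LOOP in image,
        # some 256-byte region is nearly 8 bits/byte (packed or encrypted-looking)
        "high_entropy_region": any(entropy(w) > 7.0 for w in windows),
        # no INT 21h anywhere: the program never calls DOS (no exit, no file I/O)
        "no_dos_calls": b"\xCD\x21" not in image,
    }

def verdict(image: bytes, threshold: int = 2) -> tuple:
    """Return (flags_raised, suspicious): the toy 'too many flags' rule."""
    count = sum(raise_flags(image).values())
    return count, count >= threshold

# Constructed sample images (not the poster's program).
FONT = bytes((0x18, 0x3C, 0x66, 0x7E, 0x66, 0x66, 0x66, 0x00)) * 512  # 8x8 glyph bitmaps
MESSAGES = b"Input file not found.\r\n$Usage: PROG file\r\n$" * 8
BENIGN = DECODER_LOOP + DOS_EXIT + MESSAGES + FONT   # decoder + messages + font table
OPAQUE = DECODER_LOOP + bytes(range(256)) * 8        # decoder + dense, textless blob

if __name__ == "__main__":
    for name, img in (("benign", BENIGN), ("opaque", OPAQUE)):
        print(name, raise_flags(img), verdict(img))
```

The benign image raises only the decoder-loop flag and passes, while the same loop next to a dense blob with no DOS calls crosses the threshold; that is the sense in which no single piece is "the" trigger.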