Python Delay makes Anti Virus Softwares Obsolete

(Before starting a description, this is not exactly news and I am not much of a writer; however, I am posting it here including my sources. This issue, as well as the IPv6 Router Advertisement flood, needs to be resolved. This won't be the easiest to read; however, anyone with some technical knowledge should be able to get the gist of what I am saying.)
 
Sam Bowne teaches Ethical Hacking at the City College San Francisco [1]. Sam Bowne has done many talks at Defcon, which can all be found on YouTube [2]. Most recently Sam Bowne had his students modify & compile malware in Python into Windows executables [3], thus making VirusTotal.com unable to detect it (VirusTotal does not use heuristics, as normal Anti Virus engines would), making the code effective against Anti Virus software with Behavioral Analysis options disabled (which they very rarely are) [4]. After having published his findings, a Twitter follower by the name of Bobby 'Tables suggested to Sam Bowne that Behavioral Analysis really only watches the process for "a minute or two", suggesting that a simple delay in combination with Sam's original method could make both definitions obsolete by modifying the malicious code, compiling in Python, then switching it over to a Windows executable, leaving heuristics or "behavioral analysis" the only thing left to pick up the malicious code. To get around heuristics Sam simply used a delay after starting the process to, in essence, wait until the guards pass to do something malicious.


The delay issue in itself actually worries me a fair bit more than a slight modification of malicious code in Python. My suggestion for Anti Virus manufacturers is to offer users the flexibility on both how long heuristics will watch certain processes, and maybe even the intervals in which the Anti Virus software re-checks processes. Anti Virus software such as ESET Nod32/Smart Security is already so lightweight and efficient that I could see myself having it watch processes for about an hour long, still with minimal performance hits. If you are interested in watching a video of Sam Bowne demonstrating these concepts, the link has been provided in the sources, as well as a link to a video on IPv6 Router Advertisement Floods.
 
Sources:
1: https://twitter.com/sambowne
2: https://www.youtube.com/results?search_query=Sam+Bowne+Defcon
3: http://samsclass.info/124/proj14/p8-av.htm
4: http://samsclass.info/124/proj14/norton.htm
5: https://twitter.com/info_dox
6: 

RA flood Videos:
RA flood hitting fortigate: 
RA flood discussion: 
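
The post above describes two knobs it wants vendors to expose (how long a behavioral engine watches a process, and how often it re-checks a released one). The toy model below is an added illustration and is not code from this thread or from Sam Bowne's class project. It runs a constructed process timeline (seconds since start, action name; the action names are hypothetical) through three monitor models: a fixed watch window, a periodic re-check, and sleep compression, the common sandbox countermeasure of shortening long sleeps so that post-delay activity falls back inside the window (that countermeasure is not mentioned in the thread and is added here). Nothing in it builds or executes a real program; it only scores a timeline.

```python
"""Toy model of a behavioral monitor versus a delayed process.

Added illustration, not code from the thread or from Sam Bowne's project.
The timeline is constructed: each entry is (seconds since process start,
action name). Action names are hypothetical labels, not real API calls.
"""

# Constructed timeline: the process idles for ten minutes, then acts.
SAMPLE_TIMELINE = [
    (0.0, "process_start"),
    (0.5, "read_own_config"),
    (1.0, "sleep_begin"),
    (601.0, "sleep_end"),
    (602.0, "write_run_key"),     # hypothetical persistence-style action
    (603.0, "outbound_connect"),  # hypothetical network action
]

# Actions the toy engine treats as suspicious.
SUSPICIOUS = {"write_run_key", "outbound_connect"}


def fixed_window_verdict(timeline, watch_seconds):
    """Engine that only observes the first `watch_seconds` of a process.

    Returns the set of suspicious actions it saw; an empty set means the
    process was released as clean, which is the failure the thread describes
    when the window expires before the delayed behaviour starts.
    """
    return {a for t, a in timeline if t <= watch_seconds and a in SUSPICIOUS}


def periodic_recheck_verdict(timeline, watch_seconds, recheck_every, max_age):
    """Engine that re-opens a `watch_seconds` window every `recheck_every`
    seconds until the process is `max_age` seconds old.

    Returns (suspicious actions seen, time of the first one, or None).
    """
    seen, first_hit, start = set(), None, 0.0
    while start <= max_age:
        for t, a in timeline:
            if start <= t <= start + watch_seconds and a in SUSPICIOUS:
                seen.add(a)
                if first_hit is None or t < first_hit:
                    first_hit = t
        start += recheck_every
    return seen, first_hit


def compress_sleeps(timeline, max_sleep=1.0):
    """Rewrite the timeline as a sleep-compressing sandbox would see it.

    Each sleep_begin/sleep_end pair longer than `max_sleep` is shortened to
    `max_sleep`, and every later event is shifted earlier by the time removed,
    so the delayed actions land inside an ordinary fixed window.
    """
    out, shift, sleep_start = [], 0.0, None
    for t, a in timeline:
        if a == "sleep_begin":
            sleep_start = t
        elif a == "sleep_end" and sleep_start is not None:
            actual = t - sleep_start
            if actual > max_sleep:
                shift += actual - max_sleep
            sleep_start = None
        out.append((t - shift, a))
    return out


def compare(timeline, watch_seconds=120.0, recheck_every=300.0, max_age=3600.0):
    """Score one timeline under all three models; returns a dict of verdicts."""
    return {
        "fixed_window": fixed_window_verdict(timeline, watch_seconds),
        "periodic_recheck": periodic_recheck_verdict(
            timeline, watch_seconds, recheck_every, max_age)[0],
        "sleep_compressed": fixed_window_verdict(
            compress_sleeps(timeline), watch_seconds),
    }


if __name__ == "__main__":
    for model, verdict in compare(SAMPLE_TIMELINE).items():
        print(f"{model:18s} -> {sorted(verdict) or 'released as clean'}")
```

With the defaults (two-minute window, re-check every five minutes for an hour) the fixed window releases the sample as clean, while both the re-check and the sleep-compressed run see both suspicious actions; the re-check only catches them because the third window happens to start at 600 seconds, which is the tuning problem behind the "how long" and "how often" knobs the post asks for.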


I am not a programmer, but it reeks to me of build a better mouse trap and they build a better mouse. 


I am not a programmer, but it reeks to me of build a better mouse trap and they build a better mouse. 

Yep, same here. Unfortunately this is a pitfall of the concept of Anti Virus software. As everyone kicks and screams in media outlets about needing "something else", they are correct. However, dealing with this one issue regarding delays would help a LOT.


python ftw!


python ftw!

Judging by the simplicity of the process used, I wonder if it takes off and becomes a major issue prompting Anti Virus companies to deal with the issue.


This is the problem with programming languages that are too high level. 


good old glorious python, time for python masterrace?


Well, a few months ago I think it was said by some CEO of an antivirus company that they can't stop all malware anyway these days and that they are becoming more and more about damage control. I see that statement returning when I see these kinds of programming tricks.... Because these are the ones becoming public, I wonder how much earlier the truly "bad" hackers have found this out and how many more evil tricks they have.


I don't really think this really makes anything obsolete: sure there is a delay and current antivirus software has to be modified but it's a matter of just using more resources to defeat that delay, and honestly resources are the one thing that we have plenty of right now, I'm looking at you 8 core processors that sit idle 80% of the time and only get used slightly for gaming (and No, we won't really do any video encoding that's just something we tell ourselves to justify those sexy extra cores and performance)


The greatest anti-virus is common sense or Linux :3

Don't recommend Linux; the more people that use it, the more likely there will be intrusions for it. That's why there are fewer intrusions on Apple software: because it's not the most used operating system.


The greatest anti-virus is common sense or Linux :3

Common sense won't protect your network from a coworker's important spreadsheet. You would still need Anti-Virus as another layer of security -- not the only one. As for Linux, it can be hit incredibly easily; it is just that Windows is a more profitable platform to attack, considering that it is currently widely adopted by average consumers.

This is the problem with programming languages that are too high level. 

Good languages are always needed. Python is an excellent language, and many people learn Python as their first language. 

 

I don't really think this really makes anything obsolete: sure there is a delay and current antivirus software has to be modified but it's a matter of just using more resources to defeat that delay, and honestly resources are the one thing that we have plenty of right now, I'm looking at you 8 core processors that sit idle 80% of the time and only get used slightly for gaming (and No, we won't really do any video encoding that's just something we tell ourselves to justify those sexy extra cores and performance)

It does, because Sam unearthed this a while ago, and there STILL isn't a patch or fix for this issue. He has tried contacting several different Anti-Virus guys, as have I, with no luck (the only luck I have is when x company's product won't update, etc.).


Don't recommend Linux; the more people that use it, the more likely there will be intrusions for it. That's why there are fewer intrusions on Apple software: because it's not the most used operating system.

If it happens, I expect a lot more shits being flipped by Linus Torvalds. Something to the effect of:

 

"Why did you commit that PoS code into this OS? It's broken, just broken."


Can't believe this doesn't get more attention...

AV has been a joke for a long time, still use it though.


Can't believe this doesn't get more attention...

AV has been a joke for a long time, still use it though.

I still use Anti Virus software, but I only stick with ESET now at this point (They asked me to send them information via Twitter now). I treat it as only another layer. 


Can't believe this doesn't get more attention...

AV has been a joke for a long time, still use it though.

Yes, I noticed posts get thousands of views yet this one is limping along. 

 

I love Sam Bowne. He makes ipv6 floods and hacking so enjoyable     :)

Yeah, I love listening to his talks even though they are more basic. I am not a hacker myself; however, I am interested in it. I am seriously considering taking his Ethical Hacking class at the college he teaches at in the future to expand my skillset. For now I am taking an IT Technician course which should provide me with some valuable knowledge (or re-teach me some of what I already learned, in a different approach).


I use free anti-virus software and it's called LINUX!!!


I use free anti-virus software and it's called LINUX!!!

hehehhehehe

this is bait


Can't you just set the anti-virus to constant scan?


Can't you just set the anti-virus to constant scan?

Not that I know of. Just to remind you, we are talking about heuristics scanners / real-time scanners. Sorry for my late reply, I am busy moving into my new place.
