Author Topic: Potentially Unwanted ;-)  (Read 4139 times)


January 19, 2008, 10:41:56 am

sowhat-x

  • Guest
...he-he, I really don't think there's much to say regarding this...
as a start, have a look for yourself and laugh...

http://www.peid.info/forum/viewtopic.php?t=810
http://www.sophos.com/security/analyses/peid.html


January 19, 2008, 12:52:04 pm
Reply #1

bobby

  • Special Members
  • Hero Member

Xaxaxa (laugh in Serbian_cyrillic.lng)

Well, no comment here either:
http://www.prevx.com/filenames/X1361658098396660580-0/MALZILLA.EXE.html

Code:
# This Process Creates Other Processes On Disk
# This Process sends MIME Email
# This Process Contains User Mode Rootkit Functionality
Process created on the disk?
Sending emails?
Rootkit?  <- I didn't know I'm such a good coder  ;D

January 19, 2008, 11:18:20 pm
Reply #2

JohnC

  • Special Members
  • Hero Member

I'd like to think they have detected both programs through an automated process, and not through one of their staff making a mistake like this. Then again, I guess both are bad. Either of you going to try and contact Sophos?

January 21, 2008, 04:48:42 am
Reply #3

sowhat-x

  • Guest
Xaxaxa -> it's the same here!...   :)

What in the world, Sophos' description merely stated: "...a program for the Windows platform".
Yeah, is that so...and I thought it was for SGI Irix or something...
But Prevx, gee, now that's really an achievement...made me a bit 'jealous' to be honest:
changes exe filesize, sends mails over the net, hides stuff and what else...
now that's not malware - that's a real threat to the human nation!  ;D  :D

Regarding contacting them, don't know...maybe, but the general feeling was...
is it really worth it / does it make a difference?
For example, have a look here at something that got noticed recently,
in Peter Szor's infamous book "The Art of Computer Virus Research and Defense":
http://vx.netlux.org/lib/aps00.html
(Warning: Be patient if on slow/older connection types, it will take some time to load...)

...Scroll down to the "15.4.2. Unpacking" chapter, where it states:
Quote
"It is often difficult to figure out what kind of wrapper is used on a file.
Tools such as PEID attack this problem by using signatures to detect the packer.
Unfortunately, PEID is not an official tool and is associated with the hacking community.
I definitely do not recommend that you use such tools on a production system,
but you can give them a shot on your dedicated research system.
PEID can identify nearly 500 different wrapper variations,
which can be a helpful start in getting familiar with them.

Note:
Always beware what you download and use from the Internet.
Even professional tools are often Trojanized. So be advised!
In addition, some unpacker programs might run the code in order to unpack it.
Such unpackers can execute malicious code as a result of unpacking, so you need to be careful.

As a best shot, you can attach a debugger,
such as TD (Turbo Debugger) or OllyDBG (both of them are free debuggers),
to a running process and dump the process address space yourself.
This trick can help you to deal successfully with encrypted and polymorphic code."

Not an official tool...
(official by...whom? Symantec itself, I assume?)...
Associated with the 'hacking' community...
(yeah, we should all end up in jail - exactly for not being 'official' as per the above...)
Not to be used on production systems...
(...hmm, now this somehow reminds me of Sophos' statements...nah, probably a coincidence...)

But hey, they're doing us a favor here...or actually, two favors:

1) No problem with Turbo Debugger and even more so with...OllyDbg.
Especially for the latter one...lol, no comments here...
2) Although such 'tools associated with the hacking community'
are per the statement "not recommended in production systems"...
oh well, so what...if you have a "dedicated research system",
then you can play around with them at will!  :D

Don't consider the following as an..."official response from Team PEiD", lol...
It's simply my point of view as a peripheral/supporting member...
after all, the 'official' thread made in PEiD's forum
shows quite clearly what came to the minds of most of us there...

It's fairly obvious it's politics and marketing speaking here.
Thereby, the actual question is not whether Sophos/Symantec etc. should be contacted...
that would be quite easy to do.
But whether it's really worth bothering with this type of 'politics' in the first place:
as PEiD has always been a freeware tool made for the sake of making life easier
for researchers and end-users...or more specifically,
for what all of us simply call the "community"...as this is the spirit of it all.
But well, by 2008, I think we've all got a quite good understanding of monopolies' marketing:
whatever is not "official" and commercially exploited by them
must be defined with the addition of the word "hacking" in front of it...
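The Szor passage quoted in the post above describes what PEiD actually does: it matches byte signatures, usually against the code at the PE entry point, to name the packer. The following is an added example written for this page, not PEiD's own code and not its signature database: a minimal scanner in Python that parses a userdb.txt-style list (the `[name]` / `signature =` / `ep_only =` layout PEiD users know), walks the PE headers to translate AddressOfEntryPoint into a file offset, and matches patterns with `??` wildcards either at the entry point or across the whole file. The signature entries, the entry-point bytes and the single-section PE file they are scanned in are all constructed here for illustration; the patterns are not real packer signatures.

```python
import struct
from typing import Dict, List, Optional, Tuple

# A pattern is a list of byte values; None stands for a "??" wildcard.
Pattern = List[Optional[int]]

# Constructed signature list in the layout of PEiD's userdb.txt.
# These byte patterns are made up for this example (not PEiD's database).
SAMPLE_USERDB = """
; constructed example database, not PEiD's userdb.txt
[Example packer A (constructed)]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true

[Example protector B (constructed)]
signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68
ep_only = true

[Example marker string (constructed)]
signature = 50 41 43 4B 45 44 21
ep_only = false
"""

# Constructed bytes placed at the sample file's entry point: they satisfy
# "packer A" (the wildcards cover two 32-bit operands) and contain "PACKED!".
SAMPLE_EP_CODE = (bytes.fromhex("60BE00904000" "8DBE0080FFFF" "5783CDFF" "EB10")
                  + b"PACKED!")


def parse_signatures(text: str) -> Dict[str, Tuple[Pattern, bool]]:
    """Parse a userdb.txt-style list into {name: (pattern, ep_only)}."""
    sigs: Dict[str, Tuple[Pattern, bool]] = {}
    name: Optional[str] = None
    pattern: Optional[Pattern] = None
    ep_only = False  # default assumed here for entries that omit ep_only
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            if name is not None and pattern is not None:
                sigs[name] = (pattern, ep_only)
            name, pattern, ep_only = line[1:-1], None, False
        elif "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            if key.lower() == "signature":
                pattern = [None if tok == "??" else int(tok, 16) for tok in val.split()]
            elif key.lower() == "ep_only":
                ep_only = val.lower() == "true"
    if name is not None and pattern is not None:
        sigs[name] = (pattern, ep_only)
    return sigs


def entry_point_offset(data: bytes) -> int:
    """Translate AddressOfEntryPoint (an RVA) into a raw file offset."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # COFF SizeOfOptionalHeader
    ep_rva = struct.unpack_from("<I", data, pe + 24 + 16)[0]  # AddressOfEntryPoint
    table = pe + 24 + opt_size                               # first section header
    for i in range(nsections):
        hdr = table + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        if va <= ep_rva < va + max(vsize, raw_size):
            return raw_ptr + (ep_rva - va)
    raise ValueError("entry point lies outside every section")


def matches(data: bytes, offset: int, pattern: Pattern) -> bool:
    """True when pattern (with wildcards) matches data at offset."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(want is None or data[offset + i] == want
               for i, want in enumerate(pattern))


def identify(data: bytes, sigs: Dict[str, Tuple[Pattern, bool]]) -> List[str]:
    """Names of all matching signatures; ep_only ones are tried at the entry point only."""
    ep = entry_point_offset(data)
    hits = []
    for name, (pattern, ep_only) in sigs.items():
        if ep_only:
            hit = matches(data, ep, pattern)
        else:  # whole-file scan, as PEiD does for ep_only = false entries
            hit = any(matches(data, off, pattern)
                      for off in range(len(data) - len(pattern) + 1))
        if hit:
            hits.append(name)
    return hits


def build_sample_pe(ep_code: bytes) -> bytes:
    """Construct a minimal single-section PE32 file whose entry point is ep_code (test fixture)."""
    assert len(ep_code) <= 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, opt hdr 224
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)            # SectionAlignment, FileAlignment
    section = struct.pack("<8sIIIIIIHHI", b".text", len(ep_code), 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)              # code | execute | read
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    return header + ep_code.ljust(0x200, b"\0")


if __name__ == "__main__":
    sample = build_sample_pe(SAMPLE_EP_CODE)
    print("EP file offset: 0x%x" % entry_point_offset(sample))
    print("matches:", identify(sample, parse_signatures(SAMPLE_USERDB)))
```

Run against the constructed sample, the scanner reports "Example packer A" (entry-point match) and the marker string (whole-file match) but not "protector B". The two limitations Szor's paragraph hints at are visible in the code: a signature only names what the database already knows, and a packer that patches a few bytes of its entry stub defeats an exact pattern unless the database author widens it with wildcards.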

June 19, 2008, 07:20:43 pm
Reply #4

sowhat-x

  • Guest
Just stumbled upon this one, rotflmao...  ::)
http://www.auditmypc.com/process/peid.asp

What I especially enjoyed was the following part, he-he...
Quote
peid.exe is considered to be a security risk,
not only because antivirus programs flag zyklobot trojan as a trojan,
but also because other sites consider it a Trojan as well.
Now that's what I would call a deeply democratic attitude, ha-ha...
"...whatever the people says..." - and other sites as well...  :)

Seems like LordPE also didn't manage to escape from the..."zyklobot" attack!  ;)
http://www.auditmypc.com/process/lordpe.asp

June 19, 2008, 10:07:23 pm
Reply #5

tjs

  • Special Members
  • Sr. Member
