BLAST AntiMalware Suite - 'Yet another' string.find antivirus


#1 minebuild02

  • Members
  • 97 posts

Posted 02 August 2016 - 04:16 PM

The BLAST AntiMalware Suite is an innovation in the field of CC antimalware programs.


Features of the On-Demand Scanner:

3 modes of scanning: Choose between 3 databases - standard signature analysis, behavioural (scans for generic functions/code statements) signature analysis or the URL finder algorithm.

An extensive database: A (somewhat) large amount of time was spent scavenging ComputerCraft malware, categorizing it and choosing the signatures to input.

An extensive classification system: Depending on a malicious program's behaviour, it is classified as a Virus, a Worm or as a program of another category.

A large help page, detailing all the algorithms and parameters used by the program, as well as explaining the classification.


Features of the Real-Time Security Driver:

Startup file protection: Reroutes the filesystem to deny write access to the startup file.

Real-time detection: Detects malicious code loaded as Lua chunks.

Network screen: Reroutes the HTTP API to disable downloading of known malicious programs.



Changelog:

v1.0 | Release | Initial (no changes): Initial release

v1.1 | Update | Bugfix (Requested): Fixed some signatures, should be able to work on 1.6+ without errors now

v1.2 | Release | New package released: Released the Real-Time Security driver!

v1.3 | Update | CRITICAL: Fixed a huge bug, added 1 signature

v1.4 | Release | New package released: Released the installer!

v1.5 | Update | New feature: More functions are now scanned by the RTS driver

v1.6 | Update | Bugfix (Requested): Fixed a bug in RTS' loadfile function



About the RTS driver:

Basically it is a program that modifies the global environment with its own functions.

They do not let programs modify the startup file, and scan the Lua chunks loaded into a program to find a virus.

Also it includes a firewall of some kind that prevents viruses from being downloaded.


Planned features:

Sandboxing - currently WIP, will be released as a separate program

Checksums - will be provided in 2.0 or possibly earlier

Trusted programs/false positives list - planned to be added sometime soon


Download now!

Installer: pastebin get tp9yYxgV installer

Run the installer without arguments to get help.

Made by minebuild02. Contributed to and beta-tested by RyuuMasatoKai.


Edited by minebuild02, 12 August 2016 - 10:11 AM.


#2 HDeffo

  • Members
  • 214 posts

Posted 02 August 2016 - 04:25 PM

Well, since someone is actually attempting to make a solid antimalware (regardless of how useful that actually is), a few comments:

1) have your program scan for potential "avoidance" code and chop it out before scanning, e.g. os.pullEvent = os["pullEvent".."Raw"]

2) on that note, your program should also remove all extra characters from a scan, e.g. spaces and semicolons

3) instead of scanning for exact matches, first compare checksums, then use a custom function for variable scans, e.g. this file is 87% similar to a known virus

4) you also need a method for users to either trust or distrust programs; this will add to your database and help give programs you don't need to do a full comprehensive scan on if enough people trust it
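Added example (not code from BLAST or from anyone in this thread) showing what points 1-3 look like in practice: a normaliser that folds `os["pullEvent".."Raw"]` back into `os.pullEventRaw`, strips comments, semicolons and spacing before a string.find signature pass, and a token-set Jaccard score for the "87% similar" idea. Plain Lua 5.1 as shipped with CraftOS; the signature and the two samples are constructed.

```lua
-- Added example, not part of BLAST: a pre-scan normaliser plus a rough
-- similarity score, in the spirit of HDeffo's points 1-3. Lua 5.1 only.
-- Undo trivial obfuscation so a plain-text signature still matches.
local function normalise(src)
  src = src:gsub("%-%-%[%[.-%]%]", "")           -- block comments
  src = src:gsub("%-%-[^\n]*", "")               -- line comments
  local n                                        -- fold "a".."b" -> "ab" until stable
  repeat src, n = src:gsub('"([^"]*)"%s*%.%.%s*"([^"]*)"', '"%1%2"') until n == 0
  src = src:gsub('%[%s*"([%a_][%w_]*)"%s*%]', ".%1")  -- t["name"] -> t.name
  src = src:gsub(";", "")                        -- stray semicolons
  src = src:gsub("%s*([=%.%(%)%[%],])%s*", "%1") -- spaces around punctuation
  return (src:gsub("%s+", " "))                  -- collapse remaining whitespace
end

-- Signatures are stored already normalised so both sides are comparable.
local SIGNATURES = { "os.pullEvent=os.pullEventRaw" }   -- constructed

local function match_signature(src)
  local norm = normalise(src)
  for _, sig in ipairs(SIGNATURES) do
    if norm:find(sig, 1, true) then return sig end  -- plain find, no patterns
  end
  return nil
end

-- Token-set Jaccard similarity of two normalised sources, 0..1.
local function tokens(src)
  local set = {}
  for tok in src:gmatch("[%w_%.]+") do set[tok] = true end
  return set
end

local function similarity(a, b)
  local ta, tb = tokens(normalise(a)), tokens(normalise(b))
  local inter, union = 0, 0
  for tok in pairs(ta) do
    union = union + 1
    if tb[tok] then inter = inter + 1 end
  end
  for tok in pairs(tb) do
    if not ta[tok] then union = union + 1 end
  end
  return union == 0 and 1 or inter / union
end

-- Constructed samples: a "known" snippet and an obfuscated near-copy of it.
local known = 'os.pullEvent = os.pullEventRaw\nwhile true do write("x") sleep(1) end'
local obfus = 'os.pullEvent=os["pull"..  "Event".."Raw"];;  -- hide\nwhile  true do write( "x" ) ; end'
print("signature hit:", match_signature(obfus))
print(string.format("%d%% similar to known sample", similarity(known, obfus) * 100))
```

The line-comment strip is deliberately naive (it also eats `--` inside string literals), which is the usual trade-off for a cheap pre-pass; a tokenizer would be needed to do it exactly.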

#3 minebuild02

  • Members
  • 97 posts

Posted 02 August 2016 - 04:28 PM

HDeffo, on 02 August 2016 - 04:25 PM, said:

Well, since someone is actually attempting to make a solid antimalware (regardless of how useful that actually is), a few comments:

1) have your program scan for potential "avoidance" code and chop it out before scanning, e.g. os.pullEvent = os["pullEvent".."Raw"]

2) on that note, your program should also remove all extra characters from a scan, e.g. spaces and semicolons

3) instead of scanning for exact matches, first compare checksums, then use a custom function for variable scans, e.g. this file is 87% similar to a known virus

4) you also need a method for users to either trust or distrust programs; this will add to your database and help give programs you don't need to do a full comprehensive scan on if enough people trust it

Thanks for suggestions. Yes, I am trying to make a real antivirus. And I'm thinking about a true behavioural analysis algorithm (sandboxing).

Edited by minebuild02, 02 August 2016 - 04:28 PM.


#4 Cloud Ninja

  • Members
  • 361 posts

Posted 02 August 2016 - 06:46 PM

When I run it, I get the error on line 178: nesting of [[...]] is deprecated.

#5 minebuild02

  • Members
  • 97 posts

Posted 03 August 2016 - 11:38 AM

Cloud Ninja, on 02 August 2016 - 06:46 PM, said:

When I run it, I get the error on line 178: nesting of [[...]] is deprecated.
Noted. This is an error in some of the signatures; ROS AM was made on CraftOS 1.5. The database will be reviewed and the signatures will be replaced.
Version 1.1 fixing this bug is now out!

Edited by minebuild02, 03 August 2016 - 11:44 AM.


#6 HDeffo

  • Members
  • 214 posts

Posted 05 August 2016 - 01:50 AM

You might also want to add a section that checks for old exploits, as well as ones which could eventually be exploits. The most relevant one I can think of would be

virus = function(t,k)
   if k=="gsub" and not hacked then
      --run code here
   end
   return string[k]()
end
getmetatable("").__index = virus

In old versions this would infect any computer that turned on (I left an important part out so no one can just copy it). To check something like that in the past you simply needed to run

string.dump( ("").gsub ) == "gsub"
True means it's not hacked. But now, if anyone did hijack the string functions, a check like that would result in an error on a good system, so you would need to wrap it in a pcall. To clean the system you run

getmetatable("").__index = string

Change the first part to whatever the entry point is in that version. I refer to the string metatable only because as far as I have seen that's the only vulnerability that CC has had pop up several times and which could again. Gsub is run within the bios so that's usually the entry point for any viruses of that nature I've seen
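Added example (not HDeffo's or BLAST's code) of the detection and clean-up described above, written so the check itself cannot trip the hijack: it reads `__index` with rawget instead of indexing a string value, and wraps getmetatable in pcall because newer CraftOS errors on string metatable access. Plain Lua 5.1; the proxy installed in the demonstration is a harmless stand-in, not a payload.

```lua
-- Added example, not BLAST code: detect and undo the string-metatable hijack
-- HDeffo describes, without triggering it. Plain Lua 5.1; on newer CraftOS
-- getmetatable("") itself errors, which pcall turns into a "protected" verdict.

-- Never index a string (e.g. ("").gsub) while checking: with a hijacked
-- __index that lookup is exactly what runs the payload. Read the metatable raw.
local function check_string_metatable()
  local ok, mt = pcall(getmetatable, "")
  if not ok then return "protected", "getmetatable blocked: " .. tostring(mt) end
  if type(mt) ~= "table" then return "protected", "no metatable exposed" end
  local idx = rawget(mt, "__index")
  if idx == string then return "clean", nil end
  return "hijacked", "__index is a " .. type(idx)
end

-- Restore the stock lookup table; returns true when something was changed.
local function repair_string_metatable()
  local ok, mt = pcall(getmetatable, "")
  if not ok or type(mt) ~= "table" or rawget(mt, "__index") == string then
    return false
  end
  rawset(mt, "__index", string)
  return true
end

-- Demonstration on a plain interpreter: install a harmless proxy __index
-- (stands in for a hijack, runs no payload), detect it, then repair.
local status, detail = check_string_metatable()
print("before:", status, detail)
if status == "clean" then
  getmetatable("").__index = function(_, k) return string[k] end
  print("after proxy:", check_string_metatable())
  print("repaired:", repair_string_metatable())
  print("after repair:", check_string_metatable())
end
```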

#7 minebuild02

  • Members
  • 97 posts

Posted 05 August 2016 - 09:37 AM

HDeffo, on 05 August 2016 - 01:50 AM, said:

--snip--
Will think of that. Could you send the full code to me in a PM so I could review and classify it?
EDIT: Latest version of CC prevents access to the string metatable.

Edited by minebuild02, 05 August 2016 - 09:45 AM.


#8 Piorjade

  • Members
  • 244 posts
  • Location: Computer, Germany

Posted 05 August 2016 - 10:13 AM

I really would like to include that in my OS, which will soon get movable windows.

It will probably be pre-installed so users are able to delete it.

The question is if you want me to do this and if yes, if this really is useful/stable at this state?

#9 HDeffo

  • Members
  • 214 posts

Posted 05 August 2016 - 12:10 PM

Yeah the latest version has it blocked however it didn't use to be and prior to that there were other various ways of getting to it. Honestly, I'm fully expecting it to be exposed somehow again in a future version by accident

#10 minebuild02

  • Members
  • 97 posts

Posted 06 August 2016 - 04:04 PM

Piorjade, on 05 August 2016 - 10:13 AM, said:

I really would like to include that in my OS, which will soon get movable windows.

It will probably be pre-installed so users are able to delete it.

The question is if you want me to do this and if yes, if this really is useful/stable at this state?

Yes, it is stable and useful. Do it!

HDeffo, on 05 August 2016 - 12:10 PM, said:

Yeah the latest version has it blocked however it didn't use to be and prior to that there were other various ways of getting to it. Honestly, I'm fully expecting it to be exposed somehow again in a future version by accident

I'll think of something, but the fix gives me a VM error in the emulator

#11 minebuild02

  • Members
  • 97 posts

Posted 06 August 2016 - 05:19 PM

ReactOS AntiMalware is now supplemented by an RTS driver! Just run it once per boot. As always I'm open to suggestions.

Edited by minebuild02, 06 August 2016 - 05:20 PM.


#12 minebuild02

  • Members
  • 97 posts

Posted 07 August 2016 - 09:25 AM

1.4 of the Suite is now out! It now has a unified installer!
Also I have fixed a huge bug in one of the signatures that caused any file to be detected as a dropper of one of the viruses, and added a ransomware signature.
Oh, and 1.5 is already out. Checksums are on their way...

Edited by minebuild02, 07 August 2016 - 09:40 AM.


#13 FoxData

  • Members
  • 159 posts

Posted 07 August 2016 - 05:06 PM

ReactOS is a free OS that looks like Windows.

#14 minebuild02

  • Members
  • 97 posts

Posted 07 August 2016 - 06:46 PM

FoxData, on 07 August 2016 - 05:06 PM, said:

ReactOS is a free OS that looks like Windows.
I know... It's a temporary name. Will be renamed soon to resolve copyright issues
Renamed.

Edited by minebuild02, 08 August 2016 - 09:09 AM.


#15 Piorjade

  • Members
  • 244 posts
  • Location: Computer, Germany

Posted 09 August 2016 - 10:25 PM

K, I got windows working 'n stuff (they work in the background too but have to be minimized first)... the only thing is if this works completely safe, so I'm going to test this before even releasing the new version of my OS :D
Btw it definitely will be a standalone program, which can be deleted by the user. I have 2 reasons for that:
- You say you'll create your own OS which will include your program
- Maybe people don't want to have it installed, so they easily can delete it
And here a quick preview of the window system:

Edited by Piorjade, 09 August 2016 - 10:28 PM.


#16 Piorjade

  • Members
  • 244 posts
  • Location: Computer, Germany

Posted 09 August 2016 - 10:56 PM

Ok here is my testing result:
Using RTS in the shell leads to crashing everywhere (no matter what I do, it says this: rts:335: attempt to concatenate nil and string (2 times) and then the OS shuts down)

Then I wrote a sample code (I don't know if that's marked as a virus :/):

os.pullEvent = os.pullEventRaw
while true do
  S = ""
  for i=1, 50 do
    S = S..math.random(0,1)
  end
  write(S)
  sleep(0)
end

And used scan on it:

Using "behaviour" = Checking /tst
scan:386: unfinished capture
Using "link" = Checking /tst
File is clean!
Using "def" = (Same as above)

So I'd say if you fix the RTS (if you can), I'd "inject" it into the shell app, which first loads the RTS and then shell.

Or if you'd fix scan(behaviour), I'd include it as a standalone application, which the user can execute and check a downloaded file (this would be extremely useful because many people like to use Firewolf and I made a browser myself, which will be released soon and included in my OS)

#17 Gorzoid

  • Members
  • 44 posts

Posted 12 August 2016 - 01:00 AM

One thing you may want to try out is compiling the virus with loadstring, then string.dump'ing the function into a compiled dump containing all strings, all the code etc. This means that syntax obfuscation is virtually useless, because the Lua compiler removes it all. Take a look at my unfinished bytecode library I posted if you want to see how you can read Lua dumps (yes, I know it's very big; if CC used Lua 5.3 I could do it all using string.pack).
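Added example (not Gorzoid's library or BLAST code) of the bytecode approach in its cheapest form: compile with loadstring, string.dump the result, and search the dump for indicator strings from the constant pool. It also shows the limit a practitioner should know about: the Lua 5.1 compiler does not fold `..` on literals, so a split string never appears whole in the dump. Assumes loadstring and string.dump are available, as on CraftOS; the indicator list and samples are constructed and the chunks are never executed.

```lua
-- Added example, not BLAST code: scan the constant pool of compiled bytecode,
-- as Gorzoid suggests. Assumes loadstring and string.dump exist (Lua 5.1 /
-- CraftOS); the chunk is only compiled, never run.
local function dump_of(src)
  -- fixed chunkname, otherwise Lua 5.1 embeds the source text itself as the name
  local fn, err = loadstring(src, "=sample")
  if not fn then return nil, err end
  return string.dump(fn)
end

-- Constructed indicator strings a scanner might look for among the constants.
local INDICATORS = { "pullEventRaw", "startup" }

local function scan_constants(src)
  local dump, err = dump_of(src)
  if not dump then return nil, "compile failed: " .. tostring(err) end
  local hits = {}
  for _, s in ipairs(INDICATORS) do
    if dump:find(s, 1, true) then hits[#hits + 1] = s end  -- plain substring search
  end
  return hits
end

-- Constructed samples. Comments, spacing and semicolons never reach the
-- bytecode and t["k"] becomes the constant "k", so the first one is caught.
-- The Lua 5.1 compiler does not fold ".." on literals, so the second sample
-- only has "pull" and "EventRaw" in its pool and slips past a constant scan.
-- The third does not compile at all, which a scanner must report, not crash on.
local samples = {
  { "bracket", 'local o = os ; ; -- nothing to see\n  o[ "pullEventRaw" ]  = nil' },
  { "concat",  'local o = os\no["pull" .. "EventRaw"] = nil' },
  { "broken",  'local o = = os' },
}
for _, s in ipairs(samples) do
  local hits, err = scan_constants(s[2])
  print(s[1], err or (#hits > 0 and table.concat(hits, ",") or "no indicators"))
end
```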

#18 minebuild02

  • Members
  • 97 posts

Posted 12 August 2016 - 10:04 AM

Piorjade, on 09 August 2016 - 10:56 PM, said:

Ok here is my testing result:
Using RTS in the shell leads to crashing everywhere (no matter what I do, it says this: rts:335: attempt to concatenate nil and string (2 times) and then the OS shuts down)

Then I wrote a sample code (I don't know if that's marked as a virus :/):

os.pullEvent = os.pullEventRaw
while true do
  S = ""
  for i=1, 50 do
    S = S..math.random(0,1)
  end
  write(S)
  sleep(0)
end

And used scan on it:

Using "behaviour" = Checking /tst
scan:386: unfinished capture
Using "link" = Checking /tst
File is clean!
Using "def" = (Same as above)

So I'd say if you fix the RTS (if you can), I'd "inject" it into the shell app, which first loads the RTS and then shell.

Or if you'd fix scan(behaviour), I'd include it as a standalone application, which the user can execute and check a downloaded file (this would be extremely useful because many people like to use Firewolf and I made a browser myself, which will be released soon and included in my OS)
I'll begin work immediately

#19 minebuild02

  • Members
  • 97 posts

Posted 12 August 2016 - 10:09 AM

1.6 is out, scan will be updated soon

#20 minebuild02

  • Members
  • 97 posts

Posted 21 August 2016 - 09:14 AM

Have no way to fix the behavioural scanner for now. Definitions will be updated
