BasicOs

Are my AutoIt3 exe's infected

4 posts in this topic

#1 ·  Posted (edited)

Yes to the first question, and yes to the second. The reason AV companies just decide upon UPX as being bad is because that is a common signature, and the "lazy" way of getting it done.

JS

For sure, they can look for traces in many ways.

I made an Antivir for a group of customers a long time ago (Echo/Bleah), and I know what it is looking for: sigs, traces, reading RAM, reading disk, FAT, fixing the MBR, accessing the byte level, and so on...

If they worked a little more, they could even identify some dangerous AutoIt code directly after UPX.

The problem could evolve: it would take only months for virus-makers to make some changes, and then it could be really difficult to know what is dangerous or not. I will not explain how, obviously.

I see that in the future we should solve that problem ourselves by helping the AV companies, if they need it, to make some rules about what is dangerous and what is not, as nobody knows AutoIt code better than the scripters themselves. (I hope that will not be necessary.)

I think, for example, there is something the Devs made in the eval() UDF restrictions...

Edited by BasicOs


The Developers have certainly set an example by limiting functionality in some areas, but Jon has also already spoken with major AV companies and has been denied in his interest in sharing the AutoIt signature. Jon has tried on multiple occasions (as my understanding goes), but to no avail.

I do appreciate the response though,

JS



Sorry,

I did not mean that, because all signatures are the same for the AutoIt engine and UPX; I meant after UPX + AutoIt engine + scripting code.

How do they detect changes in the scripting code? They do it now at the binary level, but that check can be overridden; what happens then, when the low-level checking is no longer working? ... That was what I was talking about in my last post... I do not give more details because it is not a joke.

If some qualified scripter wishes, I can give details of:

The danger and how this antivirus bug is working.

Exactly how they use the virus signatures.

How I think that Antivir GmbH solved the false check, easily.

How next time it can become quite difficult, even a headache, for any antivirus company.

I will not explain any more, because I do not want to give a virus-making lesson... on how the bug works.

:whistle:

P.S. The Aha interface does not have problems with viruses anyway, as there is no exe on the client computer.

