Posted: Wed Aug 03, 2016 7:17 pm Post subject: FossHub/MBR overwriting malware
So most of you must have heard about the FossHub compromise and this 'new' MBR overwriting malware. What I really find interesting about this whole thing is the VirusTotal report for the malware files. FossHub has cleaned up all of the files now, but watch this video to see the guy analyze/fix the malware.
What's interesting in that VirusTotal report (in the video) is that only 3 antiviruses are detecting the malware, and those are only generic detections. I can't believe it! Surely a malware wiping out your MBR must be triggering AVs left and right, right? I mean, they go ape crazy when a trainer is accessing another process; an MBR is a big fucking deal, so it must trigger something, anything? NOPE.
The funny thing is all AVs are going to start pushing updates and NOW detect it as malware. Man, that's fucking stupid. FossHub has cleaned up the site anyway and this malware is going to be history soon, so what's the point of an AV when it can't protect you in the first place?
This simply strengthens the position of AVs as nothing more than intrusive malware hogging system resources and interfering with normal processes. They are just a blanket of false security.
Anyone relying on their common sense instead of a shitty made-for-money app would instantly see the big red flags in that malware exe: no publisher information, the elevated privilege status of the malware. But most of all, people with AVs were just as insecure as anyone not using one!
PS: I am not infected, I didn't know about FossHub until now, but I am still writing this angry rant because I am sick of AVs fucking up my beautiful trainers' functionality, and I am sick of explaining to idiots that AVs are just beautifully wrapped malware and that them detecting my trainers as malware is just a false positive. _________________
Yes, you are right about antivirus, but still you have to admit that not all are capable of fixing their own computer when they get infected, thus an antivirus is still a good deterrent to such a problem.
When heuristic scanning was introduced by TBAV (as far as I know), a friend and I created a virus that would surely bypass such detection by removing obvious code that would make it an obvious virus. That idea came about when we started reverse engineering a polymorphic virus.
All antivirus applications are susceptible to a well-thought-out virus. So you just have to change your approach on your trainers so that they are not detected as false positives, and it is not easy to do so since there are more paranoid antiviruses than ever that slow down any computer regardless. But I am optimistic that it is still not impossible to do so. _________________
I don't think antivirus helps the average user, including the ones who can't fix their computers.
This happened really recently to me (just a few months ago): my classmate asked me to fix his computer because he had viruses on it and his internet didn't work.
So I went to his home expecting some really evil type of malware junk eating up so many resources that his internet wasn't working. I must have looked at the task manager processes, his system drives and the network center for a good 20 or so minutes, completely clueless as to why it wasn't working. There was no malware, none that I could find.
It did not make sense. He had AVG and 360 Total Security antiviruses installed, both up to date, so how could he still be infected? I was really impressed at this rootkit/invisible malware managing to avoid two "famous" "amazing" antiviruses.
I don't know what I thought at the time, but I decided to uninstall both the antiviruses. I was more certain than death and taxes that they weren't helping the situation; they never have. Lo and behold, miracle of miracles, the moment I uninstalled them, that network computer finding-a-network-connection icon appeared and his internet STARTED WORKING!!
I told him to stay the fuck away from antiviruses even if it means he gets infected; at least the malware won't fuck up his internet.
That's not an isolated event. I have to use my university computers for doing stuff, and this one in particular had so much malware that I was really scared of my credentials being stolen or a keylogger being in there somewhere. It doesn't help that the only account available is a limited one without any privileges, so I couldn't clean it up. I had a lot of faith in Malwarebytes Anti-Malware, so I installed that and let it scan. It did manage to find something and also cleaned something, but then it said that to clean them all I had to buy it or some shit, hahaaaaa. This worthless piece of software couldn't detect the obvious malware I could see in my task manager; it was right fucking there. It only found some PUPs and registry keys...
It is impossible to do when it comes to trainers. You know why? Because there isn't any specific detection, or any detection at all. They simply have a lot of prejudice against trainers. Antiviruses have blacklisted two APIs that are an integral part of every trainer: WriteProcessMemory and the DLL injection path.
I wish I was talking out of my ass about this, but no: back in 2014, my team-mate iNVOKE and I sent emails to several of the antivirus companies which were detecting our trainers.
As much as I hate to admit it, Norton's support was the most helpful and friendly. They suggested we grab a digital cert and apply it to our trainers so they could whitelist it, or we could send them each of our trainers EVERY TIME we updated for them to whitelist.
Their detection was based on the POPULARITY of the software: if an exe is unknown/not used by many/not encountered a lot by their antivirus, then IT WOULD BE GIVEN A MALWARE/PUP designation automatically!
F-Secure also whitelisted our trainer, but they said we had to send every one of our trainers each time we did a single byte change for their antivirus to stop detecting it. AND EVEN THEN, their antivirus would stop the trainer from INJECTING/WORKING unless the user adds it to the exceptions.
VIPRE outright denied it and had the audacity to reply that the trainer we sent them was malware.
This trainer was well thought out and modified to evade detections; I figured out which bytes were triggering detections, then either changed their sequence or encrypted them. Back in 2014, these two trainers had only one detection, by VIPRE, because they refused to remove their detection and said it was malware. Look now.
So yes, it is possible to design an MBR overwriting virus that can avoid detection, but when it comes to trainers, you're fucked.
You know where the real problem lies? Nobody in the trainer industry is rich enough to sue these bastards, or those rich enough can't be arsed, and these big asshole antivirus companies are scared of fucking with other big companies. Ultimately, it is all a game of extortion. Norton was kind enough to tell me that if I bought their certificate, they would drop the detections. We just have to live with this antivirus mafia fucking our beautiful trainers and making us look like criminals. _________________
Joined: 09 May 2003 Posts: 25793 Location: The netherlands
Posted: Sat Aug 06, 2016 2:48 am Post subject:
About the certificates, I believe they meant a Microsoft code signing certificate, not Norton's.
Of course, even then, they can still pick it up. (CE even has its own name lol: Win32/HackTool.CheatEngine.AF)
And if your certificate is new, then Windows 10 will block your exe until enough people have run it. (Yes, Windows 10 tells Microsoft's servers which exes you run.) _________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping