
Thread: How BugHunter Works; for those interested.

  1. #21
    Red Rufus Guest

    Re: How BugHunter Works; for those interested.

    Dustin Cook wrote:
    > BugHunter uses a proprietary checksum algorithm that I developed over
    > 14 years ago. In an effort to reduce scantime, BugHunter scans files
    > ONLY if they have a known filelength; IE: Known to BugHunter as
    > potentially being malicious. Once BugHunter takes a scan of the
    > suspect file, it gets two 32bit numbers in a specific order. If the
    > numbers match the record as well as the filelength in the correct
    > order, BugHunter considers it a valid match and looks the information
    > up to give it a more descriptive name, of course that depends on the
    > record having a matching description in one of the buginfo files.
    >
    >
    > I hope this will help with any questions you may have about what
    > BugHunter is, and what it is not. If you have any questions, I will
    > monitor this thread; you may respond here or in email.
    >
    > Thanks for reading!


    No thanks required on account I'm not interested.



  2. #22
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    "Red Rufus" <Rufus_The_Red@here> wrote in
    news:46b523f2$1@news.cuneo2lemon.net:

    > Dustin Cook wrote:
    >> BugHunter uses a proprietary checksum algorithm that I developed over
    >> 14 years ago. In an effort to reduce scantime, BugHunter scans files
    >> ONLY if they have a known filelength; IE: Known to BugHunter as
    >> potentially being malicious. Once BugHunter takes a scan of the
    >> suspect file, it gets two 32bit numbers in a specific order. If the
    >> numbers match the record as well as the filelength in the correct
    >> order, BugHunter considers it a valid match and looks the information
    >> up to give it a more descriptive name, of course that depends on the
    >> record having a matching description in one of the buginfo files.
    >>
    >>
    >> I hope this will help with any questions you may have about what
    >> BugHunter is, and what it is not. If you have any questions, I will
    >> monitor this thread; you may respond here or in email.
    >>
    >> Thanks for reading!

    >
    > No thanks required on account I'm not interested.


    That's perfectly okay too. You were interested enough to bother wasting
    your time to tell me you're not interested. LoL. Good morning to you in
    any event!


    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml


  3. #23
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    4Q <paul_zest@hushmail.com> wrote in
    news:1186210186.934565.261110@q75g2000hsh.googlegroups.com:

    > Dustin Cook wrote:
    >> 4Q <paul_zest@hushmail.com> wrote in
    >> news:1186178765.339064.121310@19g2000hsx.googlegroups.com:
    >>
    >> > Dustbin Cook wrote:
    >> >> BugHunter uses a proprietary checksum algorithm that I developed
    >> >> over 14 years ago.

    >
    > <snip>
    >
    >>
    >> Come back with substance, lamer.
    >>

    >
    > Okay, how about this.


    Hahahaha. Okay then.

    >> Oh, and you might as well update your page, unless you like being
    >> punched repeatedly in the nose, not to mention how stupid you now
    >> appear to be, what with your claims of string scanning.. HAHAHA. I
    >> told you originally it's not a string scanner. The algorithm is
    >> clearly more advanced than you're capable of understanding. Haha.
    >>

    >
    > You stated I had no understanding of
    > how checksummers worked a while back,
    > along with this assumption you also


    Are you having trouble comprehending what's written or something? You're
    getting very sloppy in your attempts to skate around my righteous
    assaults. *grin*. I said you claimed BugHunter is a string scanner and
    later you said it was a checksummer or a string scanner, basically you
    didn't know. I've been able to prove that with your own doing, dummy.

    I said substance dummy, bring it!


    > is a computer science / mathematics
    > cookbook full of "algorithms"


    Out of curiosity, what concern is it really of yours how it works
    specifically? I don't see symantec or anyone else providing such
    information to anonymous persons. Why do you think I should treat you any
    differently? What makes you think you're entitled or special in some
    fashion?

    > See if you can get one of your groundhog
    > friends to put on a Harry Potter wizards


    *awe*. I 0wned you when I explained the lighting situation and my amusing
    nickname for this area. Give it up, I got you with your own medicine.
    Laugh as I laugh.

    Once again, your efforts to troll and derail this thread aren't going so
    well. You wanted to know how it worked, you didn't have the mental
    capacity to figure it out, obviously. So I've told you in a general
    fashion what's going on. I've provided you more information in fact than
    anyone else who writes software like this would. I really don't
    understand why you think you're entitled to access to its source code, or
    specific knowledge of how it works? The general description should be
    adequate. It's more detailed than symantec would offer an anonymous
    person such as yourself.

    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml


  4. #24
    4Q Guest

    !Bug**** algorjism! Re: How BugHunter Works; for those interested.

    Dustin Cook wrote:
    > 4Q <paul_zest@hushmail.com> wrote in
    > news:1186210186.934565.261110@q75g2000hsh.googlegroups.com:
    >
    > > Dustin Cook wrote:
    > >> 4Q <paul_zest@hushmail.com> wrote in
    > >> news:1186178765.339064.121310@19g2000hsx.googlegroups.com:
    > >>
    > >> > Dustbin Cook wrote:
    > >> >> BugHunter uses a proprietary checksum algorithm that I developed
    > >> >> over 14 years ago.

    > >
    > > <snip>

    >
    >
    > >>
    > >> Come back with substance, lamer.
    > >>

    > >
    > > Okay, how about this.

    >
    > Hahahaha. Okay then.
    >
    > >> Oh, and you might as well update your page, unless you like being
    > >> punched repeatedly in the nose, not to mention how stupid you now
    > >> appear to be, what with your claims of string scanning.. HAHAHA. I
    > >> told you originally it's not a string scanner. The algorithm is
    > >> clearly more advanced than you're capable of understanding. Haha.
    > >>

    > >
    > > You stated I had no understanding of
    > > how checksummers worked a while back,
    > > along with this assumption you also

    >
    > Are you having trouble comprehending what's written or something? You're
    > getting very sloppy in your attempts to skate around my righteous
    > assaults. *grin*. I said you claimed BugHunter is a string scanner and
    > later you said it was a checksummer or a string scanner, basically you
    > didn't know. I've been able to prove that with your own doing, dummy.
    >
    > I said substance dummy, bring it!
    >
    >
    > > is a computer science / mathematics
    > > cookbook full of "algorithms"

    >
    > Out of curiosity, what concern is it really of yours how it works
    > specifically? I don't see symantec or anyone else providing such
    > information to anonymous persons. Why do you think I should treat you any
    > differently? What makes you think you're entitled or special in some
    > fashion?
    >
    > > See if you can get one of your groundhog
    > > friends to put on a Harry Potter wizards

    >
    > *awe*. I 0wned you when I explained the lighting situation and my amusing
    > nickname for this area. Give it up, I got you with your own medicine.
    > Laugh as I laugh.
    >
    > Once again, your efforts to troll and derail this thread aren't going so
    > well. You wanted to know how it worked, you didn't have the mental
    > capacity to figure it out, obviously. So I've told you in a general
    > fashion what's going on. I've provided you more information in fact than
    > anyone else who writes software like this would. I really don't
    > understand why you think you're entitled to access to its source code, or
    > specific knowledge of how it works? The general description should be
    > adequate. It's more detailed than symantec would offer an anonymous
    > person such as yourself.
    >


    You forgot to include AUK. I thought
    the content of your kookie post would
    be of interest for future reference
    so I've kindly reposted it for you.


    4Q


  5. #25
    4Q Guest

    !Bug**** contradiction! Re: How BugHunter Works; for those interested.

    Dustbin Cook wrote:
    > 4Q <paul_zest@hushmail.com> wrote in
    > news:1186210186.934565.261110@q75g2000hsh.googlegroups.com:
    >


    <snip inane inner working of Dust****s
    diseased mind>

    >
    > Out of curiosity, what concern is it really of yours how it works
    > specifically?


    Because you started a thread stating
    "How Bug**** works; for those interested"
    then you made a big song and dance about
    fielding questions from anyone, then
    thanked everyone for attending your
    little marketing campaign.

    So there ya go, I'm asking one of them
    questions you invited us all to participate
    in and I'm interested "How Bug**** works"
    I know you are a thick ****snot but I
    thought you might have figured it out,
    without having to wave a magic wand over
    the screen?!

    Also I'd like to see some Assembly code
    that you keep telling us you are capable
    of writing. I mean I've put my Assembly
    code up for scrutiny and challenged you
    to show us all you can analyse it. But I
    have a feeling you are bull****ing us.


    4Q


  6. #26
    Russg Guest

    Re: How BugHunter Works; for those interested.


    "Andy Walker" <> wrote in message news:
    > Russg wrote:
    >
    > >I didn't know the
    > >difference between gophers and groundhogs.
    > >Both are under ground living pests in people's yards.

    >
    > Not really. A groundhog spends most of its time above ground
    > foraging. Gophers live mostly underground, but do come up for a bit
    > of fresh air from time to time.

    Peterson Field Guide to Mammals:
    Gophers have a bare, ratlike, tail. Are smaller than
    Ground Hogs. There are no gophers where I live.
    Gophers are out west, some in Georgia to Florida.
    There are ground hogs in Ohio, but no gophers.
    Woodchucks have a bushy tail, not as big and bushy as a squirrel.



  7. #27
    kurt wismer Guest

    Re: How BugHunter Works; for those interested.

    Andy Walker wrote:
    > Dustin Cook wrote:
    >
    >> If you have any questions, I will
    >> monitor this thread; you may respond here or in email.

    >
    > Ok, say I'm a malware writer and want to evade your program. It seems
    > to me that all I have to do is pad a few kilobytes of garbage into my
    > program and randomly modify the size every now and then. I could evade
    > your program for a very long time under that scenario. Is that
    > correct?


    if you're willing to manually change your malware in that way on a
    regular basis then yes you'd probably be able to evade bughunter - not
    to mention a number of other products... zlob anyone?

    if the algorithm for producing the transformations is known then the
    complexity of detecting all forms is comparable to polymorphic (or
    perhaps metamorphic depending on the complexity of the transformations)
    detection...

    if the algorithm is not known (server-side polymorphism) or if the
    transformations are not algorithmic (manual transformation) then the
    complexity is as yet unbounded and there's no good solution for it...

    --
    "it's not the right time to be sober
    now the idiots have taken over
    spreading like a social cancer,
    is there an answer?"

  8. #28
    kurt wismer Guest

    Re: How BugHunter Works; for those interested.

    Andy Walker wrote:
    [snip]
    > I understand what you're saying, but some scanners take into account
    > other metrics like the existence of certain registry keys, or even the
    > structure of supporting files used as databases for the malware. A
    > complete deconstruction of the offending malware *could* produce
    > enough information to snare all its variants. Heh! but then who's got
    > the time... ;-)


    a *complete* deconstruction of the malware (or any program, really)
    falls outside the realm of computability as it is reducible to the
    halting problem...

    bearing that in mind, there is technology that approaches complete
    deconstruction but it's not appropriate for productization because of
    the level of expertise required to validate the results or tweak/guide
    the process - it's usually used by av research labs to help automate the
    processing of malware samples...

    the more you dumb down the human requirements, the less complete the
    deconstruction and the closer you get to heuristics...

    --
    "it's not the right time to be sober
    now the idiots have taken over
    spreading like a social cancer,
    is there an answer?"

  9. #29
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    "Russg" <russgilb@MUNGEsbcglobal.net> wrote in
    news:%DRsi.12542$eY.8974@newssvr13.news.prodigy.net:

    >
    > "Dustin Cook" <> wrote in message news:
    >> BugHunter uses a proprietary checksum algorithm that I developed over
    >> 14 years ago. In an effort to reduce scantime, BugHunter scans files
    >> ONLY if they have a known filelength; IE: Known to BugHunter as
    >> potentially being malicious. Once BugHunter takes a scan of the
    >> suspect file, it gets two 32bit numbers in a specific order. If the
    >> numbers match the record as well as the filelength in the correct
    >> order, BugHunter considers it a valid match and looks the information
    >> up to give it a more descriptive name, of course that depends on the
    >> record having a matching description in one of the buginfo files.
    >>
    >>
    >> I hope this will help with any questions you may have about what
    >> BugHunter is, and what it is not. If you have any questions, I will
    >> monitor this thread; you may respond here or in email.
    >>
    >> Thanks for reading!
    >>

    > Question comes to mind. Where do you get samples to get your ID CRC
    > and length? Someone at one of the AV vendors?


    Apologies for being a smartass about this question earlier. I acquire
    suspected malware samples from a variety of sources. If you submit
    samples to sites like

    http://scanner.virus.org/
    http://virusscan.jotti.org/
    http://www.virustotal.com/

    I will probably get them around the same time as everyone else in the
    antimalware community does. Trust is an important issue obviously as
    these are potentially dangerous executables. It's not a matter of a
    person providing me samples, but the community itself. 4Q likes to claim
    I'm untrustworthy, yet people on both sides of the fence trust me. It
    doesn't make sense to anyone besides 4q in his paranoid state of mind.

    Another method I do, as do many others, is to surf with unsafe browsers
    on sites that I know are not safe. I'm also into collecting screensavers,
    and I'll even play user for a day and get things like kazaa and "trust"
    the filenames are real, and infect my virtual workstation all day.

    Another option is the bots and various trojans sent these days via email,
    typically as a greeting card. I can't thank people enough for providing
    spamsites my email address. They send the junk right to me, I don't even
    have to look.

    I also maintain various accounts on social networking sites, that will
    gladly accept unknown executables from anyone. Happily! It'll even accept
    friends that are bots. LoL. It'll fall for anything that may result in an
    infection of some kind.

    I have bots that travel on irc, they accept dcc file sends from
    strangers. Any strangers, send whatever junk you want.

    I have bots monitor specific email addresses I have setup to capture
    fresh samples.

    I said something about shells remember? Well, this is all done mainly
    using them. It's why 4Q's so pissed off. He has an idea of the bandwidth
    and server cpu power I have access to, and I won't share. hehehehe.

    There's always a user who gets infected with something new, so they send
    it along to me for analysis. I do my best to help them clear the issue up
    over email, if I can. Since I test the little buggers in a virtual
    environment where they can change whatever they like, but they're going to
    be leaving footprints while doing so. I also disassemble them and take
    notes for later. Most of the stuff is really pretty lousy programming. I
    wrote some bad code back in the day myself, but these trojans/spybots etc
    are really poorly written.

    I suppose with so many executable variants of the same thing, they can
    afford for it to work on some systems in a hit and miss fashion.

    If you have any other serious questions, I'll try to answer them for you.

    Have a good one!





    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml


  10. #30
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    kurt wismer <kurtw@sympatico.ca> wrote in news:f931q4$r8m$2
    @registered.motzarella.org:

    > Andy Walker wrote:
    >> Dustin Cook wrote:
    >>
    >>> If you have any questions, I will
    >>> monitor this thread; you may respond here or in email.

    >>
    >> Ok, say I'm a malware writer and want to evade your program. It seems
    >> to me that all I have to do is pad a few kilobytes of garbage into my
    >> program and randomly modify the size every now and then. I could evade
    >> your program for a very long time under that scenario. Is that
    >> correct?

    >
    > if you're willing to manually change your malware in that way on a
    > regular basis then yes you'd probably be able to evade bughunter - not
    > to mention a number of other products... zlob anyone?


    Hi Kurt. Thanks for mentioning what should be obvious to anyone.

    No offense Andy, but BugHunter can be beaten using the same tricks you'd
    use on other products. It's not foolproof either.


    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml
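
An added example, not part of any post in this thread and not BugHunter's code: a minimal length-gated exact-match scanner of the kind described in the opening post, showing which files get checksummed at all and why a file whose length is not in the table is never examined, the limit acknowledged in #27 and #30. The CRC-32/Adler-32 pair, the class, status and record names, and the sample bytes are assumptions; the actual algorithm is proprietary and not disclosed in the thread.

```python
import zlib
from typing import Dict, NamedTuple, Optional, Set, Tuple


class ScanResult(NamedTuple):
    status: str              # "skipped", "no-match" or "match"
    name: Optional[str]      # description, when the record has one


class LengthGatedScanner:
    """Exact-match scanner: file length first, then two ordered 32-bit sums."""

    def __init__(self) -> None:
        self._records: Dict[int, Set[Tuple[int, int]]] = {}   # length -> sums
        self._names: Dict[Tuple[int, int, int], str] = {}     # description table
        self.files_checksummed = 0                            # scan-time cost

    @staticmethod
    def checksums(data: bytes) -> Tuple[int, int]:
        # Assumption: CRC-32 then Adler-32 stand in for the undisclosed sums.
        return zlib.crc32(data) & 0xFFFFFFFF, zlib.adler32(data) & 0xFFFFFFFF

    def add_record(self, sample: bytes, name: Optional[str] = None) -> None:
        pair = self.checksums(sample)
        self._records.setdefault(len(sample), set()).add(pair)
        if name is not None:
            self._names[(len(sample), *pair)] = name

    def scan(self, data: bytes) -> ScanResult:
        candidates = self._records.get(len(data))
        if candidates is None:
            # Unknown length: the file is never read for checksumming.
            return ScanResult("skipped", None)
        self.files_checksummed += 1
        pair = self.checksums(data)          # order matters: (first, second)
        if pair not in candidates:
            return ScanResult("no-match", None)
        # A record can match without having a descriptive name on file.
        return ScanResult("match", self._names.get((len(data), *pair), "unnamed record"))


# Constructed byte strings, not real malware and not real signature records.
KNOWN = b"MZ" + b"constructed-sample-A" * 8
SAME_LENGTH = b"MZ" + b"constructed-sample-B" * 8
DIFFERENT_LENGTH = KNOWN + b"\x00" * 16


def demo() -> Tuple[ScanResult, ScanResult, ScanResult, int]:
    scanner = LengthGatedScanner()
    scanner.add_record(KNOWN, "Constructed.Sample.A")
    results = (scanner.scan(KNOWN), scanner.scan(SAME_LENGTH),
               scanner.scan(DIFFERENT_LENGTH))
    return (*results, scanner.files_checksummed)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Only two of the three files are checksummed: the length gate is what saves scan time, and it is also why the match is exact to the byte count rather than to the content.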

