
Thread: How BugHunter Works; for those interested.


  1. #1
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    Andy Walker <awalker@nspank.invalid> wrote in news:46b3eafd.12865171
    @news.webtv.com:

    > Dustin Cook wrote:
    >
    >> If you have any questions, I will
    >>monitor this thread; you may respond here or in email.

    >
    > Ok, say I'm a malware writer and want to evade your program. It seems
    > to me that all I have to do is pad a few kilobytes of garbage into my
    > program and randomly modify the size every now and then. I could evade
    > your program for a very long time under that scenario. Is that
    > correct?
    >


    That's correct. That's exactly why we can't detect them all. Thousands upon
    thousands of similar variants, all written in HLL languages, so you have
    to be very careful in IDing them.

    It's not a flaw alone to BugHunter per se, that's the same tricks used to
    evade virus scanners too.


    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml


  2. #2
    Andy Walker Guest

    Re: How BugHunter Works; for those interested.

    Dustin Cook wrote:

    >Andy Walker <awalker@nspank.invalid> wrote in news:46b3eafd.12865171
    >@news.webtv.com:
    >
    >> Dustin Cook wrote:
    >>
    >>> If you have any questions, I will
    >>>monitor this thread; you may respond here or in email.

    >>
    >> Ok, say I'm a malware writer and want to evade your program. It seems
    >> to me that all I have to do is pad a few kilobytes of garbage into my
    >> program and randomly modify the size every now and then. I could evade
    >> your program for a very long time under that scenario. Is that
    >> correct?
    >>

    >
    >That's correct. That's exactly why we can't detect them all. Thousands upon
    >thousands of similar variants, all written in HLL languages, so you have
    >to be very careful in IDing them.
    >
    >It's not a flaw alone to BugHunter per se, that's the same tricks used to
    >evade virus scanners too.


    I understand what you're saying, but some scanners take into account
    other metrics like the existence of certain registry keys, or even the
    structure of supporting files used as databases for the malware. A
    complete deconstruction of the offending malware *could* produce
    enough information to snare all its variants. Heh! but then who's got
    the time... ;-)

  3. #3
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    Andy Walker <awalker@nspank.invalid> wrote in
    news:46b6205d.9107531@news.webtv.com:

    > Dustin Cook wrote:
    >
    >>Andy Walker <awalker@nspank.invalid> wrote in news:46b3eafd.12865171
    >>@news.webtv.com:
    >>
    >>> Dustin Cook wrote:
    >>>
    >>>> If you have any questions, I will
    >>>>monitor this thread; you may respond here or in email.
    >>>
    >>> Ok, say I'm a malware writer and want to evade your program. It
    >>> seems to me that all I have to do is pad a few kilobytes of garbage
    >>> into my program and randomly modify the size every now and then. I
    >>> could evade your program for a very long time under that scenario.
    >>> Is that correct?
    >>>

    >>
    >>That's correct. That's exactly why we can't detect them all. Thousands
    >>upon thousands of similar variants, all written in HLL languages, so
    >>you have to be very careful in IDing them.
    >>
    >>It's not a flaw alone to BugHunter per se, that's the same tricks used
    >>to evade virus scanners too.

    >
    > I understand what you're saying, but some scanners take into account
    > other metrics like the existence of certain registry keys, or even the
    > structure of supporting files used as databases for the malware. A
    > complete deconstruction of the offending malware *could* produce
    > enough information to snare all its variants. Heh! but then who's got
    > the time... ;-)
    >


    Alas.. another person who doesn't read the included documentation.. So
    here goes:

    http://bughunter.it-mate.co.uk/BUGFAQ.TXT

    "Q: Why does BugHunter detect so few compared to others?
    A: BugHunter *only* detects executables, and various vb, htm files.
    it doesn't detect registry keys, subkeys, cookies or urls stored
    in your favorites folder. As such, the amount of items BugHunter does
    detect is very small in comparison."



    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml


  4. #4
    kurt wismer Guest

    Re: How BugHunter Works; for those interested.

    Andy Walker wrote:
    [snip]
    > I understand what you're saying, but some scanners take into account
    > other metrics like the existence of certain registry keys, or even the
    > structure of supporting files used as databases for the malware. A
    > complete deconstruction of the offending malware *could* produce
    > enough information to snare all its variants. Heh! but then who's got
    > the time... ;-)


    a *complete* deconstruction of the malware (or any program, really)
    falls outside the realm of computability as it is reducible to the
    halting problem...

    bearing that in mind, there is technology that approaches complete
    deconstruction but it's not appropriate for productization because of
    the level of expertise required to validate the results or tweak/guide
    the process - it's usually used by av research labs to help automate the
    processing of malware samples...

    the more you dumb down the human requirements, the less complete the
    deconstruction and the closer you get to heuristics...

    --
    "it's not the right time to be sober
    now the idiots have taken over
    spreading like a social cancer,
    is there an answer?"

  5. #5
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    kurt wismer <kurtw@sympatico.ca> wrote in news:f931pn$r8m$1
    @registered.motzarella.org:

    > Andy Walker wrote:
    > [snip]
    >> I understand what you're saying, but some scanners take into account
    >> other metrics like the existence of certain registry keys, or even the
    >> structure of supporting files used as databases for the malware. A
    >> complete deconstruction of the offending malware *could* produce
    >> enough information to snare all its variants. Heh! but then who's got
    >> the time... ;-)

    >
    > a *complete* deconstruction of the malware (or any program, really)
    > falls outside the realm of computability as it is reducible to the
    > halting problem...


    Again, I want to thank you for stepping in and explaining the obvious.
    BugHunter is not the only program which can be defeated using the tricks
    Andy specified.


    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml


  6. #6
    kurt wismer Guest

    Re: How BugHunter Works; for those interested.

    Andy Walker wrote:
    > Dustin Cook wrote:
    >
    >> If you have any questions, I will
    >> monitor this thread; you may respond here or in email.

    >
    > Ok, say I'm a malware writer and want to evade your program. It seems
    > to me that all I have to do is pad a few kilobytes of garbage into my
    > program and randomly modify the size every now and then. I could evade
    > your program for a very long time under that scenario. Is that
    > correct?


    if you're willing to manually change your malware in that way on a
    regular basis then yes you'd probably be able to evade bughunter - not
    to mention a number of other products... zlob anyone?

    if the algorithm for producing the transformations is known then the
    complexity of detecting all forms is comparable to polymorphic (or
    perhaps metamorphic depending on the complexity of the transformations)
    detection...

    if the algorithm is not known (server-side polymorphism) or if the
    transformations are not algorithmic (manual transformation) then the
    complexity is as yet unbounded and there's no good solution for it...

    --
    "it's not the right time to be sober
    now the idiots have taken over
    spreading like a social cancer,
    is there an answer?"

  7. #7
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    kurt wismer <kurtw@sympatico.ca> wrote in news:f931q4$r8m$2
    @registered.motzarella.org:

    > Andy Walker wrote:
    >> Dustin Cook wrote:
    >>
    >>> If you have any questions, I will
    >>> monitor this thread; you may respond here or in email.

    >>
    >> Ok, say I'm a malware writer and want to evade your program. It seems
    >> to me that all I have to do is pad a few kilobytes of garbage into my
    >> program and randomly modify the size every now and then. I could evade
    >> your program for a very long time under that scenario. Is that
    >> correct?

    >
    > if you're willing to manually change your malware in that way on a
    > regular basis then yes you'd probably be able to evade bughunter - not
    > to mention a number of other products... zlob anyone?


    Hi Kurt. Thanks for mentioning what should be obvious to anyone.

    No offense Andy, but BugHunter can be beaten using the same tricks you'd
    use on other products. It's not foolproof either.


    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml


  8. #8
    Lew/+Silat Guest

    Re: How BugHunter Works; for those interested.

    Dustin Cook wrote:
    > BugHunter uses a proprietary checksum algorithm that I developed over 14
    > years ago. In an effort to reduce scantime, BugHunter scans files ONLY
    > if they have a known filelength; IE: Known to BugHunter as potentially
    > being malicious. Once BugHunter takes a scan of the suspect file, it
    > gets two 32bit numbers in a specific order. If the numbers match the
    > record as well as the filelength in the correct order, BugHunter
    > considers it a valid match and looks the information up to give it a
    > more descriptive name, of course that depends on the record having a
    > matching description in one of the buginfo files.
    >
    >
    > I hope this will help with any questions you may have about what
    > BugHunter is, and what it is not. If you have any questions, I will
    > monitor this thread; you may respond here or in email.
    >
    > Thanks for reading!


    Thanks Dustin. Great little program..


    --
    Lew/+Silat



  9. #9
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    "Lew/+Silat" <Drafted1970number54SPAM@Invalid.com> wrote in
    news:38ednSW5j8VFrinbnZ2dnUVZ_hGdnZ2d@comcast.com:

    > Dustin Cook wrote:
    >> BugHunter uses a proprietary checksum algorithm that I developed over
    >> 14 years ago. In an effort to reduce scantime, BugHunter scans files
    >> ONLY if they have a known filelength; IE: Known to BugHunter as
    >> potentially being malicious. Once BugHunter takes a scan of the
    >> suspect file, it gets two 32bit numbers in a specific order. If the
    >> numbers match the record as well as the filelength in the correct
    >> order, BugHunter considers it a valid match and looks the information
    >> up to give it a more descriptive name, of course that depends on the
    >> record having a matching description in one of the buginfo files.
    >>
    >>
    >> I hope this will help with any questions you may have about what
    >> BugHunter is, and what it is not. If you have any questions, I will
    >> monitor this thread; you may respond here or in email.
    >>
    >> Thanks for reading!

    >
    > Thanks Dustin. Great little program..
    >
    >


    Thank You. A rather large update will be on the site within 20 minutes
    from the time this post goes live.


    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml


  10. #10
    Red Rufus Guest

    Re: How BugHunter Works; for those interested.

    Dustin Cook wrote:
    > BugHunter uses a proprietary checksum algorithm that I developed over
    > 14 years ago. In an effort to reduce scantime, BugHunter scans files
    > ONLY if they have a known filelength; IE: Known to BugHunter as
    > potentially being malicious. Once BugHunter takes a scan of the
    > suspect file, it gets two 32bit numbers in a specific order. If the
    > numbers match the record as well as the filelength in the correct
    > order, BugHunter considers it a valid match and looks the information
    > up to give it a more descriptive name, of course that depends on the
    > record having a matching description in one of the buginfo files.
    >
    >
    > I hope this will help with any questions you may have about what
    > BugHunter is, and what it is not. If you have any questions, I will
    > monitor this thread; you may respond here or in email.
    >
    > Thanks for reading!


    No thanks required on account I'm not interested.
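The matching scheme Dustin describes in the quoted post (scan only files whose length is already in the database, then compare two 32-bit numbers in a fixed order against the record) can be sketched as follows. This is an added example, not BugHunter's code: the real checksum is proprietary and not described in the thread, so the `two_checksums` function below is an assumed stand-in (CRC32 over each half of the file), and the sample bytes are constructed for the demonstration. It also makes concrete the caveat Andy and Kurt discuss: a file whose length is unknown to the database is never checksummed at all, so a padded copy of a known sample is simply skipped, which is why a length-keyed signature is cheap to scan with but brittle against trivial variants.

```python
import zlib

# Constructed sample file bodies for the demonstration (not real malware).
KNOWN_SAMPLE = b"MZ" + bytes(range(256)) * 4 + b" constructed sample payload"
PADDED_SAMPLE = KNOWN_SAMPLE + b"\x00" * 2048      # same content with padding appended
BENIGN_SAME_LENGTH = bytes(len(KNOWN_SAMPLE))       # unrelated file that shares the length


def two_checksums(data):
    """Return two 32-bit numbers in a fixed order.

    Assumed stand-in for BugHunter's proprietary checksum: CRC32 over the
    first half and CRC32 over the second half, so that the order of the
    two numbers carries information.
    """
    half = len(data) // 2
    return (zlib.crc32(data[:half]) & 0xFFFFFFFF,
            zlib.crc32(data[half:]) & 0xFFFFFFFF)


def make_record(name, data):
    """Build a signature record: file length plus the two checksums."""
    c1, c2 = two_checksums(data)
    return {"name": name, "length": len(data), "c1": c1, "c2": c2}


class LengthKeyedScanner:
    """Signature database keyed on file length, mirroring the described prefilter."""

    def __init__(self, records):
        self.by_length = {}
        for rec in records:
            self.by_length.setdefault(rec["length"], []).append(rec)
        self.checksummed = 0   # files whose checksums were actually computed
        self.skipped = 0       # files skipped because no record has their length

    def scan(self, data):
        """Return the record name on a full match, otherwise None."""
        candidates = self.by_length.get(len(data))
        if not candidates:
            self.skipped += 1      # unknown length: the file is never checksummed
            return None
        self.checksummed += 1
        c1, c2 = two_checksums(data)
        for rec in candidates:
            # Both numbers must match in the correct order, not merely as a set.
            if rec["c1"] == c1 and rec["c2"] == c2:
                return rec["name"]
        return None


def demo():
    """Scan the three constructed files; returns (results, checksummed, skipped)."""
    scanner = LengthKeyedScanner([make_record("Constructed.Sample.A", KNOWN_SAMPLE)])
    results = {
        "known": scanner.scan(KNOWN_SAMPLE),              # exact copy: detected
        "padded": scanner.scan(PADDED_SAMPLE),            # length changed: skipped entirely
        "same_length": scanner.scan(BENIGN_SAME_LENGTH),  # length known, checksums differ
    }
    return results, scanner.checksummed, scanner.skipped


def order_matters():
    """A record holding the right numbers in the wrong order must not match."""
    c1, c2 = two_checksums(KNOWN_SAMPLE)
    swapped = {"name": "Swapped", "length": len(KNOWN_SAMPLE), "c1": c2, "c2": c1}
    return LengthKeyedScanner([swapped]).scan(KNOWN_SAMPLE) is None


if __name__ == "__main__":
    print(demo())
    print("order enforced:", order_matters())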



Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •