
Thread: How BugHunter Works; for those interested.


  1. #1
    Andy Walker Guest

    Re: How BugHunter Works; for those interested.

    Dustin Cook wrote:

    >Andy Walker <awalker@nspank.invalid> wrote in news:46b3eafd.12865171
    >@news.webtv.com:
    >
    >> Dustin Cook wrote:
    >>
    >>> If you have any questions, I will
    >>>monitor this thread; you may respond here or in email.
    >>
    >> Ok, say I'm a malware writer and want to evade your program. It seems
    >> to me that all I have to do is pad a few kilobytes of garbage into my
    >> program and randomly modify the size every now and then. I could evade
    >> your program for a very long time under that scenario. Is that
    >> correct?
    >>
    >
    >That's correct. That's exactly why we can't detect them all. Thousands upon
    >thousands of similar variants, all written in HLL languages, so you have
    >to be very careful in IDing them.
    >
    >It's not a flaw alone to BugHunter per se, that's the same tricks used to
    >evade virus scanners too.

    I understand what you're saying, but some scanners take into account
    other metrics like the existence of certain registry keys, or even the
    structure of supporting files used as databases for the malware. A
    complete deconstruction of the offending malware *could* produce
    enough information to snare all its variants. Heh! but then who's got
    the time... ;-)
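    An added example, not from the thread or from BugHunter, of what the padding question above means for a file-based scanner: a signature keyed on file size or a whole-file hash changes as soon as garbage is appended, while a digest over only the PE section bodies (everything the section table points at, overlay excluded) does not. The one-section PE blob and every function name here are constructed for the demo; this covers only appended padding, since any change inside a section still alters the digest.

```python
import hashlib
import struct

def pe_section_digest(data: bytes) -> str:
    """SHA-256 over the raw bytes of every section in the PE section table; the overlay is ignored."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # 20-byte COFF file header
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                 # section table follows the optional header
    h = hashlib.sha256()
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData are at +16 and +20 of each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_ptr + raw_size > len(data):
            raise ValueError("section %d runs past end of file" % i)
        h.update(data[raw_ptr:raw_ptr + raw_size])
    return h.hexdigest()

def file_signature(data: bytes) -> dict:
    """Size and whole-file hash (both change with padding) beside the section-only digest."""
    return {"size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "section_sha256": pe_section_digest(data)}

def fields_surviving_overlay(data: bytes, overlay_len: int) -> dict:
    """Which fields still match after overlay_len zero bytes are appended (the size-padding trick)."""
    before = file_signature(data)
    after = file_signature(data + b"\0" * overlay_len)
    return {k: before[k] == after[k] for k in before}

def build_sample_pe(body: bytes) -> bytes:
    """Constructed, non-runnable PE-shaped blob with one section; not a real program."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)  # one section, no optional header
    raw_ptr = 64 + 4 + 20 + 40                   # section data directly after the section table
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(body), 0x1000,
                       len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + sect + body

SAMPLE = build_sample_pe(b"\xcc" * 32 + b"constructed sample section body")
if __name__ == "__main__":
    print(fields_surviving_overlay(SAMPLE, 4096))   # only section_sha256 survives
```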

  2. #2
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    Andy Walker <awalker@nspank.invalid> wrote in
    news:46b6205d.9107531@news.webtv.com:

    > Dustin Cook wrote:
    >
    >>Andy Walker <awalker@nspank.invalid> wrote in news:46b3eafd.12865171
    >>@news.webtv.com:
    >>
    >>> Dustin Cook wrote:
    >>>
    >>>> If you have any questions, I will
    >>>>monitor this thread; you may respond here or in email.
    >>>
    >>> Ok, say I'm a malware writer and want to evade your program. It
    >>> seems to me that all I have to do is pad a few kilobytes of garbage
    >>> into my program and randomly modify the size every now and then. I
    >>> could evade your program for a very long time under that scenario.
    >>> Is that correct?
    >>>
    >>
    >>That's correct. That's exactly why we can't detect them all. Thousands
    >>upon thousands of similar variants, all written in HLL languages, so
    >>you have to be very careful in IDing them.
    >>
    >>It's not a flaw alone to BugHunter per se, that's the same tricks used
    >>to evade virus scanners too.
    >
    > I understand what you're saying, but some scanners take into account
    > other metrics like the existence of certain registry keys, or even the
    > structure of supporting files used as databases for the malware. A
    > complete deconstruction of the offending malware *could* produce
    > enough information to snare all its variants. Heh! but then who's got
    > the time... ;-)
    >


    Alas.. another person who doesn't read the included documentation.. So
    here goes:

    http://bughunter.it-mate.co.uk/BUGFAQ.TXT

    "Q: Why does BugHunter detect so few compared to others?
    A: BugHunter *only* detects executables, and various vb, htm files.
    it doesn't detect registry keys, subkeys, cookies or urls stored
    in your favorites folder. As such, the amount of items BugHunter does
    detect is very small in comparison."



    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml


  3. #3
    kurt wismer Guest

    Re: How BugHunter Works; for those interested.

    Andy Walker wrote:
    [snip]
    > I understand what you're saying, but some scanners take into account
    > other metrics like the existence of certain registry keys, or even the
    > structure of supporting files used as databases for the malware. A
    > complete deconstruction of the offending malware *could* produce
    > enough information to snare all its variants. Heh! but then who's got
    > the time... ;-)


    a *complete* deconstruction of the malware (or any program, really)
    falls outside the realm of computability as it is reducible to the
    halting problem...

    bearing that in mind, there is technology that approaches complete
    deconstruction but it's not appropriate for productization because of
    the level of expertise required to validate the results or tweak/guide
    the process - it's usually used by av research labs to help automate the
    processing of malware samples...

    the more you dumb down the human requirements, the less complete the
    deconstruction and the closer you get to heuristics...

    --
    "it's not the right time to be sober
    now the idiots have taken over
    spreading like a social cancer,
    is there an answer?"

  4. #4
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    kurt wismer <kurtw@sympatico.ca> wrote in news:f931pn$r8m$1
    @registered.motzarella.org:

    > Andy Walker wrote:
    > [snip]
    >> I understand what you're saying, but some scanners take into account
    >> other metrics like the existence of certain registry keys, or even the
    >> structure of supporting files used as databases for the malware. A
    >> complete deconstruction of the offending malware *could* produce
    >> enough information to snare all its variants. Heh! but then who's got
    >> the time... ;-)
    >
    > a *complete* deconstruction of the malware (or any program, really)
    > falls outside the realm of computability as it is reducible to the
    > halting problem...


    Again, I want to thank you for stepping in and explaining the obvious.
    BugHunter is not the only program which can be defeated using the tricks
    Andy specified.


    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml


  5. #5
    Andy Walker Guest

    Re: How BugHunter Works; for those interested.

    Dustin Cook wrote:

    >BugHunter is not the only program which can be defeated using the tricks
    >Andy specified.


    And there are many programs that aren't as easy to defeat. I don't
    need a lesson from any of you on how to defeat anti-malware programs.
    I was just asking the question because you seemed to want to discuss
    your program's capabilities, which are not all that impressive. That
    said, I'm sure some people can use your program to help them clean
    their system. I just don't see a commercial use for it in its present
    state of development.

  6. #6
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    Andy Walker <awalker@nspank.invalid> wrote in news:46b61682.17853734
    @news.webtv.com:

    > Dustin Cook wrote:
    >
    >>BugHunter is not the only program which can be defeated using the tricks
    >>Andy specified.
    >
    > And there are many programs that aren't as easy to defeat. I don't
    > need a lesson from any of you on how to defeat anti-malware programs.



    Well, Andy, I wasn't trying to give you a lesson. So I suppose it's great
    that you don't need one. As far as easy to beat is concerned, any program
    can be beaten, and none of them are immune from a targeted attack. I of
    all people should know, I used to write such junk.

    BugHunter isn't any harder/easier to evade than spybot, adaware and
    various other programs are. The fact you think they are somehow magically
    immune from what you propose for an attack only shows how ignorant you
    actually are on the subject, so maybe you do need a lesson or two after
    all.

    > I was just asking the question because you seemed to want to discuss
    > your program's capabilities, which are not all that impressive. That


    My program doesn't have any less/more capabilities than most other file
    based removal tools. It targets known files and lets you remove them if
    you'd like. That's all I've said it does, and that's exactly what it
    does. Whether or not this impresses you really doesn't concern me.

    And despite what you might think, it does a reasonably good job of it
    too! And you don't have to take my word for it.

    > said, I'm sure some people can use your program to help them clean
    > their system. I just don't see a commercial use for it in its present
    > state of development.


    I know for a fact it's used to clean systems, in commercial and
    non-commercial environments. People more knowledgeable than yourself on
    the subject don't seem to share your opinions.


    Did you think I was trying to advertise it or something? Do you think I
    wrote BugHunter to make money? If so, here's a short history lesson for
    you. BugHunter was released almost 3 years ago for general use. In that
    time, for the last 3 months a donate button has appeared on my site.
    Obviously, money isn't the goal and never was. BugHunter doesn't mention
    ANY donation options, doesn't beg you for anything, doesn't suggest or
    otherwise mention paying for it. It's a completely free program which I
    and many others think serves a useful purpose.

    I'll take your opinions under consideration.



    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml


  7. #7
    Andy Walker Guest

    Re: How BugHunter Works; for those interested.

    Dustin Cook wrote:

    >I'll take your opinions under consideration.


    I doubt very much that your arrogance would allow that.

    Back to the bozo bin you go.

  8. #8
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    Andy Walker <awalker@nspank.invalid> wrote in news:46b620f0.20523234
    @news.webtv.com:

    > Dustin Cook wrote:
    >
    >>I'll take your opinions under consideration.
    >
    > I doubt very much that your arrogance would allow that.


    I didn't think this was really about BugHunter...

    > Back to the bozo bin you go.


    I'm not insulted in the least Andy. Thanks.




    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml


  9. #9
    Franklin Guest

    Re: How BugHunter Works; for those interested.

    On 05 Aug 20:01, Dustin Cook
    <spamfilterineffect.see.sig@nowhere.com> wrote:

    > Did you think I was trying to advertise it or something? Do you
    > think I wrote BugHunter to make money? If so, heres a short history
    > lesson for you. BugHunter was released almost 3 years ago for
    > general use, In that time, for the last 3 months a donate button
    > has appeared on my site. Obviously, money isn't the goal and never
    > was. BugHunter doesn't mention ANY donation options, doesn't beg
    > you for anything, doesn't suggest or otherwise mention paying for
    > it. It's a completely free program which I and many others think
    > serves a useful purpose.



    Thank you for making such a program available. It is this ethos which
    helps sustain the availability of freeware.

    Good luck.

    F

  10. #10
    kurt wismer Guest

    Re: How BugHunter Works; for those interested.

    Andy Walker wrote:
    > Dustin Cook wrote:
    >
    >> BugHunter is not the only program which can be defeated using the tricks
    >> Andy specified.
    >
    > And there are many programs that aren't as easy to defeat. I don't
    > need a lesson from any of you on how to defeat anti-malware programs.


    you seem to have an agenda here... the weakness you pointed out is
    shared by most anti-malware programs... only behaviour-based detectors
    would be resistant to it...

    > I was just asking the question because you seemed to want to discuss
    > your program's capabilities, which are not all that impressive.


    compared to those that have tens or hundreds of thousands of man-hours
    worth of development in them, i suppose not...

    > That
    > said, I'm sure some people can use your program to help them clean
    > their system. I just don't see a commercial use for it in its present
    > state of development.


    then it's a good thing it's free...

    --
    "it's not the right time to be sober
    now the idiots have taken over
    spreading like a social cancer,
    is there an answer?"
