Detecting Remote Administration Trojans Through Dynamic Analysis Using Finite-State Machines

Total Page:16

File Type:pdf, Size:1020Kb

Detecting Remote Administration Trojans Through Dynamic Analysis Using Finite-State Machines Detecting Remote Administration Trojans through Dynamic Analysis using Finite-State Machines Kjetil Tangen Gardåsen Master’s Thesis Master of Science in Information Security 30 ECTS Department of Computer Science and Media Technology Gjøvik University College, 2014 Avdeling for informatikk og medieteknikk Høgskolen i Gjøvik Postboks 191 2802 Gjøvik Department of Computer Science and Media Technology Gjøvik University College Box 191 N-2802 Gjøvik Norway Detecting Remote Administration Trojans through Dynamic Analysis using Finite-State Machines Abstract In this master’s thesis we show how we can use the Application Programming Interface (API) calls a program makes to detect if it is a Remote Administration Trojan (RAT) or not. We have looked at which API calls that are performed when the webcam, microphone and keylogger are used by a program, and we use this information to determine if a program can be considered to be spying on its user by covertly capturing information from any of these sources. In addition, we have looked at the network traffic as seen through the API calls of the examined RAT, and we use this to better pinpoint which RAT that is present on the system. To distinguish a RAT from a program with similar behavior (e.g. video chat vs. webcam spy- ing) we have used user interaction with the program as a discriminator for whether or not it is malicious, with our theory being that a program such as a video chat program would interact with the user and have a user interface, while a RAT would not and would instead attempt to stay hidden. By observation we show that this is what is happening in real-life scenarios, and that the RATs do not interact with the user or provide a user interface. We have subsequently modeled the API calls that denote the various forms of behavior and user interaction as finite-state machines that can be used to detect whether or not a RAT is present on the system and what it is doing. ii Detecting Remote Administration Trojans through Dynamic Analysis using Finite-State Machines Sammendrag I denne masteroppgaven viser vi hvordan vi kan bruke Application Programming Interface (API) kallene et program utfører for å oppdage om det er en Remote Administration Trojan (RAT) eller ikke. Vi har undersøkt hvilke API-kall som blir gjort når webkamera, mikrofon og tastaturet brukes av et program, og vi bruker denne informasjonen til å finne ut av om et program spionerer på brukeren via noen av disse grensesnittene eller ikke. I tillegg har vi sett på nettverkstrafikken via API-kallene som den undersøkte RATen utførerer, og vi bruker denne informasjon til å mer nøyaktig finne ut hvilken RAT som befinner seg på systemet. For å skille en RAT fra et program med lignende oppførsel (f.eks. video chat og wekamera- spionering) har vi brukt interaksjon med brukeren som et skille på hvorvidt programmet er skadelig eller ikke, hvor teorien vår har vært at et program som video chaten vil samhandle med brukeren og dermed ha et brukergrensesnitt, mens en RAT ikke vil det og heller forsøker å holde seg skjult. Ved observasjon har vi vist at det er dette som skjer, og at RATene ikke samhandler med brukeren eller har noe brukergrensesnitt. Vi har til slutt modellert API-kallene som brukes for de forskjellige typene oppførsel og bruker- samhandling som tilstandsmakiner som kan brukes til å oppdage om en RAT finnes på systemet og hva den driver med. iii Detecting Remote Administration Trojans through Dynamic Analysis using Finite-State Machines Acknowledgments I would like to thank my supervisor Lasse Øverlier for all the insightful help and guidance he has given me throughout the thesis. My dear friends André, Eirik, Espen and Ola have my eternal gratitude for enduring all the relevant academic and non-relevant academic discussions we have had during this thesis. I would also like to thank my colleagues at Nets who have been very sup- portive and provided me with encouragement along the way. Lasse Halaas and FLO/IKT deserves a thank-you for steering me onto this topic and their helpful sparring on related topics. And last, but not least, I want to thank my parents and sister for their everlasting love and support. iv Detecting Remote Administration Trojans through Dynamic Analysis using Finite-State Machines Glossary • RAT - Remote Administration Trojan/Tool • FSM - Finite-State Machine • IDS - Intrusion Detection System • SSDT - System Service Descriptor Table • IAT - Import Address Table • FUD - Fully Undetectable • DDoS - Distributed Denial of Service v Detecting Remote Administration Trojans through Dynamic Analysis using Finite-State Machines Contents Abstract .............................................. ii Sammendrag ........................................... iii Acknowledgments ........................................ iv Glossary ............................................. v Contents ............................................. vi List of Figures .......................................... ix List of Tables ........................................... xi 1 Introduction ......................................... 1 1.1 Topics Covered by the Project . .3 1.2 Keywords . .4 1.3 Problem description . .4 1.4 Justification, Motivation and Benefits . .5 1.5 Research Questions . .5 1.6 Contributions . .6 2 Background ......................................... 7 2.1 What is a RAT? . .7 2.1.1 Backdoors and Zombies . .7 2.1.2 Trojan Horses . .7 2.1.3 Spyware . .8 2.1.4 Summary . .9 2.2 A Brief History . .9 2.2.1 Back Orifice and Back Orifice 2000 . .9 2.2.2 Poison Ivy . 10 2.2.3 Today . 10 2.3 Detection Mechanisms . 10 2.3.1 Static Anti-Virus Detection . 10 2.3.2 Dynamic Anti-Virus Detection . 11 2.3.3 Properties . 12 2.3.4 Intrusion Detection Systems . 13 2.4 Technical Details . 13 2.4.1 User and Kernel Mode . 14 2.4.2 System Calls . 14 2.4.3 API calls . 14 2.4.4 Hooks . 15 2.4.5 Summary . 17 2.4.6 Obfuscation . 17 vi Detecting Remote Administration Trojans through Dynamic Analysis using Finite-State Machines 2.4.7 Summary . 19 2.5 Finite State Machines . 19 2.5.1 Finite-State Machine with Output . 20 2.5.2 Finite-State Machine without Output . 20 2.5.3 Using Finite-State Machines to Detect Malicious Behavior . 20 3 Related Work ......................................... 21 3.1 API Call Monitoring . 21 3.2 Signatures . 22 3.3 Policy . 23 3.4 Graphs . 23 3.5 Similarity Classification . 23 3.6 Identification of Dangerous API Calls . 24 3.7 Behavior Classification . 25 3.8 Finite-State Machines . 26 4 Methodology ......................................... 28 4.1 Rationale for Testing . 28 4.2 Test Setup . 28 4.2.1 Experiments . 31 5 Analysis ............................................ 33 5.1 DarkComet . 33 5.1.1 Webcam . 34 5.1.2 Audio Capture . 34 5.1.3 Keylogging . 35 5.1.4 Network Traffic . 35 5.2 njRAT . 38 5.2.1 Webcam . 39 5.2.2 Microphone . 39 5.2.3 Keylogger . 40 5.2.4 Network Traffic . 40 5.2.5 The Future . 43 5.3 jRAT . 44 5.3.1 Microphone . 44 5.3.2 Network Traffic . 44 5.4 jSpy . 46 5.4.1 Webcam . 46 5.4.2 Microphone . 46 5.4.3 Keylogger . 46 5.4.4 Network Traffic . 47 5.5 Cloud Net . 48 5.5.1 Webcam . 48 5.5.2 Microphone . 48 5.5.3 Keylogger . 48 vii Detecting Remote Administration Trojans through Dynamic Analysis using Finite-State Machines 5.5.4 Network Traffic . 48 5.6 LuxNET . 51 5.6.1 Webcam . 51 5.6.2 Microphone . 51 5.6.3 Keylogger . 51 5.6.4 Network Traffic . 51 5.7 Skype . ..
Recommended publications
  • La Sécurité Informatique Edition Livres Pour Tous (
    La sécurité informatique Edition Livres pour tous (www.livrespourtous.com) PDF générés en utilisant l’atelier en source ouvert « mwlib ». Voir http://code.pediapress.com/ pour plus d’informations. PDF generated at: Sat, 13 Jul 2013 18:26:11 UTC Contenus Articles 1-Principes généraux 1 Sécurité de l'information 1 Sécurité des systèmes d'information 2 Insécurité du système d'information 12 Politique de sécurité du système d'information 17 Vulnérabilité (informatique) 21 Identité numérique (Internet) 24 2-Attaque, fraude, analyse et cryptanalyse 31 2.1-Application 32 Exploit (informatique) 32 Dépassement de tampon 34 Rétroingénierie 40 Shellcode 44 2.2-Réseau 47 Attaque de l'homme du milieu 47 Attaque de Mitnick 50 Attaque par rebond 54 Balayage de port 55 Attaque par déni de service 57 Empoisonnement du cache DNS 66 Pharming 69 Prise d'empreinte de la pile TCP/IP 70 Usurpation d'adresse IP 71 Wardriving 73 2.3-Système 74 Écran bleu de la mort 74 Fork bomb 82 2.4-Mot de passe 85 Attaque par dictionnaire 85 Attaque par force brute 87 2.5-Site web 90 Cross-site scripting 90 Défacement 93 2.6-Spam/Fishing 95 Bombardement Google 95 Fraude 4-1-9 99 Hameçonnage 102 2.7-Cloud Computing 106 Sécurité du cloud 106 3-Logiciel malveillant 114 Logiciel malveillant 114 Virus informatique 120 Ver informatique 125 Cheval de Troie (informatique) 129 Hacktool 131 Logiciel espion 132 Rootkit 134 Porte dérobée 145 Composeur (logiciel) 149 Charge utile 150 Fichier de test Eicar 151 Virus de boot 152 4-Concepts et mécanismes de sécurité 153 Authentification forte
    [Show full text]
  • Netcat and Trojans/Backdoors
    Netcat and Trojans/Backdoors ECE4883 – Internetwork Security 1 Agenda Overview • Netcat • Trojans/Backdoors ECE 4883 - Internetwork Security 2 Agenda Netcat • Netcat ! Overview ! Major Features ! Installation and Configuration ! Possible Uses • Netcat Defenses • Summary ECE 4883 - Internetwork Security 3 Netcat – TCP/IP Swiss Army Knife • Reads and Writes data across the network using TCP/UDP connections • Feature-rich network debugging and exploration tool • Part of the Red Hat Power Tools collection and comes standard on SuSE Linux, Debian Linux, NetBSD and OpenBSD distributions. • UNIX and Windows versions available at: http://www.atstake.com/research/tools/network_utilities/ ECE 4883 - Internetwork Security 4 Netcat • Designed to be a reliable “back-end” tool – to be used directly or easily driven by other programs/scripts • Very powerful in combination with scripting languages (eg. Perl) “If you were on a desert island, Netcat would be your tool of choice!” - Ed Skoudis ECE 4883 - Internetwork Security 5 Netcat – Major Features • Outbound or inbound connections • TCP or UDP, to or from any ports • Full DNS forward/reverse checking, with appropriate warnings • Ability to use any local source port • Ability to use any locally-configured network source address • Built-in port-scanning capabilities, with randomizer ECE 4883 - Internetwork Security 6 Netcat – Major Features (contd) • Built-in loose source-routing capability • Can read command line arguments from standard input • Slow-send mode, one line every N seconds • Hex dump of transmitted and received data • Optional ability to let another program service established connections • Optional telnet-options responder ECE 4883 - Internetwork Security 7 Netcat (called ‘nc’) • Can run in client/server mode • Default mode – client • Same executable for both modes • client mode nc [dest] [port_no_to_connect_to] • listen mode (-l option) nc –l –p [port_no_to_connect_to] ECE 4883 - Internetwork Security 8 Netcat – Client mode Computer with netcat in Client mode 1.
    [Show full text]
  • Pest Control: Taming the Rats
    RESEARCH pest control: taming the rats Authors Remote Administration Tools (RATs) allow a Shawn Denbow remote attacker to control and access the Twitter: @sdenbow_ system. In this paper, we present our analysis of Email: [email protected] their protocols, explain how to decrypt their Jesse Hertz traffic, as well as present vulnerabilities we have Twitter: @hectohertz found. Email: [email protected] Introduction As 2012 Matasano summer interns, we were tasked with running a research project with a couple criteria: • It should be something we are both interested in. • We should be able to present our research for the company at the end of our internship. However, on completion, we decided that it would be best if we made our findings public. With John Villamil, our advisor, we decided that given our interest in low-level analysis, we should analyze Remote Administration Tools (RATs). RATs have recently seen media attention due to their use by oppressive governments in spying on activists and other “dissidents”. We felt this to be a perfect project. Remote Administration Tools are pieces of software which, once installed on a victim’s computer allow a remote user to control and access the system. RATs can be used legitimately by system administrators, or they can be used maliciously. There are a variety of methods by which they are installed on a computer: Various social engineering tactics can be employed to get a user to open the executable, they can be bundled with other pieces of software, they can be installed as the payload of a virus or worm, or they can be installed after an attacker gains access to a system through an exploit.
    [Show full text]
  • Major Qualifying Project
    Network Anomaly Detection Utilizing Robust Principal Component Analysis Major Qualifying Project Advisors: PROFESSORS LANE HARRISON,RANDY PAFFENROTH Written By: AURA VELARDE RAMIREZ ERIK SOLA PLEITEZ A Major Qualifying Project WORCESTER POLYTECHNIC INSTITUTE Submitted to the Faculty of the Worcester Polytechnic Institute in partial fulfillment of the requirements for the Degree of Bachelor of Science in Computer Science. AUGUST 24, 2017 - MARCH 2, 2018 ABSTRACT n this Major Qualifying Project, we focus on the development of a visualization-enabled anomaly detection system. We examine the 2011 VAST dataset challenge to efficiently Igenerate meaningful features and apply Robust Principal Component Analysis (RPCA) to detect any data points estimated to be anomalous. This is done through an infrastructure that promotes the closing of the loop from feature generation to anomaly detection through RPCA. We enable our user to choose subsets of the data through a web application and learn through visualization systems where problems are within their chosen local data slice. In this report, we explore both feature engineering techniques along with optimizing RPCA which ultimately lead to a generalized approach for detecting anomalies within a defined network architecture. i TABLE OF CONTENTS Page List of Tables v List of Figures vii 1 Introduction 1 1.1 Introduction .......................................... 1 2 VAST Dataset Challenge3 2.1 2011 VAST Dataset...................................... 3 2.2 Attacks in the VAST Dataset ................................ 6 2.3 Avoiding Data Snooping ................................... 7 2.4 Previous Work......................................... 8 3 Anomalies in Cyber Security9 3.1 Anomaly detection methods................................. 9 4 Feature Engineering 12 4.1 Feature Engineering Process ................................ 12 4.2 Feature Selection For a Dataset..............................
    [Show full text]
  • Ncircle IP360
    VULNERABILITY MANAGEMENT TECHNOLOGY REPORT nCircle IP360 OCTOBER 2006 www.westcoastlabs.org 2 VULNERABILITY MANAGEMENT TECHNOLOGY REPORT CONTENTS nCircle IP360 nCircle, 101 Second Street, Suite 400, San Francisco, CA 94105 Phone: +1 (415) 625 5900 • Fax: +1 (415) 625 5982 Test Environment and Network ................................................................3 Test Reports and Assessments ................................................................4 Checkmark Certification – Standard and Premium ....................................5 Vulnerabilities..........................................................................................6 West Coast Labs Vulnerabilities Classification ..........................................7 The Product ............................................................................................8 Developments in the IP360 Technology ....................................................9 Test Report ............................................................................................10 Test Results ............................................................................................17 West Coast Labs Conclusion....................................................................18 Security Features Buyers Guide ..............................................................19 West Coast Labs, William Knox House, Britannic Way, Llandarcy, Swansea, SA10 6EL, UK. Tel : +44 1792 324000, Fax : +44 1792 324001. www.westcoastlabs.org VULNERABILITY MANAGEMENT TECHNOLOGY REPORT 3 TEST ENVIRONMENT
    [Show full text]
  • Adwind a Cross Platform
    ADWIND A CROSSPLATFORM RAT REPORT ON THE INVESTIGATION INTO THE MALWAREASASERVICE PLATFORM AND ITS TARGETED ATTACKS Vitaly Kamluk, Alexander Gostev February 2016 V. 3.0 #TheSAS2016 #Adwind CONTENTS Executive summary ..................................................................................................... 4 The history of Adwind ................................................................................................ 5 Frutas RAT ................................................................................................................. 5 The Adwind RAT ..................................................................................................... 11 UNRECOM ................................................................................................................ 17 AlienSpy ..................................................................................................................... 24 The latest reincarnation of the malware ............................................................. 28 JSocket.org: malware-as-a-service ................................................................. 28 Registration .............................................................................................................. 29 Online malware shop ........................................................................................... 30 YouTube channel .................................................................................................... 32 Profitability ..............................................................................................................
    [Show full text]
  • List of TCP and UDP Port Numbers from Wikipedia, the Free Encyclopedia
    List of TCP and UDP port numbers From Wikipedia, the free encyclopedia This is a list of Internet socket port numbers used by protocols of the transport layer of the Internet Protocol Suite for the establishment of host-to-host connectivity. Originally, port numbers were used by the Network Control Program (NCP) in the ARPANET for which two ports were required for half- duplex transmission. Later, the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) needed only one port for full- duplex, bidirectional traffic. The even-numbered ports were not used, and this resulted in some even numbers in the well-known port number /etc/services, a service name range being unassigned. The Stream Control Transmission Protocol database file on Unix-like operating (SCTP) and the Datagram Congestion Control Protocol (DCCP) also systems.[1][2][3][4] use port numbers. They usually use port numbers that match the services of the corresponding TCP or UDP implementation, if they exist. The Internet Assigned Numbers Authority (IANA) is responsible for maintaining the official assignments of port numbers for specific uses.[5] However, many unofficial uses of both well-known and registered port numbers occur in practice. Contents 1 Table legend 2 Well-known ports 3 Registered ports 4 Dynamic, private or ephemeral ports 5 See also 6 References 7 External links Table legend Official: Port is registered with IANA for the application.[5] Unofficial: Port is not registered with IANA for the application. Multiple use: Multiple applications are known to use this port. Well-known ports The port numbers in the range from 0 to 1023 are the well-known ports or system ports.[6] They are used by system processes that provide widely used types of network services.
    [Show full text]
  • How to Cheat at Configuring Open Source Security Tools
    436_XSS_FM.qxd 4/20/07 1:18 PM Page ii 441_HTC_OS_FM.qxd 4/12/07 1:32 PM Page i Visit us at www.syngress.com Syngress is committed to publishing high-quality books for IT Professionals and deliv- ering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional mate- rials available from our Web site. SOLUTIONS WEB SITE To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you may find an assortment of value- added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s). ULTIMATE CDs Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few. DOWNLOADABLE E-BOOKS For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably. SYNGRESS OUTLET Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings. SITE LICENSING Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations.
    [Show full text]
  • HTTP: IIS "Propfind" Rem HTTP:IIS:PROPFIND Minor Medium
    HTTP: IIS "propfind"HTTP:IIS:PROPFIND RemoteMinor DoS medium CVE-2003-0226 7735 HTTP: IkonboardHTTP:CGI:IKONBOARD-BADCOOKIE IllegalMinor Cookie Languagemedium 7361 HTTP: WindowsHTTP:IIS:NSIISLOG-OF Media CriticalServices NSIISlog.DLLcritical BufferCVE-2003-0349 Overflow 8035 MS-RPC: DCOMMS-RPC:DCOM:EXPLOIT ExploitCritical critical CVE-2003-0352 8205 HTTP: WinHelp32.exeHTTP:STC:WINHELP32-OF2 RemoteMinor Buffermedium Overrun CVE-2002-0823(2) 4857 TROJAN: BackTROJAN:BACKORIFICE:BO2K-CONNECT Orifice 2000Major Client Connectionhigh CVE-1999-0660 1648 HTTP: FrontpageHTTP:FRONTPAGE:FP30REG.DLL-OF fp30reg.dllCritical Overflowcritical CVE-2003-0822 9007 SCAN: IIS EnumerationSCAN:II:IIS-ISAPI-ENUMInfo info P2P: DC: DirectP2P:DC:HUB-LOGIN ConnectInfo Plus Plus Clientinfo Hub Login TROJAN: AOLTROJAN:MISC:AOLADMIN-SRV-RESP Admin ServerMajor Responsehigh CVE-1999-0660 TROJAN: DigitalTROJAN:MISC:ROOTBEER-CLIENT RootbeerMinor Client Connectmedium CVE-1999-0660 HTTP: OfficeHTTP:STC:DL:OFFICEART-PROP Art PropertyMajor Table Bufferhigh OverflowCVE-2009-2528 36650 HTTP: AXIS CommunicationsHTTP:STC:ACTIVEX:AXIS-CAMERAMajor Camerahigh Control (AxisCamControl.ocx)CVE-2008-5260 33408 Unsafe ActiveX Control LDAP: IpswitchLDAP:OVERFLOW:IMAIL-ASN1 IMail LDAPMajor Daemonhigh Remote BufferCVE-2004-0297 Overflow 9682 HTTP: AnyformHTTP:CGI:ANYFORM-SEMICOLON SemicolonMajor high CVE-1999-0066 719 HTTP: Mini HTTP:CGI:W3-MSQL-FILE-DISCLSRSQL w3-msqlMinor File View mediumDisclosure CVE-2000-0012 898 HTTP: IIS MFCHTTP:IIS:MFC-EXT-OF ISAPI FrameworkMajor Overflowhigh (via
    [Show full text]
  • Growth and Commoditization of Remote Access Trojans
    30 September - 2 October, 2020 / vblocalhost.com GROWTH AND COMMODITIZATION OF REMOTE ACCESS TROJANS Veronica Valeros & Sebastian García Czech Technical University in Prague, Czech Republic [email protected] [email protected] www.virusbulletin.com GROWTH AND COMMODITIZATION OF REMOTE ACCESS TROJANS VALEROS & GARCÍA ABSTRACT Remote access trojans (RATs) are an intrinsic part of traditional cybercriminal activities, and they have also become a standard tool in advanced espionage attacks and scams. There have been significant changes in the cybercrime world in terms of organization, attacks and tools in the last three decades, however, the overly specialized research on RATs has led to a seeming lack of understanding of how RATs in particular have evolved as a phenomenon. The lack of generalist research hinders the understanding and development of new techniques and methods to better detect them. This work presents the first results of a long-term research project looking at remote access trojans. Through an extensive methodological process of collection of families of RATs, we are able to present an analysis of the growth of RATs in the last 30 years. Through a closer analysis of 11 selected RATs, we discuss how they have become a commodity in the last decade. Finally, through the collected information we attempt to characterize RATs, their victims, attacks and operators. Preliminary results of our ongoing research have shown that the number of RATs has increased drastically in the past ten years and that nowadays RATs have become standardized commodity products that are not very different from each other. INTRODUCTION Remote access software is a type of computer program that allows an individual to have full remote control of the device on which the software is installed.
    [Show full text]
  • A Toolkit for Detecting and Analyzing Malicious Software
    A Toolkit for Detecting and Analyzing Malicious Software Michael Weber, Matthew Schmid & Michael Schatz David Geyer Cigital, Inc. [email protected] Dulles, VA 20166 g fmweber, mschmid, mschatz @cigital.com Abstract the virus or Trojan horse performs malicious actions unbe- knownst to the user. These programs often propagate while In this paper we present PEAT: The Portable Executable attached to games or other enticing executables. Analysis Toolkit. It is a software prototype designed to pro- Malicious programmers have demonstrated their cre- vide a selection of tools that an analyst may use in order ativity by developing a great number of techniques through to examine structural aspects of a Windows Portable Ex- which malware can be attached to a benign host. Several ecutable (PE) file, with the goal of determining whether insertion methods are common, including appending new malicious code has been inserted into an application af- sections to an executable, appending the malicious code ter compilation. These tools rely on structural features of to the last section of the host, or finding an unused region executables that are likely to indicate the presence of in- of bytes within the host and writing the malicious content serted malicious code. The underlying premise is that typi- there. A less elegant but effective insertion method is to cal application programs are compiled into one binary, ho- simply overwrite parts of the host application. mogeneous from beginning to end with respect to certain Given the myriad ways malicious software can attach to structural features; any disruption of this homogeneity is a benign host it is often a time-consuming process to even a strong indicator that the binary has been tampered with.
    [Show full text]
  • Regrun? Regrun Is an Excellent Tool Kit for Protecting Your Computer Against Viruses Or Trojans/Spyware/ Adware Parasites Or Rootkits
    What is RegRun? RegRun is an excellent tool kit for protecting your computer against viruses or Trojans/Spyware/ Adware parasites or Rootkits. The RegRun uses the newest technology in the world. Fight with the bad guys by the most powerful weapon. What you should know about RegRun? RegRun is not an antivirus in a common sense. It does not scan your disk and detect/cure using signature database. There are a lot of antiviral programs that you can choose. RegRun checks all Windows startup holes and it can detect and remove any UNKNOWN virus. The modern viruses spreads to the millions computers in the world for a pair days. First, a virus kills an antivirus and disables a way to update the antiviral databases. RegRun prevents a virus auto start. Later you can clean your computer by antivirus to remove virus according files and registry records. RegRun resolves three main tasks: 1. Makes backups of the registry and important files. Restores a computer even if it does not boot. 2. Detects a virus in your computer. 3. Removes a virus from your computer. Hope you enjoy it! Who needs RegRun? If you are a user who is exposed to sources of viruses and Trojans (e.g. you are an Internet surfer, E-mail recipient, one who buys "safe" software on CD's, or one who receives data on floppy disks), or if you are an experienced user who needs to adjust your startup configuration as a function of testing and debugging new software, you need RegRun. RegRun is the best choice for users who wants to get maximum security, for power users and computer professionals.
    [Show full text]