It is a good idea for scanners to completely ignore
extensions and determine filetypes by their internal structure - but
this adds too much scanning time I suppose.
Are you visiting Neverland? That file REALLY IS a trojan.
And A2 confirmed
that. And it's detection
seems to have been triggered by some I/O to c:\null from left field. Maybe
something penetrated my Belkin wireless router and then ZA?
OR maybe
somebody close has broken my 26 hex char WEP key and come in that way. OR
maybe there is still some undetected infection that happened to trigger at
that moment the spawning of the real trojan c:\null.
Ron Reaugh said:Are you visiting Neverland? That file REALLY IS a trojan. And A2 confirmed
that.
And it's detection
seems to have been triggered by some I/O to c:\null from left field.
Maybe
something penetrated my Belkin wireless router and then ZA? OR maybe
somebody close has broken my 26 hex char WEP key and come in that way. OR
maybe there is still some undetected infection that happened to trigger at
that moment the spawning of the real trojan c:\null.
Roger Wilco said:[...]
That file may be a malware related file, but it itself is not malware
(it is not executable and as such is not a threat) and any scanner that
detects it as such is wrong (but some would do so purposefully to get
better scores in AV comparative tests - like detecting boot sector
viruses in "files" like .bak backup files..
The only way it could be
executable is if it is an OLE2 filetype (.doc) that has been renamed
extensionless. It is a good idea for scanners to completely ignore
extensions and determine filetypes by their internal structure - but
this adds too much scanning time I suppose.
kurt wismer said:Ron Reaugh wrote:
[snip the rest of the integrity checker discussion]A url or two please.
google on "integrity checker" and you'll find plenty... back in the day
(before windows) i rather liked integrity master and advanced disk
infoscope... i just did a status check on them (i *neglect* to use
integrity checkers myself, but there are mitigating circumstances there)
and although integrity master doesn't seem to be handling current file
systems all that cleanly, adinf (http://www.adinf.com) seems to have
been kept sufficiently up to date to be usable on xp...
seems to have been triggered by some I/O to c:\null from left field. Maybe
something penetrated my Belkin wireless router and then ZA? OR maybe
somebody close has broken my 26 hex char WEP key and come in that way. OR
maybe there is still some undetected infection that happened to trigger at
that moment the spawning of the real trojan c:\null.
What prevented Integrity Master, and checkers in the same category (e.g. CRC,
MD5, etc.), from becoming widely used in AV, are the following reasons:
1. Plain integrity ("plain" here refers to the processing of the entire file,
not to the method used) is useless for AV purposes as it's unable to
discriminate between legitimate changes and malware related changes.
2. Integrity records obtained by IM and its likes were useless in restoring
modified objects to their original state. This last capability is now less
important due to the complexity in restoring 32 bit objects from an "integrity
signature" (the size of the signature required for that is prohibitively large),
but was cardinal in the days of DOS.
Zvi Netiv said:A quick and partial analysis of the "NULL" sample yields interesting findings:
Although the file has the structure of a 32 bit executable, it isn't one
and
won't execute even if assigned an executable extension (.exe for that matter).
Relevance?
This confirms my previous statement that the detection as Qdown.s or whatever
ARE false alarms!
Digging in the sample code reveals that the use of the NULL file name is
deliberate.
The code
also suggests that the NULL file may be renamed at some
stage through the Wininit procedure, probably to QDOWAS2.DLL. What's clear
beyond doubt is that NULL per se isn't a Trojan.
For the sake of completeness, I suggest that you look with Notepad in your
%Windir%\WININIT.BAK file (it contains a backup of the last instructions
executed by Wininit.exe). If your NULL file was involved in the installation of
anything through Wininit, then you will find there traces in Wininit.bak of what
it did, in plain text. The time and date of Wininit.bak will also tell when
this happened.
I also suggest that you search for a file named Qdowas2.dll, just in case.
[...]c:\null is still there. Today AVG updated and nothing happened. I'm
assuming therefore that in the original incident that some I/O did occur to
c:\null and that I/O was from out of left field. Nothing was supposed to be
doing that.
You are asking the wrong questions and looking in the wrong places for answers.
For starters, on-access AV aren't supposed to check non-executable files, even
if they have an executable structure! Doing so would yield excessive false
alarms (just demonstrated!) and would slow down processing considerably.
If curious what drops the NULL file on your drive
Roger Wilco said:That file may be a malware related file, but it itself is not malware
(it is not executable
and as such is not a threat) and any scanner that
detects it as such is wrong
Roger Wilco said:It really is "detected" as a trojan - doesn't mean it is one. How can
you execute it as is?
It may be something that can be made executable
(Qbasic/run c:\null if it were a qbasic program) but as is what harm is
it? Do you want a program that detects everything that can be made into
something threatening? Text files (like the QBASIC program)? This post
maybe?
Zvi Netiv said:Relax, the file isn't a real Trojan nor a Trojan at all (just code fragments of
what may have been part of anything else, like an installer, or attempted
malware) and it isn't the first time that several AV are in "agreement" on a
false positive, nor the last.
On-access AV intercept CreateFile calls in ring 0. Not every call initiates
file verification, only those with the "correct" parameters as set by the AV
designer (and sometimes by user option settings).
Viewing a directory by
Explorer, for example, is all that is needed to initiate the AV to check files
that display with their own icon,
as the file is opened by Explorer for reading
the icon resource.
Your on-access defense won't detect the uploading of anything, not even a "real"
virus or Trojan, in real time, when done from a remote PC. The reason is that
there is no meat to chew on for the AV at the time the destination file is
inspected. Here is what happens, step by step: A call to initiate a file
transfer is sent from remote. The local file system responds by creating a
local file and opens it for output. This is the cue for the AV to intervene,
take control and inspect the file just opened. Obviously, the AV will find
nothing as nothing was yet transferred. Control is then returned to the
interrupted process and the transfer will happily resume. If you asked yourself
how come that systems get infected under the nose of AV with the very last
definitions, then here is your answer.
IMO, the date AVG first flagged the NULL file
isn't the date that file was
created.
Lastly, the NULL file isn't benign from its content. But it isn't the real
thing either,
and you are tormenting yourself for no good reason, on a wild
goose chase.
Zvi Netiv said:Roger Wilco said:[...]
That file may be a malware related file, but it itself is not malware
(it is not executable and as such is not a threat) and any scanner that
detects it as such is wrong (but some would do so purposefully to get
better scores in AV comparative tests - like detecting boot sector
viruses in "files" like .bak backup files..
Based on the NULL sample inspection:
The file has a PE structure (Mark Zbikowsky's marker, 16 bit EXE stub, PE
extended header and sections) but it isn't directly executable.
Which doesn't
mean much as many non-executable objects used in Windows have that structure,
like font files, to mention one example.
It could be malware related, but it could be anything else just the same.
What prevented Integrity Master,
Today, *real-time* integrity monitoring is successfully implemented in
InVircible's Interceptor (see www.invircible.com/item/81 ).
Kevin Reiter said:WEP keys can be cracked in minutes now...
Just perform a forensics analysis on the drive and load another drive.
That (loading a new drive, not the analysis) would've taken less time than
all the back and forth flames and insults within this thread that haven't
really solved anything.
If you can duplicate it, then document it and contact some companies and
pass on the info. Examine the c:\null file yourself to see what the
content is, and then make your own call on what exactly it is, based on
the content (if possible.)
And Belkin routers aren't the world's greatest,
and neither is ZA as far
as firewalls go.
It's entirely possible that something managed to get
past both of them, especially if it was invited from the inside.
while the average joe may certainly prefer a magic bullet (and there are
plenty of examples of people expressing exactly that), i'm not about to
penalize a technology for failing to be a panacea - i'd rather penalize
a proponent of it for falsely leading users to believe it is a panacea...
YES!
plain integrity checkers are purely detective mechanisms... they do not
prevent and they do not restore, but they are (when used properly)
practically infallible at detecting change...
WHO SAYS? Where there's code there's a possible fire.
That assertion is highly suspect in this case.
Ron Reaugh said:-snip
I'm an earlier user of that.
I'm gonna have to take a look at that.
Roger Wilco said:Right - hence my QBASIC "text" file scenario. If I wrote a batchfile
that fed that textfile to the QBASIC interpreter, then the batchfile
would be the trojan threat - not the "text" file itself.
Sure, I
probably wouldn't want that textfile sitting around, but it is no more a
trojan than deltree.exe is when a deltree.bat trojan is found.
All files could be a threat - most program files undergo stages of
translation before ending up as an executable image. Even a PE file is
an admixture of code, data, and program control data for the loader to
use in building the executable image. Up until the point where tha user
is taken out of the loop (the remaining points in the path to execution
of the program are automated) the program is not a threat.
Once the
program is in a state where the next action taken by the user (invoking
the program) is the last action he need take - the program file is
usually termed "executable". Take a zipped (archive) file for instance -
it is not a threat, and there is no reason to scan it at this point; but
if Microsoft decided that users wanted to have double-click
functionality that automatically extracted files from an archive and
then automatically executed extracted program files named "install.exe"
or "setup.exe" then we would have to consider zipfiles as executables on
that system.
Your c:\null file still requires something more before it can become a
threat,
and so should not be detected as a threat.
NO!
A .doc file on the
other hand might be associated with Microsoft "Word" and the path to
execution of embedded macros is automated - so .doc files are
"executable" under this condition. Incidentally, it used to be the case
that OLE2 .doc files renamed to an extensionless filename (like NULL for
instance) would be recognized when invoked as OLE2 filetype and opened
in "Word" automatically running embedded macros. As long as the actual
file structure is not OLE2, then your file was not "executable" sans
extension.
Some WEP keys or most all WEP keys? By a competent hacker or only by the
NSA? What's better than WEP, not easily cracked, widely & robustly
implemented and easy to install/maintain? A 26 char hex key in minutes
seems like it'd take something with Blue in it's name.
James Egan said:Don't pay too much attention to the size of the key. You don't need to
know the wep key to decrypt a packet if you know the cipher stream
used to encrypt it. The initialisation vector used to generate cipher
streams is only 24 bits (16-17 million possible streams) and is sent
in the clear with the packet.
Hacking tools like airsnort http://airsnort.shmoo.com/faq.html collect
particular packets within these 16 million possibilities and can
deduce keys automatically.
These days WPA is the norm since WEP is so easy to break. Having said
that, there are enough wireless networks around running no encryption
at all to keep the hackers occupied. Why hack into yours when there
will be one around the corner that doesn't require any hacking?
Whether you can upgrade to WPA with your win9x kit depends on the
wireless equipment in use. With Linksys wireless cards, WEP is as good
as it gets without upgrading to winxp and using the built in wireless
support. Don't know about other hardware but certainly you should pay
a visit to the manufacturer's website to see if there's a WPA update
available.