IAMS - Initiative Against Malicious Scripts

Quartz101, on 24 January 2016 - 07:50 PM said:

We should make a public virus database, with known sha256 hashes of them posted, name of them, threat level, etc

1. all characters are converted to be lowercase
2. all spaces and newlines are removed
3. all comments are removed

MKlegoman357, on 24 January 2016 - 08:22 PM said:

May I suggest that before hashing the viruses programs would be a little stripped-out:

1. all characters are converted to be lowercase
2. all spaces and newlines are removed
3. all comments are removed

That way the database would be a little less sensitive to these small changes.

Mayushii, on 24 January 2016 - 08:23 PM said:

It'd be so easy to make a program that rewrites itself to circumvent that. Just rename variables repeatedly = win.

Mayushii, on 24 January 2016 - 08:22 PM said:

This thread feels a bit ridiculous, to be honest. Are CC "malware" an actual threat to anything?

3d6, on 24 January 2016 - 08:28 PM said:

The databases probably shouldn't be made public - at least not the signatures. Scanning should be done remotely over http - this would actually most likely be less time consuming than scanning locally in CC, considering the magnitude of the database.

Mayushii, on 24 January 2016 - 08:22 PM said:

This thread feels a bit ridiculous, to be honest. Are CC "malware" an actual threat to anything?

They've already proven to be a threat to krist holdings and other protocols with secret keys. Even command computers are susceptible to the "idiot op with a pastebin link" exploit.

wilcomega, on 24 January 2016 - 08:49 PM said:

Still the best way to protect yourself and your files is to run all programs in a protected environment, thats empty but its __INDEX = _G
this way it can use functions but not replace them

When doing this you can also just do a check on all file system operations to check if its only affecting files it created, and to make sure it doesnt change anything in the settings using the settings API

local g = getmetatable(getfenv()).__index
g.print = nil

H4X0RZ, on 24 January 2016 - 08:58 PM said:

wilcomega, on 24 January 2016 - 08:49 PM said:

Still the best way to protect yourself and your files is to run all programs in a protected environment, thats empty but its __INDEX = _G
this way it can use functions but not replace them

When doing this you can also just do a check on all file system operations to check if its only affecting files it created, and to make sure it doesnt change anything in the settings using the settings API

local g = getmetatable(getfenv()).__index
g.print = nil

envtop = { }
envrun = { }
realgetmt= getmetatable
newgetmt = function( ... )
	if { ... }[1] == envrun or { ... }[1] == envtop then return { } end
	return realgetmt( ... )
end
envrun.getmetatable = newgetmt
envrun._G = { }
setmetatable(envtop, { __INDEX = _G })
setmetatable(envrun, { __INDEX = envtop })

setfenv(codetorun, envrun)

wilcomega, on 24 January 2016 - 10:08 PM said:

H4X0RZ, on 24 January 2016 - 08:58 PM said:

wilcomega, on 24 January 2016 - 08:49 PM said:

Still the best way to protect yourself and your files is to run all programs in a protected environment, thats empty but its __INDEX = _G
this way it can use functions but not replace them

When doing this you can also just do a check on all file system operations to check if its only affecting files it created, and to make sure it doesnt change anything in the settings using the settings API

local g = getmetatable(getfenv()).__index
g.print = nil

envtop = { }
envrun = { }
realgetmenv = getmetatable
newgetmenv = function( ... )
	if { ... }[1] == envrun then return { } end
	return realgetenv( ... )
end
envrun.getmetatable = newgetmenv
envrun._G = { }
setmetatable(env1, { __INDEX = envrun })
setmetatable(env2, { __INDEX = envtop })

setfenv(codetorun, envrun)

fixed. should contain all code, otherwise just add more checks

I imagine this is not performace friendly, but when has any anti virus ever been performance friendly, RIGHT?

local g = getfenv(print)._G
--broken again

local function runProtected( str, ... )
  local env = {}
  return setfenv( loadfile( str ), setmetatable( env, {__index = function( t, k ) return k == "_G" and env or _G[ k ] end, __metatable = false} ) )( ... )
end

KingofGamesYami, on 24 January 2016 - 11:26 PM said:

local function runProtected( str )
  local env = {}
  setfenv( loadfile( str ), setmetatable( env, {__index = function( t, k ) return k == "_G" and env or _G[ k ] end, __metatable = false}
end

Wojbie, on 24 January 2016 - 11:33 PM said:

Will fail on pairs(_G) and can be detect that way.

KingofGamesYami, on 25 January 2016 - 01:04 AM said:

Wojbie, on 24 January 2016 - 11:33 PM said:

Will fail on pairs(_G) and can be detect that way.

Umm… I just tested it. It doesn't. It just shows there's nothing in the _G table. Which is absolutely true.

Anyway, what non-malicious purpose would you have for iterating through _G?

KingofGamesYami, on 25 January 2016 - 01:14 AM said:

Alright, fine. Here's a fix

Spoiler

local function runProtected( str )
  local env = {}
  env.pairs = function( t )
  	if t == env then
  		return pairs( _G )
  	end
  	return pairs( t )
  end
  setfenv( loadfile( str ), setmetatable( env, {__index = function( t, k ) return k == "_G" and env or _G[ k ] end, __metatable = false} ) )()
end

runProtected( "tester" )

local sbRoot = "/sandboxed/" --#The path programs shouldn't escape
local function sandboxCheck(path)
  local fullPath = fs.combine(sbRoot, path)
  local splitPath = split(fullPath, "/")
  local sbRootSP = split(sbRoot, "/")
  local ssPath = ""
  local ssFPath = ""
  for i, v in ipairs(splitPath) do
    ssPath = ssPath .. " " .. v
    if i <= #sbRootSP then
	  if not isEmpty(sbRootSP[i]) then
	    ssFPath = ssFPath .. " " .. sbRootSP[i]
	  end
    end
  end
  for i, v in ipairs(sbRootSP) do
    if not string.match(ssPath, v) then
	  print("BYPASS ATTEMPT IN: " .. path)
	  return false
    end
  end
  return true
end

oeed, on 26 January 2016 - 01:30 AM said:

Not gonna lie, I was incredibly dubious of this; as anyone who's seen a CC 'virus scanner' would. But I have to say, it looks it might actually work. Look forward to seeing where it goes.

if rawget(getfenv(1), "sleep") ~= sleep then
  -- in the sandbox
end

if getfenv(2)._G ~= _G then
  -- in the sandbox
end

local function toBeRunIn_G()
  print("Hello")
end
setfenv(toBeRunIn_G, getfenv(0))
-- or
setfenv(toBeRunIn_G, getfenv(sleep))

toBeRunIn_G()

LewisTehMinerz, on 24 February 2016 - 04:30 PM said:

GitHub seems to be dead. Would of looked at actually joining IAMS after my CC Virus Labs idea died off.

Creator, on 01 March 2016 - 04:02 PM said:

What exactly are unofficial OS makers?

cyanisaac, on 24 January 2016 - 12:51 AM said:

I have seen several really cool things lately that look to make CraftOS into a better platform. For instance, oeed has started CraftOS Standards, to try to set standards for types of data. These efforts to make CraftOS better are really neat.

However, I feel like one specific thing has been missing: Something to combat malicious scripts. Although the forums themselves don't allow malicious scripts (a good thing), that isn't going to work for everything. And whilst there are several scattered efforts against malicious scripts ("antivirus" programs), these won't work for everything.

So, I am starting the Initiative Against Malicious Scripts, or IAMS.

What is IAMS?

IAMS is an effort in combatting malicious scripts, specifically targeted towards ComputerCraft and CraftOS 2.0 (when it comes out). The goal is to act as a unified community to shut down malicious scripts and activities. It is also created to recognize software and projects that help protect users against malicious software, as well as help make trusted software be known as trusted.

Antimalware Definitions: Protecting Users against Current Malware

One of the goals of IAMS is to provide the means for software to protect users against current and existing malware. This is done by creating a centralized database of hashes of malware, along with pastebin IDs and their hashes. Although this isn't the most secure method, it's a good first step to combatting malicious software.

Sandboxing: Protecting Users against Future Malware

Another goal of IAMS is to encourage the securing of their software. For instance, in an operating system, providing a sandboxed filesystem for applications, to prevent against damage to data. Another example is scanning files for potentially harmful code before executing the file.

Certification: Showcasing Secure Software

The final goal of IAMS is to encourage software to be more secure, and follow best practices with combatting malicious software. This will be done by certifying and showcasing the best of secure software: Operating systems with protected filesystems, antivirus software working with IAMS definitions, and other things that contribute to proper security.

Getting Involved with IAMS

You can see the GitHub organization for IAMS here: [REDACTED, I need to reconsider some elements]

You can also join the gitter chat for IAMS here: [REDACTED, I need to reconsider some elements]

I am currently working on documenting IAMS and making it more obvious how to utilize the tools IAMS is providing.

Now, for how to contribute that IS documented.

If you know of any malicious scripts, report them via PM.

DO NOT REPLY TO THIS THREAD WITH MALICIOUS SOFTWARE LINKS. They are not allowed by the ComputerCraft Forums, hence why they are being disclosed through a form here.

Once you report a malicious script, I will review it to see what it does, and if I find it to be malicious as per the definitions of what makes a script malicious (seen in the form) I will add it to the definitions.

I will be more extensively document efforts here.

What makes a script malicious?

(I will be updating this as time goes by, and as per suggestions of others).

A script is deemed malicious if any of the following apply:

- The script is designed with the intent of being malicious.
- The script pretends to be one thing but ends up being another thing (trojan)
- The script, when publicly shown, claims to have IAMS certification when it has not been certified.
- The script poses an INTENDED threat WITH MALICIOUS PURPOSE to data on the device through any of the following means:
* Deletion of Data
* Corruption of Data
* Encryption of Data
* Unauthorized Sending of Data
- The script poses an INTENDED threat WITH MALICIOUS PURPOSE to software on the device through any of the following means:
* Bypassing of existing security systems implemented by software (example: Rooting an OS)
* Masquerading as a system process.
- The script poses an INTENDED threat WITH MALICIOUS PURPOSE through its own distribution through any of the following means:
* Distributed through a disk drive. (ie disk/startup)
* Distributed through a network.
* Masquerading as one thing in a network but being another.
* Masquerading as one thing in a disk but being another.

TODO:
* Certification of IAMS compliant software

* Other stuff.

This is a developing thing I am creating, so expect this to progress more over the next few weeks.

This thread serves as a place to discuss things that can be done to further combat malicious software, as well as make suggestions, and overall contribute. I would also recommend you join the Gitter rooms so that you can more easily collaborate, and so I can explain better what is going on.

EDIT: Also this is a CC thingy, not pet food.

ry00000, on 06 March 2016 - 06:49 PM said:

My virus is NOT IAMS compliant. I will say that. It spreads through disk drives, and renders the PC useless by instantly shutting down at startup. Note that I WON'T release the Pastebin to the public.

bauen1, on 04 April 2016 - 05:23 PM said:

And also, what about rootkits?
Im totaly not developing one right now :ph34r:/>

cyanissac said:

* Bypassing of existing security systems implemented by software (example: Rooting an OS)

ry00000, on 06 March 2016 - 06:49 PM said:

My virus is NOT IAMS compliant. I will say that. It spreads through disk drives, and renders the PC useless by instantly shutting down at startup. Note that I WON'T release the Pastebin to the public.

3d6, on 24 January 2016 - 08:28 PM said:

The databases probably shouldn't be made public - at least not the signatures. Scanning should be done remotely over http - this would actually most likely be less time consuming than scanning locally in CC, considering the magnitude of the database.

Mayushii, on 24 January 2016 - 08:22 PM said:

This thread feels a bit ridiculous, to be honest. Are CC "malware" an actual threat to anything?

They've already proven to be a threat to krist holdings and other protocols with secret keys. Even command computers are susceptible to the "idiot op with a pastebin link" exploit.

FoxData, on 16 June 2016 - 07:16 PM said:

What about normal programs that can be used for malicious purposes? Like them Packer sniffers that when used on servers like LurCraft - You can see what people are sending over rednet.

PS: There was a time when i found a server on LurCraft that had a program on it running that was meant to infect everyone's computer with a virus (I still have on Floppy disk and i might send it to you)

FoxData, on 16 June 2016 - 07:16 PM said:

What about normal programs that can be used for malicious purposes? Like them Packer sniffers that when used on servers like LurCraft - You can see what people are sending over rednet.

PS: There was a time when i found a server on LurCraft that had a program on it running that was meant to infect everyone's computer with a virus (I still have on Floppy disk and i might send it to you)

Anavrins, on 17 June 2016 - 09:15 PM said:

FoxData, on 16 June 2016 - 07:16 PM said:

What about normal programs that can be used for malicious purposes? Like them Packer sniffers that when used on servers like LurCraft - You can see what people are sending over rednet.

PS: There was a time when i found a server on LurCraft that had a program on it running that was meant to infect everyone's computer with a virus (I still have on Floppy disk and i might send it to you)

I, for one, did use a full-spectrum sniffer on Lurcraft. By itself, it doesn't allow hacking or virus infection since it's a passive system, it did allow me to detect attacks on other computers.
I wish people could see sniffers more as a debug tool rather than a weapon.

Anavrins, on 18 June 2016 - 09:34 PM said:

There are safe way to authenticate wirelessly, as well as multiple encryption algorithm available on the forums.
Example if a file sharing software simply send the files directly over modem, then it doesn't matter if someone can sniff it or not, the software is still vulnerable and at risk.

Both Krist and Craftmail uses http, not the in-game modems, so I don't know why that matters, at this point, only the server host can see these communications.

FoxData, on 19 June 2016 - 05:53 PM said:

Was IAMS created because of Fox Anti-virus?

Creator, on 18 June 2016 - 10:40 PM said:

I implemented the Diffie-Hellman key exchange. It works, but it is slow.

Anavrins, on 19 June 2016 - 05:58 PM said:

FoxData, on 19 June 2016 - 05:53 PM said:

Was IAMS created because of Fox Anti-virus?

What are you implying, there are hundreds of "anti-virus" on the forums.

Creator, on 18 June 2016 - 10:40 PM said:

I implemented the Diffie-Hellman key exchange. It works, but it is slow.

So did I, but it's not that useful, since D-H does not provide authenticity.

FoxData, on 15 July 2016 - 06:32 PM said:

Hello, Our company was recently attacked by a new type of virus.

Name: Cryptolocker
Type: Locking ransom ware that demands krist
Made by: Unknown

Link:

Please investigate this as i found it on all my computers.

Best regards: FoxData's CEO (olliegw)

KingofGamesYami, on 15 July 2016 - 06:47 PM said:

That's too complicated CloudNinja. Simply remove all modems from the computer - the virus will error on line 4, allowing you free access.

Cloud Ninja, on 15 July 2016 - 07:44 PM said:

KingofGamesYami, on 15 July 2016 - 06:47 PM said:

That's too complicated CloudNinja. Simply remove all modems from the computer - the virus will error on line 4, allowing you free access.

This is true as well lol.

H4X0RZ, on 15 July 2016 - 07:52 PM said:

Cloud Ninja, on 15 July 2016 - 07:44 PM said:

KingofGamesYami, on 15 July 2016 - 06:47 PM said:

That's too complicated CloudNinja. Simply remove all modems from the computer - the virus will error on line 4, allowing you free access.

This is true as well lol.

Also you actually can't disk-unlock it because it disables every setting xD

Cloud Ninja, on 15 July 2016 - 07:57 PM said:

H4X0RZ, on 15 July 2016 - 07:52 PM said:

Cloud Ninja, on 15 July 2016 - 07:44 PM said:

KingofGamesYami, on 15 July 2016 - 06:47 PM said:

That's too complicated CloudNinja. Simply remove all modems from the computer - the virus will error on line 4, allowing you free access.

This is true as well lol.

Also you actually can't disk-unlock it because it disables every setting xD

Yes you can. The code fox posted didnt block disk hijacks.

bauen1, on 15 July 2016 - 08:15 PM said:

Cloud Ninja, on 15 July 2016 - 07:57 PM said:

H4X0RZ, on 15 July 2016 - 07:52 PM said:

Cloud Ninja, on 15 July 2016 - 07:44 PM said:

KingofGamesYami, on 15 July 2016 - 06:47 PM said:

That's too complicated CloudNinja. Simply remove all modems from the computer - the virus will error on line 4, allowing you free access.

This is true as well lol.

Also you actually can't disk-unlock it because it disables every setting xD

Yes you can. The code fox posted didnt block disk hijacks.

It does on line 10 but you can (if you set a label) break the computer and put it in a drive and remove the startup

FoxData, on 15 July 2016 - 11:07 PM said:

Lur made the virus and messed all my stuff up. We traced back the krist address and it landed at lur. Lur even told us all his krist addresses.