This is a read-only snapshot of the ComputerCraft forums, taken in April 2020.

BLAST AntiMalware Suite - 'Yet another' string.find antivirus

Started by minebuild02, 02 August 2016 - 03:16 PM
minebuild02 #1
Posted 02 August 2016 - 05:16 PM
The BLAST AntiMalware Suite is an innovation in the field of CC antimalware programs.


Features of the On-Demand Scanner:

3 modes of scanning: Choose between 3 databases - standard signature analysis, behavioural (scans for generic functions/code statements) signature analysis or the URL finder algorithm.

An extensive database: A (somewhat) large amount of time was spent scavenging ComputerCraft malware, categorizing it and choosing the signatures to input.

An extensive classification system: Depending on a malicious program's behaviour, it is classified as a Virus, a Worm or as a program of another category.

A large help page, detailing all the algorithms and parameters used by the program, as well as explaining the classification.


Features of the Real-Time Security Driver:

Startup file protection: Reroutes the filesystem to deny write access to the startup file.

Real-time detection: Detects malicious code loaded as Lua chunks.

Network screen: Reroutes the HTTP API to disable downloading of known malicious programs.



Changelog:

v1.0 | Release | Initial (no changes): Initial release

v1.1 | Update | Bugfix (Requested): Fixed some signatures, should be able to work on 1.6+ without errors now

v1.2 | Release | New package released: Released the Real-Time Security driver!

v1.3 | Update | CRITICAL: Fixed a huge bug, added 1 signature

v1.4 | Release | New package released: Released the installer!

v1.5 | Update | New feature: More functions are now scanned by the RTS driver

v1.6 | Update | Bugfix (Requested): Fixed a bug in RTS' loadfile function



About the RTS driver:

Basically it is a program that modifies the global environment with its own functions.

They do not let programs modify the startup file, and they scan the Lua chunks loaded into a program to find a virus.

Also it includes a firewall of some kind that prevents viruses from being downloaded.


Planned features:

Sandboxing - currently WIP, will be released as a separate program

Checksums - will be provided in 2.0 or possibly earlier

Trusted programs/false positives list - planned to be added sometime soon


Download now!

Installer: pastebin get tp9yYxgV installer

Run the installer without arguments to get help.

Made by minebuild02. Contributed to and beta-tested by RyuuMasatoKai.
Edited on 12 August 2016 - 09:11 AM
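The three Real-Time Security Driver features listed above (startup protection, detection of malicious chunks, network screen) can all be built by replacing entries in the shared CraftOS API tables. What follows is an added example written for this page, not the BLAST driver's own code. It assumes the CraftOS 1.6/1.7 `fs`, `http` and `loadstring` APIs, assumes that the bios `loadfile`/`os.run` resolve the global `loadstring` at call time (so hooking `_G.loadstring` also covers programs started from the shell), and uses a constructed signature list and a constructed URL block list.

```lua
-- Added example of a resident RTS-style driver for CraftOS (Lua 5.1).  Not the
-- BLAST driver.  It must run before any untrusted program, because code loaded
-- earlier already holds references to the original functions.

-- Constructed signature list.  Matching uses plain find (4th argument true), so
-- a signature containing ( [ % or . is never interpreted as a Lua pattern.
local SIGNATURES = {
  { name = "Worm.Deleter.sample",    text = 'fs.delete("startup")' },
  { name = "Trojan.RawEvent.sample", text = "os.pullEvent = os.pullEventRaw" },
}
-- Constructed block list for the network screen (exact URL match).
local BLOCKED_URLS = { ["http://example.invalid/dropper.lua"] = true }

local function scan_source(src)
  if type(src) ~= "string" then return nil end
  for _, sig in ipairs(SIGNATURES) do
    if string.find(src, sig.text, 1, true) then return sig.name end
  end
  return nil
end

-- fs.combine("", p) canonicalises "/startup", "startup/" and "//startup" to "startup".
local function is_startup(path)
  local p = fs.combine("", path)
  return p == "startup" or p:sub(1, 8) == "startup/"
end

-- Private references to the real functions; nothing outside this chunk can reach them.
local real = {
  open = fs.open, delete = fs.delete, move = fs.move, copy = fs.copy,
  loadstring = _G.loadstring, http_get = http and http.get,
}

-- Startup file protection: refuse every operation that could change /startup.
fs.open = function(path, mode)
  if is_startup(path) and mode ~= "r" and mode ~= "rb" then
    return nil, "rts: write access to startup denied"
  end
  return real.open(path, mode)
end
fs.delete = function(path)
  if is_startup(path) then error("rts: deleting startup denied", 2) end
  return real.delete(path)
end
fs.move = function(from, to)
  if is_startup(from) or is_startup(to) then error("rts: moving startup denied", 2) end
  return real.move(from, to)
end
fs.copy = function(from, to)
  if is_startup(to) then error("rts: overwriting startup denied", 2) end
  return real.copy(from, to)
end

-- Real-time detection: every chunk compiled from source passes through here.
-- Assigned on _G, not as a plain global, because a CraftOS program runs in its
-- own environment table and a bare assignment would vanish when it exits.
_G.loadstring = function(src, name)
  local hit = scan_source(src)
  if hit then return nil, "rts: blocked " .. hit .. " in " .. tostring(name or "chunk") end
  return real.loadstring(src, name)
end

-- Network screen: refuse known download sources.
if http then
  http.get = function(url, headers)
    if BLOCKED_URLS[url] then return nil, "rts: download blocked" end
    return real.http_get(url, headers)
  end
end

print("rts driver installed: " .. #SIGNATURES .. " signatures")
```

The plain-text `find` is the part worth copying: passing signature text as a Lua pattern is what turns brackets or unbalanced parentheses in a signature into runtime errors such as "unfinished capture". The protection is only as strong as the environment it lives in; any program that ran before the driver, or a reboot that skips it, leaves the original functions in place.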
HDeffo #2
Posted 02 August 2016 - 05:25 PM
Well, since someone is actually attempting to make a solid antimalware (regardless of how useful that actually is), a few comments:

1) have your program scan for potential "avoidance" code and chop it out before scanning, e.g. os.pullEvent = os["pullEvent".."Raw"]

2) on that note, your program should also remove all extra characters from a scan, e.g. spaces and semicolons

3) instead of scanning for exact matches, first compare checksums, then use a custom function for variable scans, e.g. this file is 87% similar to a known virus

4) you also need a method for users to either trust or distrust programs. This will add to your database and help identify programs you don't need to do a full comprehensive scan on if enough people trust them
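One way to act on suggestions 1 to 3, as an added example that is not code from the suite: normalise the source before matching, so that `os["pullEvent".."Raw"]`, stray semicolons, comments and whitespace collapse to the same text as `os.pullEvent = os.pullEventRaw`; then compare by checksum for an exact hit and by a token-bigram Jaccard ratio for a "this file is N% similar" verdict. The "known virus" text, the two test inputs, the 32-bit djb2 checksum and the 0.7 threshold are this example's own constructed choices; the samples are only ever scanned, never executed.

```lua
-- Added example (not from the BLAST suite): normalise, checksum, compare.
-- Targets CraftOS Lua 5.1 and uses only the string library.

local function normalize(src)
  -- strip long comments --[[ ... ]] / --[=[ ... ]=], then line comments
  src = src:gsub("%-%-%[(=*)%[.-%]%1%]", " ")
  src = src:gsub("%-%-[^\n]*", " ")
  -- fold adjacent string literals joined by .. :  "pullEvent" .. "Raw" -> "pullEventRaw"
  local n
  repeat
    src, n = src:gsub('(["\'])([^"\']*)%1%s*%.%.%s*(["\'])([^"\']*)%3', "%1%2%4%1")
  until n == 0
  -- rewrite t["name"] as t.name when the key is a plain identifier
  src = src:gsub('%[%s*(["\'])([%a_][%w_]*)%1%s*%]', ".%2")
  -- semicolons are noise; collapse whitespace and drop it next to punctuation
  src = src:gsub(";", " "):gsub("%s+", " ")
  src = src:gsub("([^%w_ ]) ", "%1"):gsub(" ([^%w_ ])", "%1")
  return (src:gsub("^ ", ""):gsub(" $", ""))
end

-- djb2 reduced mod 2^32: a lookup key for exact matches, not a cryptographic hash.
local function checksum(s)
  local h = 5381
  for i = 1, #s do h = (h * 33 + s:byte(i)) % 4294967296 end
  return h
end

-- Set of adjacent word-token pairs; punctuation is ignored on purpose.
local function shingles(s)
  local set, prev = {}, nil
  for tok in s:gmatch("[%w_]+") do
    if prev then set[prev .. " " .. tok] = true end
    prev = tok
  end
  return set
end

-- Jaccard ratio of two normalised sources, 0..1.
local function similarity(a, b)
  local sa, sb = shingles(a), shingles(b)
  local inter, union = 0, 0
  for k in pairs(sa) do union = union + 1; if sb[k] then inter = inter + 1 end end
  for k in pairs(sb) do if not sa[k] then union = union + 1 end end
  if union == 0 then return 1 end
  return inter / union
end

-- Constructed "known virus" text for the database.
local KNOWN = [[
os.pullEvent = os.pullEventRaw
while true do
  for _, f in ipairs(fs.list("/")) do
    if f ~= "rom" then fs.delete(f) end
  end
end
]]
local DB = { [checksum(normalize(KNOWN))] = { name = "Worm.Deleter.sample", norm = normalize(KNOWN) } }

-- Returns verdict ("exact" | "similar" | "clean"), signature name, similarity ratio.
local function scan(src, threshold)
  local norm = normalize(src)
  local hit = DB[checksum(norm)]
  if hit then return "exact", hit.name, 1 end
  local best, bestname = 0, nil
  for _, entry in pairs(DB) do
    local s = similarity(norm, entry.norm)
    if s > best then best, bestname = s, entry.name end
  end
  if best >= (threshold or 0.7) then return "similar", bestname, best end
  return "clean", nil, best
end

-- Cosmetic rewrite of KNOWN: string-concat trick, semicolon, comment, other whitespace.
local OBFUSCATED = 'os.pullEvent = os["pullEvent" .. "Raw"]; while true do -- keep going\n'
  .. 'for _,f in ipairs(fs.list("/")) do if f~="rom" then fs.delete(f) end end end'
-- Functional variant: also spares "disk" and sleeps between passes.
local VARIANT = [[
os.pullEvent = os.pullEventRaw
while true do
  for _, f in ipairs(fs.list("/")) do
    if f ~= "rom" and f ~= "disk" then fs.delete(f) end
  end
  sleep(1)
end
]]
print(scan(OBFUSCATED))
print(scan(VARIANT))
```

With these inputs the obfuscated copy normalises to exactly the same text as KNOWN and hits by checksum. The variant shares 22 of 30 token bigrams with it (a ratio of about 0.73), so it is reported as similar only while the threshold sits at or below that; raising the threshold trades misses for fewer false positives. Anything that changes a single token breaks the exact match, which is what the similarity path is for.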
minebuild02 #3
Posted 02 August 2016 - 05:28 PM
Well, since someone is actually attempting to make a solid antimalware (regardless of how useful that actually is), a few comments:

1) have your program scan for potential "avoidance" code and chop it out before scanning, e.g. os.pullEvent = os["pullEvent".."Raw"]

2) on that note, your program should also remove all extra characters from a scan, e.g. spaces and semicolons

3) instead of scanning for exact matches, first compare checksums, then use a custom function for variable scans, e.g. this file is 87% similar to a known virus

4) you also need a method for users to either trust or distrust programs. This will add to your database and help identify programs you don't need to do a full comprehensive scan on if enough people trust them

Thanks for suggestions. Yes, I am trying to make a real antivirus. And I'm thinking about a true behavioural analysis algorithm (sandboxing).
Edited on 02 August 2016 - 03:28 PM
Cloud Ninja #4
Posted 02 August 2016 - 07:46 PM
When I run it, I get the error on line 178: nesting of [[…]] is deprecated.
minebuild02 #5
Posted 03 August 2016 - 12:38 PM
When I run it, I get the error on line 178: nesting of [[…]] is deprecated.
Noted. This is an error in some of the signatures; ROS AM was made on CraftOS 1.5. The database will be reviewed and the signatures will be replaced.
Version 1.1 fixing this bug is now out!
Edited on 03 August 2016 - 10:44 AM
HDeffo #6
Posted 05 August 2016 - 02:50 AM
You might also want to add a section that checks for old exploits as well as ones which could eventually be exploits; the most relevant I can think of would be


local virus = function(t, k)
   -- every string-method lookup lands here; "hacked" marks that the payload already ran
   if k == "gsub" and not hacked then
      --run code here
   end
   return string[k]   -- hand back the real method itself, not the result of calling it
end
getmetatable("").__index = virus   -- the string metatable's lookup field is __index

In old versions this would infect any computer that turned on (I left an important part out so no one can just copy it). To check something like that in the past you simply needed to run


string.dump( ("").gsub ) == "gsub"
True means it's not hacked. But now if anyone did hijack the string functions a check like that would result in an error on a good system so you would need to wrap it in a pcall. To clean the system you run


getmetatable("").__index = string   -- point the lookup field back at the real string table

Change the first part to whatever the entry point is in that version. I refer to the string metatable only because as far as I have seen that's the only vulnerability that CC has had pop up several times and which could again. Gsub is run within the bios so that's usually the entry point for any viruses of that nature I've seen
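A pcall-guarded version of that check and cleanup, added here as an example rather than taken from the thread, written for CraftOS Lua 5.1. Where the bios blocks getmetatable on strings the check reports "unavailable" instead of raising; the hook installed in the demonstration only forwards lookups and is a stand-in for the payload above.

```lua
-- Added example: detect and repair a hijacked string metatable without crashing
-- on CraftOS versions that refuse getmetatable("") (the call is wrapped in pcall).

local function string_metatable_state()
  local ok, mt = pcall(getmetatable, "")
  if not ok or type(mt) ~= "table" then return "unavailable" end
  -- two independent tells: the lookup field must be the string table itself,
  -- and a method fetched through a string value must be the genuine function
  local okm, method = pcall(function() return ("").gsub end)
  if rawequal(mt.__index, string) and okm and rawequal(method, string.gsub) then
    return "clean"
  end
  return "hijacked"
end

local function repair_string_metatable()
  local ok, mt = pcall(getmetatable, "")
  if not ok or type(mt) ~= "table" then return false end
  mt.__index = string   -- stock Lua 5.1 wiring: string methods resolve through string
  return true
end

-- Demonstration: install a harmless forwarding hook, detect it, repair it.
local ok, mt = pcall(getmetatable, "")
if ok and type(mt) == "table" then
  local original = mt.__index
  mt.__index = function(_, k) return original[k] end
  print("after hook:   " .. string_metatable_state())
  repair_string_metatable()
  print("after repair: " .. string_metatable_state())
else
  print("string metatable not reachable here: " .. string_metatable_state())
end
```

Both tells pass if the attacker replaced string.gsub inside the string table itself rather than the metatable, so a resident scanner should compare against function references captured at boot rather than against the live string table.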
minebuild02 #7
Posted 05 August 2016 - 10:37 AM
–snip–
Will think of that. Could you send the full code to me in a PM so I could review and classify it?
EDIT: Latest version of CC prevents access to the string metatable.
Edited on 05 August 2016 - 08:45 AM
Piorjade #8
Posted 05 August 2016 - 11:13 AM
I really would like to include that in my OS, which will soon get movable windows.

It will probably be pre-installed so users are able to delete it.

The question is if you want me to do this and, if yes, if this really is useful/stable in its current state?
HDeffo #9
Posted 05 August 2016 - 01:10 PM
Yeah the latest version has it blocked however it didn't use to be and prior to that there were other various ways of getting to it. Honestly, I'm fully expecting it to be exposed somehow again in a future version by accident
minebuild02 #10
Posted 06 August 2016 - 05:04 PM
I really would like to include that in my OS, which will soon get movable windows.

It will probably be pre-installed so users are able to delete it.

The question is if you want me to do this and, if yes, if this really is useful/stable in its current state?

Yes, it is stable and useful. Do it!

Yeah the latest version has it blocked however it didn't use to be and prior to that there were other various ways of getting to it. Honestly, I'm fully expecting it to be exposed somehow again in a future version by accident

I'll think of something, but the fix gives me a VM error in the emulator
minebuild02 #11
Posted 06 August 2016 - 06:19 PM
ReactOS AntiMalware is now supplemented by an RTS driver! Just run it once per boot. As always I'm open to suggestions.
Edited on 06 August 2016 - 04:20 PM
minebuild02 #12
Posted 07 August 2016 - 10:25 AM
1.4 of the Suite is now out! It now has a unified installer!
Also I have fixed a huge bug in one of the signatures that caused any file to be detected as a dropper of one of the viruses, and added a ransomware signature.
Oh, and 1.5 is already out. Checksums are on their way…
Edited on 07 August 2016 - 08:40 AM
FoxData #13
Posted 07 August 2016 - 06:06 PM
ReactOS is a free OS that looks like Windows.
minebuild02 #14
Posted 07 August 2016 - 07:46 PM
ReactOS is a free OS that looks like Windows.
I know… It's a temporary name. Will be renamed soon to resolve copyright issues
Renamed.
Edited on 08 August 2016 - 08:09 AM
Piorjade #15
Posted 09 August 2016 - 11:25 PM
OK, I got windows working 'n stuff (they work in the background too but have to be minimized first)… the only thing is whether this works completely safely, so I'm going to test this before even releasing the new version of my OS :D
Btw it definitely will be a standalone program, which can be deleted by the user. I have 2 reasons for that:
- You say you'll create your own OS which will include your program
- Maybe people don't want to have it installed, so they easily can delete it
And here a quick preview of the window system:
[attachment: TwoProgramsAndOneInBackground.PNG]
[attachment: FirewolfInTheBackground.PNG]
Edited on 09 August 2016 - 09:28 PM
Piorjade #16
Posted 09 August 2016 - 11:56 PM
Ok here is my testing result:
Using RTS in the shell leads to crashing everywhere (no matter what I do, it says this: rts:335: attempt to concatenate nil and string (2 times) and then the OS shuts down)

Then I wrote a sample code (I don't know if that's marked as a virus :/):


os.pullEvent = os.pullEventRaw
while true do
  S = ""
  for i=1, 50 do
    S = S..math.random(0,1)
  end
  write(S)
  sleep(0)
end

And used scan on it:

Using "behaviour" = Checking /tst
scan:386: unfinished capture
Using "link" = Checking /tst
File is clean!
Using "def" = (Same as above)

So I'd say if you fix the RTS (if you can), I'd "inject" it into the shell app, which first loads the RTS and then shell.

Or if you'd fix scan(behaviour), I'd include it as a standalone application, which the user can execute and check a downloaded file (this would be extremely useful because many people like to use Firewolf and I made a browser myself, which will be released soon and included in my OS)
Gorzoid #17
Posted 12 August 2016 - 02:00 AM
One thing you may want to try out is compiling the virus with loadstring, then string.dump'ing the function into a compiled dump containing all the strings, all the code etc. This means that syntax obfuscation is virtually useless, because the Lua compiler removes it all. Take a look at my unfinished bytecode library I posted if you want to see how you can read Lua dumps (yes, I know it's very big; if CC used Lua 5.3 I could do it all using string.pack).
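An added example of that approach, not Gorzoid's library: compile the suspect source with loadstring, string.dump it, and walk the Lua 5.1 dump (12-byte header, then per function: source name, line numbers, four size bytes, instructions, constants, nested prototypes, debug info) collecting every string constant. It assumes the standard Lua 5.1 dump layout, which is what CraftOS's string.dump emits, and reads the endianness and type sizes from the header rather than assuming them; the sample source is constructed.

```lua
-- Added example: extract the string constants from a compiled Lua 5.1 chunk.
-- Assumes the standard Lua 5.1 dump format.  Not part of the BLAST suite.

local function dump_strings(fn)
  local data = string.dump(fn)
  assert(data:sub(1, 4) == "\27Lua" and data:byte(5) == 0x51, "not a Lua 5.1 dump")
  local little = data:byte(7) == 1
  local size_int, size_t, size_instr, size_num = data:byte(8, 11)
  local pos = 13                                  -- first byte after the header

  local function byte()
    local b = data:byte(pos); pos = pos + 1; return b
  end
  local function uint(n)                          -- n-byte unsigned integer
    local v = 0
    for i = 1, n do
      v = v * 256 + data:byte(little and pos + n - i or pos + i - 1)
    end
    pos = pos + n
    return v
  end
  local function str()                            -- size_t length incl. NUL, then bytes
    local len = uint(size_t)
    if len == 0 then return nil end
    local s = data:sub(pos, pos + len - 2)
    pos = pos + len
    return s
  end

  local found = {}
  local function proto()
    str()                                         -- source name (nil when stripped)
    uint(size_int); uint(size_int)                -- linedefined, lastlinedefined
    pos = pos + 4                                 -- nups, numparams, is_vararg, maxstacksize
    pos = pos + uint(size_int) * size_instr       -- skip the instructions
    for _ = 1, uint(size_int) do                  -- constants
      local t = byte()
      if t == 1 then byte()                       -- boolean
      elseif t == 3 then pos = pos + size_num     -- number
      elseif t == 4 then found[#found + 1] = str()-- string
      end                                         -- t == 0: nil, no payload
    end
    for _ = 1, uint(size_int) do proto() end      -- nested functions
    pos = pos + uint(size_int) * size_int         -- line info
    for _ = 1, uint(size_int) do str(); uint(size_int); uint(size_int) end -- locals
    for _ = 1, uint(size_int) do str() end        -- upvalue names
  end
  proto()
  return found
end

-- Constructed sample in the shape HDeffo described, with comment and spacing noise.
local SAMPLE = [[
local o = os   -- alias
o [ "pullEvent" ]  =  o["pull" .. "Event" .. "Raw"] ; return 1
]]
local fn = assert(loadstring(SAMPLE, "sample"))
local found = dump_strings(fn)
print(table.concat(found, " "))
-- the compiler keeps the .. pieces separate; joining them lets a plain find see the whole name
print(string.find(table.concat(found), "pullEventRaw", 1, true) ~= nil)
```

Lua 5.1 does not fold `..` at compile time, so "pull" .. "Event" .. "Raw" arrives as three constants in source order, while comments, spacing, semicolons and the t["k"] versus t.k distinction are gone entirely. Joining the constant list with no separator lets a plain find still see pullEventRaw, at the cost of occasional false joins across unrelated constants; a scanner that cares can match against the separated list as well.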
minebuild02 #18
Posted 12 August 2016 - 11:04 AM
Ok here is my testing result:
Using RTS in the shell leads to crashing everywhere (no matter what I do, it says this: rts:335: attempt to concatenate nil and string (2 times) and then the OS shuts down)

Then I wrote a sample code (I don't know if that's marked as a virus :/):


os.pullEvent = os.pullEventRaw
while true do
  S = ""
  for i=1, 50 do
    S = S..math.random(0,1)
  end
  write(S)
  sleep(0)
end

And used scan on it:

Using "behaviour" = Checking /tst
scan:386: unfinished capture
Using "link" = Checking /tst
File is clean!
Using "def" = (Same as above)

So I'd say if you fix the RTS (if you can), I'd "inject" it into the shell app, which first loads the RTS and then shell.

Or if you'd fix scan(behaviour), I'd include it as a standalone application, which the user can execute and check a downloaded file (this would be extremely useful because many people like to use Firewolf and I made a browser myself, which will be released soon and included in my OS)
I'll begin work immediately
minebuild02 #19
Posted 12 August 2016 - 11:09 AM
1.6 is out, scan will be updated soon
minebuild02 #20
Posted 21 August 2016 - 10:14 AM
Have no way to fix the behavioural scanner for now. Definitions will be updated
Luca_S #21
Posted 26 August 2016 - 10:02 PM
It detects itself (Worm.Deleter.a) because of local ignore={disk=true,rom=true}
Wtf this can't be right….

Also it doesn't detect fs.delete("*") as a virus?
MKlegoman357 #22
Posted 28 August 2016 - 09:48 PM
Also it doesn't detect fs.delete("*") as a virus?

That doesn't work, all fs functions (with the exception of fs.find()) don't handle wildcards. But shell.run("rm *") would probably be dangerous.
manu_03 #23
Posted 28 August 2016 - 10:19 PM
You could scan the file for the HTTP API. For example, running the code from mysite.com/myfile where myfile is a virus.
manu_03 #24
Posted 28 August 2016 - 10:25 PM
Somewhere in the past I saw a program that encrypts your code to make it hidden. A virus maker could use it to avoid string.find warnings. You should start working on a sandbox mode that replaces most of the unsafe functions with function() end and makes a log of the performed actions
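The sandbox mode described above, as an added example that is not part of the suite: untrusted source is compiled and run in its own environment where the listed API calls are replaced by stubs that only record the call, field writes on the guarded tables are logged, and everything else reads through to the host environment. It assumes CraftOS Lua 5.1 (setfenv/getfenv, loadstring); the list of dangerous calls, the table names and the sample program are this example's own constructions, and the sample only ever runs inside the sandbox.

```lua
-- Added example: a logging sandbox for dynamic analysis on CraftOS (Lua 5.1).
-- Not the BLAST suite's sandbox.  Names and lists below are constructed for it.

local DANGEROUS = {
  ["fs.open"] = true, ["fs.delete"] = true, ["fs.move"] = true, ["fs.copy"] = true,
  ["fs.makeDir"] = true, ["http.get"] = true, ["http.post"] = true,
  ["os.reboot"] = true, ["os.shutdown"] = true, ["shell.run"] = true,
}
local GUARDED = { fs = true, http = true, os = true, shell = true }

local host = getfenv(1)   -- environment this analyser runs in (holds shell under CraftOS)

local function sandbox(src, name)
  local log = {}
  local function describe(...)
    local parts = {}
    for i = 1, select("#", ...) do parts[i] = tostring((select(i, ...))) end
    return table.concat(parts, ", ")
  end
  -- proxy one API table: dangerous members become logging stubs, writes are
  -- logged and dropped, every other read passes through to the real table
  local function proxy(libname, lib)
    return setmetatable({}, {
      __index = function(_, k)
        local full = libname .. "." .. tostring(k)
        if DANGEROUS[full] then
          return function(...) log[#log + 1] = "call " .. full .. "(" .. describe(...) .. ")" end
        end
        return lib[k]
      end,
      __newindex = function(_, k, v)
        log[#log + 1] = "set  " .. libname .. "." .. tostring(k) .. " = " .. tostring(v)
      end,
    })
  end
  local env = setmetatable({}, {
    __index = function(_, k)
      local v = host[k]
      if GUARDED[k] and type(v) == "table" then return proxy(k, v) end
      return v
    end,
  })
  env._G = env              -- _G inside the sandbox is the sandbox itself
  local fn, err = loadstring(src, name)
  if not fn then return nil, err end
  setfenv(fn, env)
  local ok, runerr = pcall(fn)
  return log, (not ok) and runerr or nil
end

-- Constructed sample program; it is only ever run inside the sandbox.
local SAMPLE = [[
os.pullEvent = os.pullEventRaw
fs.delete("startup")
local h = fs.open("startup", "w")
http.get("http://example.invalid/payload")
]]
local log, err = sandbox(SAMPLE, "sample")
for _, line in ipairs(log) do print(line) end
if err then print("sample stopped with: " .. err) end
```

The stubs return nothing, so a program that uses the handle from fs.open will typically error at that point; the error is caught by pcall and returned alongside the log, which is still useful evidence. This is an analysis aid rather than a security boundary: nothing limits run time (an endless loop stalls the analyser), and a program that reaches getfenv/setfenv or a metatable of the host tables can still get at the real API.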
minebuild02 #25
Posted 05 September 2016 - 02:29 PM
It detects itself(Worm.Deleter.a) because of local ignore={disk=true,rom=true}
Wtf this can't be right….

Also it doesn't detect fs.delete("*") as a virus?
It does detect itself, yes.
You could scan the file for the HTTP API. For example, running the code from mysite.com/myfile where myfile is a virus.
The RTS driver has a firewall feature; it scans for access to dangerous files
Somewhere in the past I saw a program that encrypts your code to make it hidden. A virus maker could use it to avoid string.find warnings. You should start working on a sandbox mode that replaces most of unsafe functions to function()end and makes a log with the performed actions
PM me with any known code signatures