How BugHunter Works; for those interested.

"Red Rufus" <Rufus_The_Red@here> wrote in
news:46b523f2$1@news.cuneo2lemon.net:

> Dustin Cook wrote:
>> BugHunter uses a proprietary checksum algorithm that I developed over
>> 14 years ago. In an effort to reduce scantime, BugHunter scans files
>> ONLY if they have a known filelength; IE: Known to BugHunter as
>> potentially being malicious. Once BugHunter takes a scan of the
>> suspect file, it gets two 32bit numbers in a specific order. If the
>> numbers match the record as well as the filelength in the correct
>> order, BugHunter considers it a valid match and looks the information
>> up to give it a more descriptive name, of course that depends on the
>> record having a matching description in one of the buginfo files.
>>
>>
>> I hope this will help with any questions you may have about what
>> BugHunter is, and what it is not. If you have any questions, I will
>> monitor this thread; you may respond here or in email.
>>
>> Thanks for reading!
>
> No thanks required on account I'm not interested.

That's perfectly okay too. You were interested enough to bother wasting
your time to tell me your not interested. LoL. Good morning to you in
any event!


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: bughunter.dustin RemoveThis @gmail.com.removethis
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
 >> Stay informed about: How BugHunter Works; for those interested. 

"Andy Walker" <> wrote in message news:
> Russg wrote:
>
> >I didn't know the
> >difference between gophers and groundhogs.
> >Both are under ground living pests in people's yards.
>
> Not really. A groundhog spends most of its time above ground
> foraging. Gophers live mostly underground, but do come up for a bit
> of fresh air from time to time.
Peterson Field Guide to Mammals:
Gophers have a bare, ratlike, tail. Are smaller than
Ground Hogs. There are no gophers where I live.
Gophers are out west, some in Georgia to Florida.
There are ground hogs in Ohio, but no gophers.
Woodchucks have a bushy tail, not as big and bushy as a squirel.
 >> Stay informed about: How BugHunter Works; for those interested. 

Andy Walker wrote:
> Dustin Cook wrote:
>
>> If you have any questions, I will
>> monitor this thread; you may respond here or in email.
>
> Ok, say I'm a malware writer and want to evade your program. It seems
> to me that all I have to do is pad a few kilobytes of garbage into my
> program and randomly modify the size every now an then. I could evade
> your program for a very long time under that scenario. Is that
> correct?

if you're willing to manually change your malware in that way on a
regular basis then yes you'd probably be able to evade bughunter - not
to mention a number of other products... zlob anyone?

if the algorithm for producing the transformations is known then the
complexity of detecting all forms is comparable to polymorphic (or
perhaps metamorphic depending on the complexity of the transformations)
detection...

if the algorithm is not known (server-side polymorphism) or if the
transformations are not algorithmic (manual transformation) then the
complexity is as yet unbounded and there's no good solution for it...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
 >> Stay informed about: How BugHunter Works; for those interested. 

Andy Walker wrote:
[snip]
> I understand what your saying, but some scanners take into account
> other metrics like the existence of certain registry keys, or even the
> structure of supporting files used as databases for the malware. A
> complete deconstruction of the offending malware *could* produce
> enough information to snare all its variants. Heh! but then who's got
> the time...

a *complete* deconstruction of the malware (or any program, really)
falls outside the realm of computability as it is reducible to the
halting problem...

bearing that in mind, there is technology that approaches complete
deconstruction but it's not appropriate for productization because of
the level of expertise required to validate the results or tweak/guide
the process - it's usually used by av research labs to help automate the
processing of malware samples...

the more you dumb down the human requirements, the less complete the
deconstruction and the closer you get to heuristics...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
 >> Stay informed about: How BugHunter Works; for those interested. 

"Russg" <russgilb.DeleteThis@MUNGEsbcglobal.net> wrote in
news:%DRsi.12542$eY.8974@newssvr13.news.prodigy.net:

>
> "Dustin Cook" <> wrote in message news:
>> BugHunter uses a proprietary checksum algorithm that I developed over
>> 14 years ago. In an effort to reduce scantime, BugHunter scans files
>> ONLY if they have a known filelength; IE: Known to BugHunter as
>> potentially being malicious. Once BugHunter takes a scan of the
>> suspect file, it gets two 32bit numbers in a specific order. If the
>> numbers match the record as well as the filelength in the correct
>> order, BugHunter considers it a valid match and looks the information
>> up to give it a more descriptive name, of course that depends on the
>> record having a matching description in one of the buginfo files.
>>
>>
>> I hope this will help with any questions you may have about what
>> BugHunter is, and what it is not. If you have any questions, I will
>> monitor this thread; you may respond here or in email.
>>
>> Thanks for reading!
>>
> Question comes to mind. Where do you get samples to get your ID CRC
> and length? Someone at one of the AV vendors?

Apologies for being a smartass about this question earlier. I acquire
suspected malware samples from a variety of sources. If you submit
samples to sites like

http://scanner.virus.org/
http://virusscan.jotti.org/
http://www.virustotal.com/

I will probably get them around the same time as everyone else in the
antimalware community does. Trust is an important issue obviously as
these are potentially dangerous executables. It's not a matter of a
person providing me samples, but the community itself. 4Q likes to claim
i'm untrustworthy, yet people on both sides of the fence trust me. It
doesn't make sense to anyone besides 4q in his paranoid state of mind.

Another method I do, as do many others, Is to surf with unsafe browsers
on sites that I know are not safe. I'm also into collecting screensavers,
and I'll even play user for a day and get things like kazaa and "trust"
the filenames are real, and infect my virtual workstation all day.

Another option is the bots and various trojans sent these days via email,
typically as a greeting card. I can't thank people enough for providing
spamsites my email address. They send the junk right to me, I don't even
have to look.

I also maintain various accounts on social networking sites, that will
glady accept unknown executables from anyone. Happily! It'll even accept
friends that are bots. LoL. It'll fall for anything that may result in an
infection of some kind.

I have bots that travel on irc, they accept dcc file sends from
strangers. Any strangers, send whatever junk you want.

I have bots monitor specific email addresses I have setup to capture
fresh samples.

I said something about shells remember? Well, this is all done mainly
using them. It's why 4Q's so pissed off. He has an idea of the bandwidth
and server cpu power I have access too, and i won't share. hehehehe.

Theres always a user who gets infected with something new, so they send
it along to me for analysis. I do my best to help them clear the issue up
over email, if I can. Since I test the little buggers in a virtual
environment where they can change whatever they like, but theyre going to
be leaving footprints while doing so. I also dissassemble them and take
notes for later. Most of the stuff is really pretty lousy programming. I
wrote some bad code back in the day myself, but these trojans/spybots etc
are really poorly written.

I suppose with so many executable variants of the same thing, they can
afford for it to work on some systems in a hit and miss fashion.

If you have any other serious questions, I'll try to answer them for you.

Have a good one!





--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: bughunter.dustin.DeleteThis@gmail.com.removethis
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
 >> Stay informed about: How BugHunter Works; for those interested. 

I haven't dealt with a virus/trojan for a long time.
My question is general. BugHunter and other AV programs identify malicious
files, but don't get rid of them.
At least that's my experience with Klez, which was discovered because
ZoneAlarm caught it trying to phone home, and it was constantly accessing
the hard drive and really slowed the computer down. I had to find a Klez
removal tool.
Question:
After BugHunter finds a malware, what does it do to keep it from coming
back, clear out the registry and startup stuff, un-read only, system the
file, prevent system restore from re-inserting it? Or is it general
procedure, once a malware is found, search for a specific removal tool?
 >> Stay informed about: How BugHunter Works; for those interested. 

kurt wismer <kurtw.RemoveThis@sympatico.ca> wrote in news:f931q4$r8m$2
@registered.motzarella.org:

> Andy Walker wrote:
>> Dustin Cook wrote:
>>
>>> If you have any questions, I will
>>> monitor this thread; you may respond here or in email.
>>
>> Ok, say I'm a malware writer and want to evade your program. It seems
>> to me that all I have to do is pad a few kilobytes of garbage into my
>> program and randomly modify the size every now an then. I could evade
>> your program for a very long time under that scenario. Is that
>> correct?
>
> if you're willing to manually change your malware in that way on a
> regular basis then yes you'd probably be able to evade bughunter - not
> to mention a number of other products... zlob anyone?

Hi Kurt. Thanks for mentioning what should be obvious to anyone.

No offense Andy, but BugHunter can be beaten using the same tricks you'd
use on other products. It's not foolproof either.


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: bughunter.dustin.RemoveThis@gmail.com.removethis
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
 >> Stay informed about: How BugHunter Works; for those interested. 

kurt wismer <kurtw DeleteThis @sympatico.ca> wrote in news:f931pn$r8m$1
@registered.motzarella.org:

> Andy Walker wrote:
> [snip]
>> I understand what your saying, but some scanners take into account
>> other metrics like the existence of certain registry keys, or even the
>> structure of supporting files used as databases for the malware. A
>> complete deconstruction of the offending malware *could* produce
>> enough information to snare all its variants. Heh! but then who's got
>> the time...
>
> a *complete* deconstruction of the malware (or any program, really)
> falls outside the realm of computability as it is reducible to the
> halting problem...

Again, I want to thank you for stepping in and explaining the obvious.
BugHunter is not the only program which can be defeated using the tricks
Andy specified.


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: bughunter.dustin DeleteThis @gmail.com.removethis
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
 >> Stay informed about: How BugHunter Works; for those interested. 

Dustin Cook wrote:

>BugHunter is not the only program which can be defeated using the tricks
>Andy specified.

And there are many programs that aren't as easy to defeat. I don't
need a lesson from any of you on how to defeat anti-malware programs.
I was just asking the question because you seemed to want to discuss
your programs capabilities, which are not all that impressive. That
said, I'm sure some people can use your program to help them clean
their system. I just don't see a commercial use for it in its present
state of development.
 >> Stay informed about: How BugHunter Works; for those interested. 

Andy Walker wrote:
> Dustin Cook wrote:
>
>> BugHunter is not the only program which can be defeated using the tricks
>> Andy specified.
>
> And there are many programs that aren't as easy to defeat. I don't
> need a lesson from any of you on how to defeat anti-malware programs.

you seem to have an agenda here... the weakness you pointed out is
shared by most anti-malware programs... only behaviour-based detectors
would be resistant to it...

> I was just asking the question because you seemed to want to discuss
> your programs capabilities, which are not all that impressive.

compared to those that have tens or hundreds of thousands of man-hours
worth of development in them, i suppose not...

> That
> said, I'm sure some people can use your program to help them clean
> their system. I just don't see a commercial use for it in its present
> state of development.

then it's a good thing it's free...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
 >> Stay informed about: How BugHunter Works; for those interested. 

Andy Walker <awalker.RemoveThis@nspank.invalid> wrote in news:46b61682.17853734
@news.webtv.com:

> Dustin Cook wrote:
>
>>BugHunter is not the only program which can be defeated using the
tricks
>>Andy specified.
>
> And there are many programs that aren't as easy to defeat. I don't
> need a lesson from any of you on how to defeat anti-malware programs.


Well, Andy, I wasn't trying to give you a lesson. So I suppose it's great
that you don't need one. As far as easy to beat is concerned, Any program
can be beaten, and none of them are immune from a targetted attack. I of
all people should know, I used to write such junk.

BugHunter isn't any harder/easier to evade than spybot, adaware and
various other programs are. The fact you think they are somehow magically
immune from what you propose for an attack only shows how ignorant you
actually are on the subject, so maybe you do need a lesson or two after
all.

> I was just asking the question because you seemed to want to discuss
> your programs capabilities, which are not all that impressive. That

My program doesn't have any less/more capabilities than most other file
based removal tools. It targets known files and lets you remove them if
you'd like. That's all I've said it does, and that's exactly what it
does. Whether or not this impresses you really doesn't concern me.

And despite what you might think, it does a reasonably well job of it
too! And you don't have to take my word for it.

> said, I'm sure some people can use your program to help them clean
> their system. I just don't see a commercial use for it in its present
> state of development.

I know for a fact it's used to clean systems. In commercial and non
commercial environments. People more knowledgable than yourself on the
subject don't seem to share your opinions.


Did you think I was trying to advertise it or something? Do you think I
wrote BugHunter to make money? If so, heres a short history lesson for
you. BugHunter was released almost 3 years ago for general use, In that
time, for the last 3 months a donate button has appeared on my site.
Obviously, money isn't the goal and never was. BugHunter doesn't mention
ANY donation options, doesn't beg you for anything, doesn't suggest or
otherwise mention paying for it. It's a completely free program which I
and many others think serves a useful purpose.

I'll take your opinions under consideration.



--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: bughunter.dustin.RemoveThis@gmail.com.removethis
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
 >> Stay informed about: How BugHunter Works; for those interested. 

Dustin Cook wrote:

>I'll take your opinions under consideration.

I doubt very much that your arrogance would allow that.

Back to the bozo bin you go.
 >> Stay informed about: How BugHunter Works; for those interested. 

Andy Walker <awalker RemoveThis @nspank.invalid> wrote in news:46b620f0.20523234
@news.webtv.com:

> Dustin Cook wrote:
>
>>I'll take your opinions under consideration.
>
> I doubt very much that your arrogance would allow that.

I didn't think this was really about BugHunter...

> Back to the bozo bin you go.

I'm not insulted in the least Andy. Thanks.




--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: bughunter.dustin RemoveThis @gmail.com.removethis
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
 >> Stay informed about: How BugHunter Works; for those interested.