System Calls...
perumal316...
Posted: Thu Jan 07, 2010 6:57 pm
 
Hi,

Is there any way by which I can tell whether an application is malicious
or not by looking at the system calls made by the application?

Thanks In Advance,
Perumal
 
Wanna-Be Sys Admin...
Posted: Fri Jan 08, 2010 12:41 am
 
perumal316 wrote:

Quote:
Hi,

Is there any way by which I can tell whether an application is malicious
or not by looking at the system calls made by the application?

Thanks In Advance,
Perumal

You can't know for sure, but usually you'd know by the location,
filename and what strings outputs, as well as what calls it's making
(assuming it's compiled), so it just depends, so yes and no. Pretty
much anything suspicious can easily be found out if it's legitimate or
not. If you own it or uploaded it, or if it's on a system with a user
you need to ask what it's doing and ensure they knew about it and see
if it's doing what it should or more than it should.
--
Not really a wanna-be, but I don't know everything.
 
Marc Stan...
Posted: Sat Jan 30, 2010 6:31 am
 
Quote:
Hi,

Is there any way by which I can tell whether an application is malicious
or not by looking at the system calls made by the application?

Thanks In Advance,
Perumal
If I've understood your question, there exists a project called REMUS hosted
on SourceForge; it monitors system calls made by 'dangerous' processes such
as daemons and, according to a database of 'good behaviours'
(i.e. the right parameters in syscalls, etc. etc.), tells you whether a call is
malicious or not. Unfortunately it works only with the 2.4 kernel... but if you
like you can always make a port.
Hope this helped you.
Marc Stan
 
Karthik Balaguru...
Posted: Fri Mar 12, 2010 5:55 pm
 
On Jan 30, 9:31 pm, Marc Stan <marcellow... at (no spam) gmail.com> wrote:
Quote:
Hi,

Is there any way by which I can tell whether an application is malicious
or not by looking at the system calls made by the application?

Thanks In Advance,
Perumal

If I've understood your question, there exists a project called REMUS hosted
on SourceForge; it monitors system calls made by 'dangerous' processes such
as daemons and, according to a database of 'good behaviours'
(i.e. the right parameters in syscalls, etc. etc.), tells you whether a call is
malicious or not. Unfortunately it works only with the 2.4 kernel... but if you
like you can always make a port.

Coool! That's great :)
I have been looking for a similar tool but for the 2.6 kernel.
But, won't any open source virus scanner tools use this
trick too, apart from other scanning tricks, to contain
a few malicious applications that make malicious calls?
Is it not useful for a virus scanner to use this methodology?

Thx,
Karthik Balaguru
 
Bill Marcum...
Posted: Sat Mar 13, 2010 1:51 am
 
On 2010-03-13, Karthik Balaguru <karthikbalaguru79 at (no spam) gmail.com> wrote:
Quote:
Coool! That's great :)
I have been looking for a similar tool but for the 2.6 kernel.
But, won't any open source virus scanner tools use this
trick too, apart from other scanning tricks, to contain
a few malicious applications that make malicious calls?
Is it not useful for a virus scanner to use this methodology?

Thx,
Karthik Balaguru

Most virus scanners that run under Linux are used to scan for viruses that
attack Windows.
 
...
Posted: Sat Mar 13, 2010 6:35 pm
 
And verily, didst Karthik Balaguru <karthikbalaguru79 at (no spam) gmail.com> hastily babble thusly:
Quote:
[Karthik Balaguru]
So, does it imply that the virus scanners check for
malicious system calls from malicious applications
in Windows? Are there any open-source implementations
of those virus scanners that check for malicious
system calls from certain applications in Windows?

No, it means the virus scanners don't scan running processes.
They scan files on hard disk and in e-mails/other network-related stuff that
are destined for transfer to Windows-based networks/machines... and then
quarantine anything that matches a virus profile.

--
| spike1 at (no spam) freenet.co.uk | "I'm alive!!! I can touch! I can taste! |
| Andrew Halliwell BSc | I can SMELL!!! KRYTEN!!! Unpack Rachel and |
| in | get out the puncture repair kit!" |
| Computer Science | Arnold Judas Rimmer- Red Dwarf |
 
David H. Lipman...
Posted: Sat Mar 13, 2010 8:08 pm
 
From: <spike1 at (no spam) freenet.co.uk>

| And verily, didst Karthik Balaguru <karthikbalaguru79 at (no spam) gmail.com> hastily babble thusly:
Quote:
[Karthik Balaguru]
So, does it imply that the virus scanners check for
malicious system calls from malicious applications
in Windows? Are there any open-source implementations
of those virus scanners that check for malicious
system calls from certain applications in Windows?

| No, it means the virus scanners don't scan running processes.
| They scan files on hard disk and in e-mails/other network-related stuff that
| are destined for transfer to Windows-based networks/machines... and then
| quarantine anything that matches a virus profile.

McAfee scans running processes.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Karthik Balaguru...
Posted: Sun Mar 14, 2010 3:57 am
 
On Mar 14, 6:08 am, "David H. Lipman" <DLipman~nosp... at (no spam) Verizon.Net>
wrote:
Quote:
From: <spi... at (no spam) freenet.co.uk

| And verily, didst Karthik Balaguru <karthikbalagur... at (no spam) gmail.com> hastily babble thusly:

[Karthik Balaguru]
So, does it imply that the virus scanners check for
malicious system calls from malicious applications
in Windows? Are there any open-source implementations
of those virus scanners that check for malicious
system calls from certain applications in Windows?

| No, it means the virus scanners don't scan running processes.
| They scan files on hard disk and in e-mails/other network-related stuff that
| are destined for transfer to Windows-based networks/machines... and then
| quarantine anything that matches a virus profile.

McAfee scans running processes.


Interesting. So, does McAfee also check for malicious calls from
malicious applications?

But, I think McAfee is not open-source software. So,
any other open source virus scanner that supports the
feature of checking the malicious calls from malicious
applications?

Thx in advance,
Karthik Balaguru
 
David H. Lipman...
Posted: Sun Mar 14, 2010 10:28 am
 
From: "Karthik Balaguru" <karthikbalaguru79 at (no spam) gmail.com>

| On Mar 14, 6:08 am, "David H. Lipman" <DLipman~nosp... at (no spam) Verizon.Net>
| wrote:
Quote:
From: <spi... at (no spam) freenet.co.uk

| And verily, didst Karthik Balaguru <karthikbalagur... at (no spam) gmail.com> hastily babble
thusly:

[Karthik Balaguru]
So, does it imply that the virus scanners check for
malicious system calls from malicious applications
in Windows? Are there any open-source implementations
of those virus scanners that check for malicious
system calls from certain applications in Windows?

| No, it means the virus scanners don't scan running processes.
| They scan files on hard disk and in e-mails/other network-related stuff that
| are destined for transfer to Windows-based networks/machines... and then
| quarantine anything that matches a virus profile.

McAfee scans running processes.


| Interesting. So, does McAfee also check for malicious calls from
| malicious applications?

| But, I think McAfee is not open-source software. So,
| any other open source virus scanner that supports the
| feature of checking the malicious calls from malicious
| applications?

| Thx in advance,
| Karthik Balaguru


Define: "malicious calls"

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Matt Giwer...
Posted: Mon Mar 15, 2010 12:43 am
 
On 03/14/2010 09:57 AM, Karthik Balaguru wrote:
Quote:
On Mar 14, 6:08 am, "David H. Lipman"<DLipman~nosp... at (no spam) Verizon.Net
wrote:
From:<spi... at (no spam) freenet.co.uk
| And verily, didst Karthik Balaguru<karthikbalagur... at (no spam) gmail.com> hastily babble thusly:
[Karthik Balaguru]
So, does it imply that the virus scanners check for
malicious system calls from malicious applications
in Windows? Are there any open-source implementations
of those virus scanners that check for malicious
system calls from certain applications in Windows?
| No, it means the virus scanners don't scan running processes.
| They scan files on hard disk and in e-mails/other network-related stuff that
| are destined for transfer to Windows-based networks/machines... and then
| quarantine anything that matches a virus profile.

McAfee scans running processes.

Interesting. So, does McAfee also check for malicious calls from
malicious applications?

But, I think McAfee is not open-source software. So,
any other open source virus scanner that supports the
feature of checking the malicious calls from malicious
applications?

Last I heard, McAfee looks at discovered viruses, finds patterns in them and
then scans for that pattern. This works as, once a new nasty exploit is
discovered, it spreads with minor changes around the core exploit, like which IP
to go to for instructions.

I have not heard of anyone being able to predetermine what to scan for in
applications as something one does not want. Were that the case, all
formatting programs would be trojans and all updating software would be making
unauthorized calls to MS or yum repositories.

--
Before the Gaza massacre Israel was given the benefit of the doubt.
With Gaza Israel removed all doubt.
-- The Iron Webmaster, 4237
http://www.giwersworld.org/antisem/ Antisemitism a10
Mon Mar 15 02:37:47 EDT 2010
 
FromTheRafters...
Posted: Mon Mar 15, 2010 6:01 am
 
"Karthik Balaguru" <karthikbalaguru79 at (no spam) gmail.com> wrote in message
news:4ddd456e-dd1c-4e5c-8d14-6a1d2dbf3f6b at (no spam) l12g2000prg.googlegroups.com...
On Mar 14, 6:08 am, "David H. Lipman" <DLipman~nosp... at (no spam) Verizon.Net>
wrote:
Quote:
From: <spi... at (no spam) freenet.co.uk

| And verily, didst Karthik Balaguru <karthikbalagur... at (no spam) gmail.com
hastily babble thusly:

[Karthik Balaguru]
So, does it imply that the virus scanners check for
malicious system calls from malicious applications
in Windows? Are there any open-source implementations
of those virus scanners that check for malicious
system calls from certain applications in Windows?

| No, it means the virus scanners don't scan running processes.
| They scan files on hard disk and in e-mails/other network-related stuff that
| are destined for transfer to Windows-based networks/machines... and then
| quarantine anything that matches a virus profile.

McAfee scans running processes.


Interesting. So, does McAfee also check for malicious calls from
malicious applications?

But, I think McAfee is not open-source software. So,
any other open source virus scanner that supports the
feature of checking the malicious calls from malicious
applications?

Readers of this thread might also find this interesting:
http://vx.netlux.org/lib/afc08.html
 
FromTheRafters...
Posted: Tue Mar 16, 2010 6:09 am
 
"Karthik Balaguru" <karthikbalaguru79 at (no spam) gmail.com> wrote in message
news:29fb3a70-3eae-4d12-ab20-dbc3b0f4a201 at (no spam) b36g2000pri.googlegroups.com...

I think REMUS (a kernel module for Linux) helps in the identification of
incorrect parameters and access rights by interaction with the
Access Control Database managed by the sysctl command,
but I'm not sure if it would help in identifying whether the system
calls have been tweaked.

***
It looks for suspicious activity regarding programs using legitimate
calls in a suspicious (possibly malicious) manner. Some attack patterns
are known to use certain combinations of calls, any program using that
certain combination of calls will be suspect. The calls themselves are
not malicious. See
http://www.pdf-tube.com/download/ebook/REMUS:%20A%20Security-Enhanced%20Operating%20System/aHR0cDovL3d3dy5kc2kudW5pcm9tYTEuaXQvU2ljdXJlenphL2RvYy9yZW11cy5wZGY
***
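To make the two ideas in this thread concrete (REMUS's database of acceptable syscall parameters, and the point just above that known attack patterns show up as unusual combinations of otherwise legitimate calls), here is a small checker written for this page. It is example code, not REMUS's code and not from any poster. The program name mydaemon, its policy and every trace line are constructed in the style of strace output. The sequence check is the classic short-sequence (n-gram) profiling approach: any window of calls the profile never saw during normal runs is reported as suspect, not as proof of malice, which is exactly the distinction drawn above.

```python
"""Constructed example: two complementary syscall checks on strace-style traces.

  1. A per-program policy that rejects unexpected syscall parameters
     (in the spirit of a 'database of good behaviours').
  2. A profile of normal syscall n-grams; windows never seen during normal
     runs are reported as suspect ('certain combinations of calls').

The program name, the policy and all trace lines are constructed for this example.
"""
import re
from typing import Callable, Iterable, List, Optional, Set, Tuple

# One strace-style line has the shape:  name(args) = retval [errno text]
SYSCALL_RE = re.compile(r"^(\w+)\((.*)\)\s*=\s*(-?\w+)")

Call = Tuple[str, str]                       # (syscall name, raw argument text)
Policy = Callable[[str, str], Optional[str]]  # returns a reason when a call is rejected


def parse_trace(lines: Iterable[str]) -> List[Call]:
    """Extract (name, args) from strace-style lines; lines that don't match are skipped."""
    calls = []
    for line in lines:
        m = SYSCALL_RE.match(line.strip())
        if m:
            calls.append((m.group(1), m.group(2)))
    return calls


def first_arg(args: str) -> str:
    """First comma-separated argument with surrounding quotes removed."""
    return args.split(",", 1)[0].strip().strip('"')


def ngrams(names: List[str], n: int) -> List[Tuple[str, ...]]:
    """Sliding windows of n consecutive syscall names."""
    return [tuple(names[i:i + n]) for i in range(len(names) - n + 1)]


def build_profile(normal_traces: Iterable[List[Call]], n: int = 3) -> Set[Tuple[str, ...]]:
    """Every syscall n-gram observed while the program behaved normally."""
    profile: Set[Tuple[str, ...]] = set()
    for calls in normal_traces:
        profile.update(ngrams([name for name, _ in calls], n))
    return profile


def unseen_sequences(profile: Set[Tuple[str, ...]], calls: List[Call], n: int = 3):
    """n-grams in this trace that never occurred during profiling (suspect, not proof)."""
    return [g for g in ngrams([name for name, _ in calls], n) if g not in profile]


def policy_violations(calls: List[Call], policy: Policy) -> List[Tuple[str, str, str]]:
    """Calls whose parameters the per-program policy rejects, with the reason."""
    found = []
    for name, args in calls:
        reason = policy(name, args)
        if reason is not None:
            found.append((name, args, reason))
    return found


def mydaemon_policy(name: str, args: str) -> Optional[str]:
    """Constructed policy for a hypothetical 'mydaemon': it may read its own
    config file, accept connections and append to its log; nothing else."""
    if name == "open":
        path = first_arg(args)
        if path != "/etc/mydaemon.conf" and not path.startswith("/var/log/"):
            return "open of unexpected path " + path
    if name in ("execve", "connect"):
        return name + " is outside the daemon's expected behaviour"
    return None


# Constructed traces in strace's output style (not captured from a real system).
TRACE_NORMAL_1 = r"""
open("/etc/mydaemon.conf", O_RDONLY) = 3
read(3, "listen=8080\n", 4096) = 12
close(3) = 0
socket(AF_INET, SOCK_STREAM, 0) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(8080)}, 16) = 0
listen(4, 128) = 0
accept(4, {sa_family=AF_INET, sin_port=htons(51234)}, [16]) = 5
read(5, "GET / HTTP/1.0\r\n", 1024) = 16
open("/var/log/mydaemon.log", O_WRONLY|O_APPEND) = 6
write(6, "request served\n", 15) = 15
close(6) = 0
close(5) = 0
""".strip().splitlines()

# A second normal run that serves two requests (the accept..close cycle repeats).
TRACE_NORMAL_2 = TRACE_NORMAL_1 + TRACE_NORMAL_1[6:]

# Same start-up, then the daemon reads a file it never touches and dials out.
TRACE_SUSPECT = TRACE_NORMAL_1[:7] + r"""
read(5, "unexpected request", 1024) = 18
open("/etc/shadow", O_RDONLY) = 6
read(6, "root:...", 4096) = 1180
socket(AF_INET, SOCK_STREAM, 0) = 7
connect(7, {sa_family=AF_INET, sin_port=htons(9999)}, 16) = 0
write(7, "root:...", 1180) = 1180
close(7) = 0
""".strip().splitlines()

PROFILE = build_profile([parse_trace(TRACE_NORMAL_1), parse_trace(TRACE_NORMAL_2)])


def analyse(lines: Iterable[str], profile, policy: Policy, n: int = 3) -> dict:
    """Summarise a trace: call count, unseen n-grams and policy violations."""
    calls = parse_trace(lines)
    return {"calls": len(calls),
            "unseen": unseen_sequences(profile, calls, n),
            "violations": policy_violations(calls, policy)}


if __name__ == "__main__":
    for label, trace in (("normal", TRACE_NORMAL_2), ("suspect", TRACE_SUSPECT)):
        r = analyse(trace, PROFILE, mydaemon_policy)
        print(f"{label}: {r['calls']} calls, {len(r['unseen'])} unseen sequences, "
              f"{len(r['violations'])} policy violations")
        for name, args, reason in r["violations"]:
            print(f"  {name}({args}): {reason}")
```

Run it directly to see the summary for both traces: the normal run produces no findings, the suspect run is caught twice over, by the parameter policy (the open of /etc/shadow and the outbound connect) and by the sequence profile (five trigrams the daemon never produced when behaving normally). The profile is only as good as the normal runs it was built from; a code path that was never exercised during profiling (a log rotation, a rarely used request type) shows up as unseen sequences too, which is the false-positive problem Matt Giwer raises above about formatting programs and updaters looking like trojans.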
 
David H. Lipman...
Posted: Tue Mar 16, 2010 3:10 pm
 
From: <spike1 at (no spam) freenet.co.uk>


Quote:
McAfee scans running processes.

| McAfee runs on Linux now?

http://www.mcafee.com/us/enterprise/products/system_security/servers/linuxshield.html


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
Karthik Balaguru...
Posted: Wed Mar 17, 2010 3:27 pm
 
On Mar 17, 2:10 am, "David H. Lipman" <DLipman~nosp... at (no spam) Verizon.Net>
wrote:
Quote:
From: <spi... at (no spam) freenet.co.uk

McAfee scans running processes.

| McAfee runs on Linux now?

http://www.mcafee.com/us/enterprise/products/system_security/servers/...


But, it is not open source :-(

Karthik Balaguru
 
FromTheRafters...
Posted: Wed Mar 17, 2010 8:02 pm
 
"Karthik Balaguru" <karthikbalaguru79 at (no spam) gmail.com> wrote in message
news:8c6fb9df-042a-42b4-90f0-1a69d909700b at (no spam) h35g2000pri.googlegroups.com...
On Mar 17, 6:46 am, "FromTheRafters" <erra... at (no spam) nomail.afraid.org>
wrote:

Quote:
***
It might be worth pondering that viruses, in particular, don't generally
need to exploit software flaws. REMUS seems to be a good enhancement for
the OS, but AV has (or had) a different goal.
***

Interesting to know that generally viruses do not exploit this flaw.

***
Or rather, that they don't *need* to exploit *any* flaw. REMUS helps
protect the OS from privilege escalation attacks against software flaws.
***
 
 