Vlad

Tesla - a Universal Malware Repository Scanner



I have been in the cybersecurity industry for about 4 years now, and one thing I have seen over and over is that even with every antimalware tool in place, malicious files still get into a system without it knowing it has been infiltrated. The system's 'antibody' is nowhere to be seen. What could be the reason for this?


a. The AV on the host does not have the signature to detect the malware as malicious.

b. The AV signature database is not updated.

c. And last but obviously not the least, the presence of a 0-day exploit.


Two of those three reasons have something in common: the word 'signature'. An AV has its own repository of hashes known to be malicious, and it typically scans for any possible threat dropped on the host. As it scans, it checks whether the binary's hash (or whatever other indicator it uses) is in its malware database. If the scanned file is in its malware repository, the file is considered malicious; if not, the file is treated as safe/clean. But as I've mentioned, each AV has its own repository. This means each vendor has its own signatures, its own point of view on a given binary. With that in mind, we are in a dilemma! With the AV we have, whether a file is identified as malware depends only on the malware database that particular antimalware product has.



VirusTotal has done a great job of being the central repository of malware signatures for the majority of malware detection engines. I have been using the site for years, and some portions of my malware hunts and investigations came from it. The detection ratio for a given suspicious file, the file's features and additional info about it, plus the community's comments about the detection, have all served me well. BUT what about the engines that do not detect it?


Let's take as an instance the detected file below:


The file maliciousdoc1.doc, a malware sample that is 90% likely to have come from a phishing mail, has a detection ratio of only 2/55! Seriously, two out of 55?! What happened to the other 53 engines? What if the engine you're using belongs to those 53? Your host is now surely compromised, my fella!


What if there were an engine or scanner that could solve this problem? A scanner that scans on the host but is based on a repository like VirusTotal's. That gave me the idea to build one. I developed a lightweight scanner that does exactly that.


Gentlemen, I introduce you to Tesla!


Features


> Interface - I have patterned the interface on Spyder, my threat intel application. It is a command-line interface, where I have assigned commands to assist you with each of the functionalities.



> The virus repository is based on virusshare.com, a repository of malware samples that provides security researchers, incident responders, forensic analysts, and the morbidly curious with access to samples of live malicious code. Signatures are kept updated every second, as long as Tesla is running in the background.



> Can perform scheduled scans on a chosen location or the entire host.




> Users are prompted to update the AV host's database; the user updates the repository by going to Settings, then Update.




> The application can run offline, so you can still scan the entire host even without internet access.


> Once a file is validated as malicious, it is deleted.
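To make the hash matching that Tesla's scan is built on concrete, here is a small Python scanner added to this post (it is not Tesla's own code): it loads a one-hash-per-line list in the style VirusShare publishes, hashes every file under a directory in chunks, and reports the files whose digest is in the list. The list format, the MD5 default and the demo() target are assumptions; reporting matches rather than deleting them is where a cautious operator would start.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def load_repository(text):
    """Parse a one-hash-per-line list into lowercase hex digests; '#' comments and blanks ignored."""
    repo = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            repo.add(line)
    return repo

def hash_bytes(data, algo="md5"):
    """Digest of an in-memory blob (MD5 by default, the assumed format of the published list)."""
    return hashlib.new(algo, data).hexdigest()

def hash_file(path, algo="md5"):
    """Digest of a file on disk, read in 1 MiB chunks so a large binary never sits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_tree(root, repo, algo="md5"):
    """Walk a directory tree; return [(path, digest)] for every file whose digest is in repo.
    A file that vanishes or cannot be read mid-scan is skipped instead of aborting the run."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = hash_file(p, algo)
            except OSError:
                continue
            if digest in repo:
                hits.append((p, digest))
    return hits

def demo():
    """Constructed scan target and constructed hash list (no real malware involved)."""
    root = tempfile.mkdtemp()
    bad = Path(root) / "docs" / "maliciousdoc1.doc"
    bad.parent.mkdir()
    bad.write_bytes(b"CONSTRUCTED SAMPLE standing in for a known-bad document\n")
    (Path(root) / "notes.txt").write_text("benign text\n")
    repo = load_repository("# constructed hash list\n" + hash_file(bad) + "\n")
    return sorted(Path(p).relative_to(root).as_posix() for p, _ in scan_tree(root, repo))
```

Because the list is held locally, the scan works with no network connection; refreshing the list is what needs connectivity.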


I am going to cut the discussion here. In my next post I'll provide a walkthrough and show some of the features of what this application can do.


Bye for now, and enjoy your day! =)


<krontek>exit
