
Suggestion: Unix Dr.web Products Should Look For Unix Exploits


8 replies in this topic

#1 kallisti5

kallisti5

    Newbie

  • Posters
  • 8 posts

Posted 21 September 2010 - 18:25

There are quite a few Linux / UNIX exploits and rootkits out there, it would be nice if Dr.Web searched for these.

Examples:

http://seclists.org/fulldisclosure/2010/Sep/268 (the recent 64-bit/32-bit Linux kernel exploit) (tested, not picked up by Dr.Web)

http://www.rootkit.nl/projects/rootkit_hunter.html (rootkit detection)

http://www.chkrootkit.org/ (rootkit detection)


If these features were introduced I would definitely buy a license.

Thanks!

Edited by kallisti5: 21 September 2010 - 18:29


#2 v.martyanov

v.martyanov

    Guru

  • Virus Analysts
  • 8,308 posts

Posted 21 September 2010 - 18:34

Did you test the page http://seclists.org/fulldisclosure/2010/Sep/268 or a compiled exploit?

Personal site about Encoders - http://vmartyanov.ru/


#3 kallisti5

kallisti5

    Newbie

  • Posters
  • 8 posts

Posted 21 September 2010 - 18:36

> Did you test the page http://seclists.org/fulldisclosure/2010/Sep/268 or a compiled exploit?


I compiled the C on a 32-bit machine via gcc and moved it over to a 64-bit system.

Neither the C sources nor the binary were picked up.

#4 v.martyanov

v.martyanov

    Guru

  • Virus Analysts
  • 8,308 posts

Posted 21 September 2010 - 18:37

Do you know that on another PC with another compiler you'll get a different binary file?

Personal site about Encoders - http://vmartyanov.ru/


#5 kallisti5

kallisti5

    Newbie

  • Posters
  • 8 posts

Posted 21 September 2010 - 18:43

> Do you know that on another PC with another compiler you'll get a different binary file?


I compiled it on another 32-bit system at work and Dr.Web didn't pick it up either. I tried scanning the 32-bit compiled binary on a 32-bit and a 64-bit Dr.Web install without success (well, without detection).


alex@A02:~/Downloads$ gcc abftw.c -o abftw.bin
alex@A02:~/Downloads$ md5sum abftw.bin
74043168bfa8892cb7493fd120e4ddb9 abftw.bin
alex@A02:~/Downloads$ file abftw.bin
abftw.bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped

alex@A02:~/Downloads$ drweb abftw.*
Dr.Web ® Scanner for Linux v6.0.0.0
Copyright © Igor Daniloff, 1992-2009
Doctor Web, Moscow, Russia
Support service: http://support.drweb.com
To purchase: http://buy.drweb.com
Report dated 2010-09-21, 10:43:52
Command line: abftw.bin abftw.c
Shell version: 5.0.0.02020 <API:2.2>
Engine version: 5.0.1.12222 <API:2.2>
Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 3805
Loading /var/drweb/bases/drwdaily.vdb - Ok, virus records: 9806
Loading /var/drweb/bases/drw50016.vdb - Ok, virus records: 16298
Loading /var/drweb/bases/drw50015.vdb - Ok, virus records: 19357
Loading /var/drweb/bases/drw50014.vdb - Ok, virus records: 18381
Loading /var/drweb/bases/drw50013.vdb - Ok, virus records: 19562
Loading /var/drweb/bases/drw50012.vdb - Ok, virus records: 27102
Loading /var/drweb/bases/drw50011.vdb - Ok, virus records: 21223
Loading /var/drweb/bases/drw50010.vdb - Ok, virus records: 26228
Loading /var/drweb/bases/drw50009.vdb - Ok, virus records: 23251
Loading /var/drweb/bases/drw50008.vdb - Ok, virus records: 14982
Loading /var/drweb/bases/drw50007.vdb - Ok, virus records: 17748
Loading /var/drweb/bases/drw50006.vdb - Ok, virus records: 18725
Loading /var/drweb/bases/drw50005.vdb - Ok, virus records: 18429
Loading /var/drweb/bases/drw50004.vdb - Ok, virus records: 872
Loading /var/drweb/bases/drw50003.vdb - Ok, virus records: 142240
Loading /var/drweb/bases/drw50002.vdb - Ok, virus records: 66726
Loading /var/drweb/bases/drw50001.vdb - Ok, virus records: 24512
Loading /var/drweb/bases/drw50000.vdb - Ok, virus records: 82762
Loading /var/drweb/bases/drwebase.vdb - Ok, virus records: 514157
Loading /var/drweb/bases/dwrtoday.vdb - Ok, virus records: 882
Loading /var/drweb/bases/dwr50003.vdb - Ok, virus records: 2091
Loading /var/drweb/bases/dwr50002.vdb - Ok, virus records: 1569
Loading /var/drweb/bases/dwr50001.vdb - Ok, virus records: 1834
Loading /var/drweb/bases/dwntoday.vdb - Ok, virus records: 908
Loading /var/drweb/bases/dwn50007.vdb - Ok, virus records: 2312
Loading /var/drweb/bases/dwn50006.vdb - Ok, virus records: 3006
Loading /var/drweb/bases/dwn50005.vdb - Ok, virus records: 2146
Loading /var/drweb/bases/dwn50004.vdb - Ok, virus records: 1714
Loading /var/drweb/bases/dwn50003.vdb - Ok, virus records: 2095
Loading /var/drweb/bases/dwn50002.vdb - Ok, virus records: 2715
Loading /var/drweb/bases/dwn50001.vdb - Ok, virus records: 2545
Loading /var/drweb/bases/dwn50000.vdb - Ok, virus records: 2801
Loading /var/drweb/bases/drwrisky.vdb - Ok, virus records: 6197
Loading /var/drweb/bases/drwnasty.vdb - Ok, virus records: 28348
Total virus records: 1147329
Key file: /opt/drweb/drweb32.key
License key number: XXXX
License key activates: 2010-09-20
License key expires: 2010-10-20
/home/alex/Downloads/abftw.bin - Ok
/home/alex/Downloads/abftw.c - Ok
Scan report for: abftw.bin abftw.c
Scanned: 2 Cured: 0
Infected: 0 Deleted: 0
Modifications: 0 Renamed: 0
Suspicious: 0 Moved: 0
Adware: 0 Ignored: 0
Dialer: 0
Joke: 0 Scan time: 0:00:00
Riskware: 0 Scan speed: 45 Kb/s
Hacktool: 0 Scan speed: 45 Kb/s
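
The point v.martyanov raises above, that compiling the same source on another PC with another compiler yields a different binary, is exactly why a signature taken from one build (the md5sum shown in this post, for instance) does not catch the next build. The following Python script is an added illustration, not code from Dr.Web or from anyone in this thread: it contrasts an exact-hash signature with a signature on the string literals a program carries. The two "builds" are constructed byte blobs with invented marker strings, not ELF files and not the binaries discussed here.

```python
import hashlib
import re


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pat.finditer(data)]


def md5_hex(data: bytes) -> str:
    """Hash used only as a file identity, the way md5sum was used in the thread."""
    return hashlib.md5(data).hexdigest()


def hash_signature_match(data: bytes, known_hashes: set) -> bool:
    """Exact-hash signature: matches only the very sample the hash was taken from."""
    return md5_hex(data) in known_hashes


def string_signature_match(data: bytes, required: list) -> bool:
    """Content signature: match when every required marker string is present.

    String literals (usage banners, error messages) survive a recompile on
    another machine, whereas the surrounding code bytes and the file hash do not.
    """
    found = set(extract_strings(data))
    return all(marker in found for marker in required)


# Constructed stand-ins for two builds of the same source on two machines:
# identical string literals embedded in different code bytes. These are not
# ELF files and not the binaries from the thread; the marker strings are invented.
BUILD_A = (b"\x7fELF\x01\x01\x01" + b"\x55\x89\xe5\x83\xec\x10" * 8
           + b"\x00example-demo: usage: %s <target>\x00" + b"\x90\x90\xc3" * 5
           + b"\x00demo marker: could not open device\x00" + b"\xcc" * 12)
BUILD_B = (b"\x7fELF\x01\x01\x01" + b"\x48\x83\xec\x08\x48\x8b" * 9
           + b"\x00example-demo: usage: %s <target>\x00" + b"\x66\x90" * 7
           + b"\x00demo marker: could not open device\x00" + b"\x00" * 20)

MARKERS = ["example-demo: usage: %s <target>", "demo marker: could not open device"]


def compare_signature_strategies(hashed_build: bytes, candidate: bytes) -> dict:
    """Take an MD5 from one build and see which strategy still flags the other."""
    known = {md5_hex(hashed_build)}
    return {
        "same_hash": md5_hex(hashed_build) == md5_hex(candidate),
        "hash_match": hash_signature_match(candidate, known),
        "string_match": string_signature_match(candidate, MARKERS),
    }


if __name__ == "__main__":
    # Expected: same_hash False, hash_match False, string_match True
    print(compare_signature_strategies(BUILD_A, BUILD_B))
```

Running it shows the hash of build A is useless against build B while the string signature still fires. Real scanners use far more than fixed strings (code patterns, emulation, heuristics), but the asymmetry is the same: a verdict on one compiled sample says nothing about what a different toolchain will produce, so a miss on a freshly compiled file is not by itself evidence that the family is unknown to the engine.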

#6 pig

pig

    Nonsense generator

  • Helpers
  • 10,855 posts

Posted 21 September 2010 - 18:57

You should obtain actual virus definition bases first.
The Eserv mail server also works with Dr.Web

#7 kallisti5

kallisti5

    Newbie

  • Posters
  • 8 posts

Posted 21 September 2010 - 19:12

> You should obtain actual virus definition bases first.


Do what now?

#8 pig

pig

    Nonsense generator

  • Helpers
  • 10,855 posts

Posted 21 September 2010 - 19:20

Run update.pl? Sorry, I don't know what kind of Dr.Web product you use. I can only see an old virus-finding engine and very old (around March 15) bases.
The Eserv mail server also works with Dr.Web

#9 kallisti5

kallisti5

    Newbie

  • Posters
  • 8 posts

Posted 22 September 2010 - 00:39

> Run update.pl? Sorry, I don't know what kind of Dr.Web product you use. I can only see an old virus-finding engine and very old (around March 15) bases.


Ran update.pl; the engine is a little newer, same result however...

alex@A02:/opt/drweb$ sudo /opt/drweb/update.pl
alex@A02:/opt/drweb$ echo $?
0


alex@A02:/opt/drweb$ ./drweb ~/Downloads/abftw.*
Dr.Web ® Scanner for Linux v6.0.0.0
Copyright © Igor Daniloff, 1992-2009
Doctor Web, Moscow, Russia
Support service: http://support.drweb.com
To purchase: http://buy.drweb.com
Report dated 2010-09-21, 16:36:28
Command line: /home/alex/Downloads/abftw.bin /home/alex/Downloads/abftw.c
Shell version: 5.0.0.02020 <API:2.2>
Engine version: 5.0.2.3300 <API:2.2>
Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 343
Loading /var/drweb/bases/drwdaily.vdb - Ok, virus records: 2097
Loading /var/drweb/bases/drw50043.vdb - Ok, virus records: 8957
Loading /var/drweb/bases/drw50042.vdb - Ok, virus records: 11015
Loading /var/drweb/bases/drw50041.vdb - Ok, virus records: 11168
Loading /var/drweb/bases/drw50040.vdb - Ok, virus records: 7798
Loading /var/drweb/bases/drw50039.vdb - Ok, virus records: 7873
Loading /var/drweb/bases/drw50038.vdb - Ok, virus records: 6904
Loading /var/drweb/bases/drw50037.vdb - Ok, virus records: 6503
Loading /var/drweb/bases/drw50036.vdb - Ok, virus records: 9823
Loading /var/drweb/bases/drw50035.vdb - Ok, virus records: 7572
Loading /var/drweb/bases/drw50034.vdb - Ok, virus records: 6996
Loading /var/drweb/bases/drw50033.vdb - Ok, virus records: 16360
Loading /var/drweb/bases/drw50032.vdb - Ok, virus records: 29168
Loading /var/drweb/bases/drw50031.vdb - Ok, virus records: 34202
Loading /var/drweb/bases/drw50030.vdb - Ok, virus records: 28292
Loading /var/drweb/bases/drw50029.vdb - Ok, virus records: 27164
Loading /var/drweb/bases/drw50028.vdb - Ok, virus records: 25131
Loading /var/drweb/bases/drw50027.vdb - Ok, virus records: 31464
Loading /var/drweb/bases/drw50026.vdb - Ok, virus records: 18281
Loading /var/drweb/bases/drw50025.vdb - Ok, virus records: 18009
Loading /var/drweb/bases/drw50024.vdb - Ok, virus records: 24685
Loading /var/drweb/bases/drw50023.vdb - Ok, virus records: 13651
Loading /var/drweb/bases/drw50022.vdb - Ok, virus records: 16025
Loading /var/drweb/bases/drw50021.vdb - Ok, virus records: 15644
Loading /var/drweb/bases/drw50020.vdb - Ok, virus records: 23265
Loading /var/drweb/bases/drw50019.vdb - Ok, virus records: 23135
Loading /var/drweb/bases/drw50018.vdb - Ok, virus records: 20510
Loading /var/drweb/bases/drw50017.vdb - Ok, virus records: 25475
Loading /var/drweb/bases/drw50016.vdb - Ok, virus records: 16298
Loading /var/drweb/bases/drw50015.vdb - Ok, virus records: 19357
Loading /var/drweb/bases/drw50014.vdb - Ok, virus records: 18381
Loading /var/drweb/bases/drw50013.vdb - Ok, virus records: 19562
Loading /var/drweb/bases/drw50012.vdb - Ok, virus records: 27102
Loading /var/drweb/bases/drw50011.vdb - Ok, virus records: 21223
Loading /var/drweb/bases/drw50010.vdb - Ok, virus records: 24847
Loading /var/drweb/bases/drw50009.vdb - Ok, virus records: 23251
Loading /var/drweb/bases/drw50008.vdb - Ok, virus records: 14982
Loading /var/drweb/bases/drw50007.vdb - Ok, virus records: 16817
Loading /var/drweb/bases/drw50006.vdb - Ok, virus records: 18725
Loading /var/drweb/bases/drw50005.vdb - Ok, virus records: 18429
Loading /var/drweb/bases/drw50004.vdb - Ok, virus records: 6225
Loading /var/drweb/bases/drw50003.vdb - Ok, virus records: 142240
Loading /var/drweb/bases/drw50002.vdb - Ok, virus records: 66726
Loading /var/drweb/bases/drw50001.vdb - Ok, virus records: 24512
Loading /var/drweb/bases/drw50000.vdb - Ok, virus records: 82762
Loading /var/drweb/bases/drwebase.vdb - Ok, virus records: 508543
Loading /var/drweb/bases/dwrtoday.vdb - Ok, virus records: 1159
Loading /var/drweb/bases/dwr50008.vdb - Ok, virus records: 1959
Loading /var/drweb/bases/dwr50007.vdb - Ok, virus records: 2033
Loading /var/drweb/bases/dwr50006.vdb - Ok, virus records: 1812
Loading /var/drweb/bases/dwr50005.vdb - Ok, virus records: 1738
Loading /var/drweb/bases/dwr50004.vdb - Ok, virus records: 1885
Loading /var/drweb/bases/dwr50003.vdb - Ok, virus records: 2091
Loading /var/drweb/bases/dwr50002.vdb - Ok, virus records: 1569
Loading /var/drweb/bases/dwr50001.vdb - Ok, virus records: 1834
Loading /var/drweb/bases/dwntoday.vdb - Ok, virus records: 1028
Loading /var/drweb/bases/dwn50019.vdb - Ok, virus records: 1614
Loading /var/drweb/bases/dwn50018.vdb - Ok, virus records: 2297
Loading /var/drweb/bases/dwn50017.vdb - Ok, virus records: 2110
Loading /var/drweb/bases/dwn50016.vdb - Ok, virus records: 2007
Loading /var/drweb/bases/dwn50015.vdb - Ok, virus records: 2370
Loading /var/drweb/bases/dwn50014.vdb - Ok, virus records: 2241
Loading /var/drweb/bases/dwn50013.vdb - Ok, virus records: 2596
Loading /var/drweb/bases/dwn50012.vdb - Ok, virus records: 2024
Loading /var/drweb/bases/dwn50011.vdb - Ok, virus records: 1609
Loading /var/drweb/bases/dwn50010.vdb - Ok, virus records: 1471
Loading /var/drweb/bases/dwn50009.vdb - Ok, virus records: 1445
Loading /var/drweb/bases/dwn50008.vdb - Ok, virus records: 1895
Loading /var/drweb/bases/dwn50007.vdb - Ok, virus records: 2312
Loading /var/drweb/bases/dwn50006.vdb - Ok, virus records: 3006
Loading /var/drweb/bases/dwn50005.vdb - Ok, virus records: 2146
Loading /var/drweb/bases/dwn50004.vdb - Ok, virus records: 1714
Loading /var/drweb/bases/dwn50003.vdb - Ok, virus records: 2095
Loading /var/drweb/bases/dwn50002.vdb - Ok, virus records: 2715
Loading /var/drweb/bases/dwn50001.vdb - Ok, virus records: 2545
Loading /var/drweb/bases/dwn50000.vdb - Ok, virus records: 2801
Loading /var/drweb/bases/drwrisky.vdb - Ok, virus records: 6197
Loading /var/drweb/bases/drwnasty.vdb - Ok, virus records: 28348
Total virus records: 1642158
Key file: /opt/drweb/drweb32.key
License key number: XXXX
License key activates: 2010-09-20
License key expires: 2010-10-20
/home/alex/Downloads/abftw.bin - Ok
/home/alex/Downloads/abftw.c - Ok
Scan report for: /home/alex/Downloads/abftw.bin /home/alex/Downloads/abftw.c
Scanned: 2 Cured: 0
Infected: 0 Deleted: 0
Modifications: 0 Renamed: 0
Suspicious: 0 Moved: 0
Adware: 0 Ignored: 0
Dialer: 0
Joke: 0 Scan time: 0:00:00
Riskware: 0 Scan speed: 45 Kb/s
Hacktool: 0 Scan speed: 45 Kb/s
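
pig's advice, that a negative scan result only means something once the engine and bases are current, can be checked mechanically from the report text rather than by eyeballing the base numbers. The following Python parser is an added example, not Dr.Web's tooling: it reads trimmed excerpts of the two reports quoted in this thread (a few lines each, copied from the posts above) and reports whether the engine version, the newest drw500NN base and the record total moved after update.pl, and whether the verdict on the scanned files changed.

```python
import re

# Trimmed excerpts of the two drweb reports quoted in this thread, before and
# after update.pl. Only the lines the parser needs are kept.
REPORT_BEFORE_UPDATE = """\
Engine version: 5.0.1.12222 <API:2.2>
Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 3805
Loading /var/drweb/bases/drw50016.vdb - Ok, virus records: 16298
Loading /var/drweb/bases/drw50015.vdb - Ok, virus records: 19357
Total virus records: 1147329
/home/alex/Downloads/abftw.bin - Ok
Infected: 0 Deleted: 0
Suspicious: 0 Moved: 0
"""

REPORT_AFTER_UPDATE = """\
Engine version: 5.0.2.3300 <API:2.2>
Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 343
Loading /var/drweb/bases/drw50043.vdb - Ok, virus records: 8957
Loading /var/drweb/bases/drw50042.vdb - Ok, virus records: 11015
Total virus records: 1642158
/home/alex/Downloads/abftw.bin - Ok
Infected: 0 Deleted: 0
Suspicious: 0 Moved: 0
"""

_ENGINE_RE = re.compile(r"^Engine version:\s*(\S+)")
# Only the numbered main-base series drw500NN.vdb; drwtoday/drwdaily/drwebase
# and the dwr/dwn series are ignored for the "newest base" figure.
_BASE_RE = re.compile(r"^Loading \S*/drw(\d{5})\.vdb - Ok, virus records: (\d+)")
_TOTAL_RE = re.compile(r"^Total virus records:\s*(\d+)")
_COUNT_RE = re.compile(r"^(Infected|Suspicious):\s*(\d+)")


def version_tuple(version: str) -> tuple:
    """'5.0.2.3300' -> (5, 0, 2, 3300), so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_report(text: str) -> dict:
    """Pull scanner state and verdict counts out of a drweb report."""
    info = {"engine": None, "newest_base": None, "total_records": 0,
            "infected": 0, "suspicious": 0}
    for line in text.splitlines():
        m = _ENGINE_RE.match(line)
        if m:
            info["engine"] = m.group(1)
            continue
        m = _BASE_RE.match(line)
        if m:
            number = int(m.group(1))
            if info["newest_base"] is None or number > info["newest_base"]:
                info["newest_base"] = number
            continue
        m = _TOTAL_RE.match(line)
        if m:
            info["total_records"] = int(m.group(1))
            continue
        m = _COUNT_RE.match(line)
        if m:
            info[m.group(1).lower()] = int(m.group(2))
    return info


def assess_update(before: str, after: str) -> dict:
    """Did the update actually change the scanner, and did the verdict move?"""
    b, a = parse_report(before), parse_report(after)
    return {
        "engine_newer": version_tuple(a["engine"]) > version_tuple(b["engine"]),
        "bases_newer": a["newest_base"] > b["newest_base"],
        "records_added": a["total_records"] - b["total_records"],
        "verdict_changed": (a["infected"], a["suspicious"])
                           != (b["infected"], b["suspicious"]),
    }


if __name__ == "__main__":
    print(assess_update(REPORT_BEFORE_UPDATE, REPORT_AFTER_UPDATE))
```

On the thread's own numbers the engine moves from 5.0.1.12222 to 5.0.2.3300, the newest drw base from 50016 to 50043 and the record total up by 494,829, while the verdict stays at zero infected and zero suspicious. That is the useful split: the first three figures confirm the update took effect, so the unchanged verdict can then be reported as a genuine miss rather than a stale-bases artefact.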

