Wilders Security Forums  

#1
November 28th, 2011, 01:51 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Question about Mamutu

Quote:
Backdoor related behavior
Spyware related behavior
HiJacker related behavior
Worm related behavior
Dialer related behavior
Keylogger related behavior
Trojan Downloader related behavior
Injection of code into other programs
Manipulation of programs (patching)
Invisible installations of software
Invisible Rootkit processes
Installation of services and drivers
Creation of Autostart entries
Manipulation of the Hosts file
Changes of the browser settings
Installation of debuggers on the system
Simulated mouse and keyboard activity
Direct disk sector access on harddisk
Changes of the system group policies [NEW!]

What exactly is being monitored specifically?

For something like creation of autostart entries that's really "Adding an entry to the registry" or to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

And for manipulation of the hosts file it would be "Writing to the hosts file in \etc\hosts" or something.

I am just wondering what API calls are being intercepted when that's the case or what else is being monitored specifically.

ex: I don't know what "Spyware behavior" entails - I'd like an in-depth explanation.

In short, what specific actions compose each of these behaviors?
__________________
#2
November 30th, 2011, 11:20 AM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Question about Mamutu

No one's got a link?
__________________
#3
November 30th, 2011, 06:24 PM
Baserk
Frequent Poster
Join Date: Apr 2008
Location: Amstelodamum
Posts: 971
Re: Question about Mamutu

Nope. At least, I don't.
Their knowledge base articles are pretty much 'starter level' info pages.
I've never found any more specific info than what's posted above (their forum doesn't provide more in-depth info either).
I'd contact dev Fabian Wosar (fw at emsisoft.com) for deeper info on Mamutu, not sure what they are willing to provide though.
__________________
ROMANES EUNT DOMUS
#4
November 30th, 2011, 07:06 PM
Noob
Massive Poster
Join Date: Nov 2009
Posts: 5,247
Re: Question about Mamutu

Quote:
Originally Posted by Baserk
Nope. At least, I don't.
Their knowledge base articles are pretty much 'starter level' info pages.
I've never found any more specific info than what's posted above (their forum doesn't provide more in-depth info either).
I'd contact dev Fabian Wosar (fw at emsisoft.com) for deeper info on Mamutu, not sure what they are willing to provide though.
I don't really think they would provide the rule sets or heuristics they use; that could compromise the product, I guess, and as a business that is bad.
__________________
Emsisoft Anti-Malware v7.0.0.21 - Online Armor 6.0.0.1736
SRP - UAC - EMET

Browser: Google Chrome v25.xx

Windows 7 Ultimate x64
#5
November 30th, 2011, 09:47 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Question about Mamutu

Something like Mamutu could easily be reverse engineered in terms of behavioral blocking attributed to kernel calls - whitehats / security companies do this all of the time to malware or even AVs. Heuristics rules can often be reverse engineered as well (just test different things that might break rules), though scoring based on those rules is much more complex.

You can't tell the entire program but if you know "This call infects the computer" and "This program stops infections" it's easy to say "It's probably that call."

I'll try contacting a dev, thanks. IDK why they won't even give a simple explanation - I don't necessarily need something as low as the API but it would be nice to know what "spyware behavior" actually entails.
__________________
#6
December 1st, 2011, 03:16 AM
BoerenkoolMetWorst
Very Frequent Poster
Join Date: Dec 2009
Location: Outer space
Posts: 2,059
Re: Question about Mamutu

Yeah, I tried finding some more detailed info on them as well, but couldn't find it. I do know that behaviors from that list are more a combination of action/behaviors, for example, for the Keylogger behavior warning to appear, an executable needs not only to log keystrokes, but also connect to the internet.
#7
December 1st, 2011, 11:33 AM
HKEY1952
Frequent Poster
Join Date: Jul 2009
Location: HKEY/SECURITY/ (value not set)
Posts: 638
Re: Question about Mamutu

Quote:
Originally Posted by Hungry Man
I don't necessarily need something as low as the API but it would be nice to know what "spyware behavior" actually entails.

Briefly, "spyware behavior" entails the behavior of a component, not the specific sequence of bytes in that component's binary representation.

An example of "spyware behavior" would be a component, and/or unknown component, monitoring user behavior and/or interacting with another component, such as a Web Browser, monitoring that component's behavior and/or the user's interactions with that component, then/or petitioning calls to the Windows Application Programming Interface (API) that can potentially leak information about that behavior, such as petitioning calls to save the data to a file and/or transmit that information to a Remote Host.


EDIT: clarity


HKEY1952

Last edited by HKEY1952 : December 1st, 2011 at 11:48 AM.
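The posts above describe behaviour blocking in general terms: the OP asks which concrete actions (a Run-key write, a hosts-file write) make up each named behaviour, post #6 reports that the keylogger warning needs keystroke capture plus a network connection, and post #7 describes spyware behaviour as monitoring followed by API calls that save or transmit what was collected. The following toy correlation engine is an added illustration of that idea, written for this page; it is not Mamutu's code, not Emsisoft documentation, and says nothing about how their engine is actually built. The Windows API names are real functions, but the tag names, the rule sets and the sample event trace are constructed for the example.

```python
"""Toy behaviour-correlation engine for the categories discussed in this thread.

Added illustration only: this is not Mamutu's code, not Emsisoft documentation
and not a description of how their engine works. It shows the *shape* of the
idea in posts #1, #6 and #7: a behaviour blocker tags low-level API events per
process and raises a named behaviour only when a required combination of tags
is present. API names are ordinary Windows functions; the rule sets, tag names
and the sample trace are constructed for this example.
"""
from collections import defaultdict

# Locations named in post #1, upper-cased so matching is case-insensitive.
RUN_KEY = r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"
HOSTS_PATH = r"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS"

# Outbound-network APIs used as the "talks to a remote host" primitive.
NETWORK_APIS = {"connect", "InternetOpenUrl", "HttpSendRequest"}


def classify_event(ev):
    """Map one raw API event to a primitive tag, or None if it is not of interest."""
    api = ev["api"]
    target = ev.get("target", "").upper()
    if api == "RegSetValueEx" and target.startswith(RUN_KEY):
        return "autostart_write"
    if api == "WriteFile" and target == HOSTS_PATH:
        return "hosts_write"
    if api == "SetWindowsHookEx" and ev.get("hook") == "WH_KEYBOARD_LL":
        return "keyboard_capture"
    if api == "GetAsyncKeyState":
        return "keyboard_capture"   # polling is the other common capture method
    if api in NETWORK_APIS:
        return "network_out"
    if api == "WriteProcessMemory":
        return "remote_mem_write"
    if api == "CreateRemoteThread":
        return "remote_thread"
    return None


# A behaviour fires when EVERY tag in its set was seen from the same process.
# Post #6 reports that the keylogger warning needs capture AND a network
# connection; that combination is modelled here as a single rule.
RULES = {
    "Creation of Autostart entries": {"autostart_write"},
    "Manipulation of the Hosts file": {"hosts_write"},
    "Keylogger related behavior": {"keyboard_capture", "network_out"},
    "Injection of code into other programs": {"remote_mem_write", "remote_thread"},
}


def detect_behaviors(events):
    """Return {pid: [behaviour names]} for processes whose tags satisfy a rule."""
    tags_by_pid = defaultdict(set)
    for ev in events:
        tag = classify_event(ev)
        if tag:
            tags_by_pid[ev["pid"]].add(tag)
    verdicts = {}
    for pid, tags in tags_by_pid.items():
        hits = sorted(name for name, needed in RULES.items() if needed <= tags)
        if hits:
            verdicts[pid] = hits
    return verdicts


# Constructed sample trace: four processes, two of them benign.
SAMPLE_TRACE = [
    # pid 100: an editor saving a document and storing its own settings.
    {"pid": 100, "api": "WriteFile", "target": r"C:\Users\alice\notes.txt"},
    {"pid": 100, "api": "RegSetValueEx", "target": r"HKCU\Software\Editor\Settings"},
    # pid 200: installs a keyboard hook, logs to a file, then sends data out.
    {"pid": 200, "api": "SetWindowsHookEx", "hook": "WH_KEYBOARD_LL"},
    {"pid": 200, "api": "WriteFile", "target": r"C:\Users\alice\AppData\Local\Temp\k.log"},
    {"pid": 200, "api": "connect", "target": "203.0.113.7:443"},
    # pid 300: a hotkey utility; it hooks the keyboard but never goes online,
    # so on its own the hook does not reach the keylogger threshold.
    {"pid": 300, "api": "SetWindowsHookEx", "hook": "WH_KEYBOARD_LL"},
    # pid 400: persists via the Run key and rewrites the hosts file.
    {"pid": 400, "api": "RegSetValueEx",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"pid": 400, "api": "WriteFile",
     "target": r"C:\Windows\System32\drivers\etc\hosts"},
]

if __name__ == "__main__":
    for pid, names in sorted(detect_behaviors(SAMPLE_TRACE).items()):
        print(pid, "->", ", ".join(names))
```

Run as a script, it reports pid 200 for keylogger behaviour and pid 400 for both the autostart and hosts-file behaviours, while the editor (pid 100) and the hook-only hotkey tool (pid 300) stay silent. The point of the design is that a single primitive such as a keyboard hook is not an alert by itself; only the combination is, which is exactly why the vendor's list reads as behaviours rather than as individual API calls.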
#8
December 1st, 2011, 02:16 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Question about Mamutu

I see. Thank you.

There are quite a few of them that are fairly vague but I suppose I can just do some research.
__________________
#9
December 1st, 2011, 02:21 PM
HKEY1952
Frequent Poster
Join Date: Jul 2009
Location: HKEY/SECURITY/ (value not set)
Posts: 638
Re: Question about Mamutu

Quote:
Originally Posted by Hungry Man
I see. Thank you.

There are quite a few of them that are fairly vague but I suppose I can just do some research.

You are welcome Hungry Man


HKEY1952
#10
December 3rd, 2011, 01:26 PM
MrBrian
Very Frequent Poster
Join Date: Feb 2008
Posts: 2,925
Re: Question about Mamutu

There are academic papers out there regarding listing high level malware behaviors, but unfortunately for those papers I've looked at there is apparently no publicly available program or code.
#11
December 3rd, 2011, 02:36 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Question about Mamutu

I'd like to see them if you have them. The code is less important - if I can see what the behaviors are specifically I can figure out the code.
__________________
#12
December 3rd, 2011, 03:41 PM
MrBrian
Very Frequent Poster
Join Date: Feb 2008
Posts: 2,925
Re: Question about Mamutu

Quote:
Originally Posted by Hungry Man
I'd like to see them if you have them. The code is less important - if I can see what the behaviors are specifically I can figure out the code.

There is definitely one free paper available on this but I don't remember its name; I don't recall if it is specific enough to be useful to you. Maybe check the references in the paper "Behavior abstraction in Malware analysis", or do this Google search: "high level" malware behavior filetype:pdf, or maybe: malware behavior filetype:pdf.

Last edited by MrBrian : December 3rd, 2011 at 03:47 PM.
#13
December 3rd, 2011, 03:49 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Question about Mamutu

Will do thanks.
__________________
#14
December 3rd, 2011, 03:51 PM
MrBrian
Very Frequent Poster
Join Date: Feb 2008
Posts: 2,925
Re: Question about Mamutu

Quote:
Originally Posted by Hungry Man
Will do thanks.

You're welcome.

There is also one free paper (at least) that lists the behaviors found most commonly in malware.
#15
December 3rd, 2011, 03:53 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Question about Mamutu

http://www.usenix.org/event/leet09/t...ayer/bayer.pdf

Reading this at the moment.

I'm interested in anything even slightly relevant =p I had no idea I could search by file type either lol
__________________
#16
December 3rd, 2011, 04:02 PM
MrBrian
Very Frequent Poster
Join Date: Feb 2008
Posts: 2,925
Re: Question about Mamutu

Quote:
Originally Posted by Hungry Man
Reading this at the moment.

There's at least one more, because that isn't the one that I remembered.
#17
December 3rd, 2011, 05:30 PM
MrBrian
Very Frequent Poster
Join Date: Feb 2008
Posts: 2,925
Re: Question about Mamutu

Quote:
Originally Posted by MrBrian
There's at least one more, because that isn't the one that I remembered.

It's "Tracer: Enforcing Mandatory Access Control in Commodity OS with the Support of Light-Weight Intrusion Detection and Tracing."
#18
December 3rd, 2011, 05:34 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Question about Mamutu

Oh yes that. I've read that.
__________________
#19
December 6th, 2011, 07:20 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Question about Mamutu

Anyone have a whitepaper on Mamutu maybe?

I'm also interested in any tests with Mamutu vs Malware. Videos, papers, whatever.
__________________
#20
December 9th, 2011, 01:02 PM
Noob
Massive Poster
Join Date: Nov 2009
Posts: 5,247
Re: Question about Mamutu

For videos I guess some amateur YouTube videos would work.
__________________
Emsisoft Anti-Malware v7.0.0.21 - Online Armor 6.0.0.1736
SRP - UAC - EMET

Browser: Google Chrome v25.xx

Windows 7 Ultimate x64
#21
December 9th, 2011, 02:12 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Question about Mamutu

I'll take them =p
__________________
#22
December 9th, 2011, 02:45 PM
justenough
Very Frequent Poster
Join Date: May 2010
Posts: 1,031
Re: Question about Mamutu

I've used Mamutu for almost 2 years because it was recommended here and because of the reputation of the company behind it, Emsisoft. I've looked for more information about the program and for testing, without much luck. If you find anything Hungry Man I'd be interested in reading about it.
__________________
Sandboxie WebrootSA
MBAM HMP EEK SecuniaPSI
Router Win7x64FW NortonDNS Chrome: WOT Ghostery AB LastPass
MacriumReflectPro pluginHD & rescue disks
#23
December 9th, 2011, 03:07 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Question about Mamutu

I'll send you a PM if I find anything of interest.

I used Mamutu as well and liked it. I'm curious as to how effective a pure behavior blocker can be.
__________________
Copyright ©2002 - 2013, Wilders Security Forums