Hijacking of process not recognized?

Discussion in 'NOD32 version 2 Forum' started by softtouch, Aug 24, 2006.

Thread Status:
Not open for further replies.
  1. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    I just wrote a small test program, which does nothing but hijack notepad, write my own code into notepad's process memory and execute it there.
    If AMON is enabled during compilation, it blocks it, but once the executable is on the hard disk, AMON does not block it any longer and I can execute it.

    http://www.tindahan.biz/myitems/np.jpg

    Virustotal shows:

    http://www.tindahan.biz/myitems/vt.jpg

    I think it should be detected by AMON if I try to execute it, and not only if I try to create it. I can even copy and paste it, and it will not be recognized.

    And before anybody tells me to submit it to ESET, I DID, weeks ago.
     
  2. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    Your sample is detected only by Advanced Heuristics, and AMON uses AH only on new and changed files. It should be enough, because by default AMON automatically moves these files to quarantine, so there is no chance you can execute them (and bypass the AH detection).
     
  3. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    It's not the case. It is blocked only during compilation. But once the exe is on the hard disk, it is not recognized. Also, if I zip the exe and unzip it to any location, it's not recognized. It is only recognized if I create it during compilation OR right-click it and check it with NOD manually.

    Btw, I am NOT writing any virus or malware; I just wrote a small test program to see how my antivirus scanner and other software react to it.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It must be detected during the unzip process, as it's a normal file creation, where AMON uses AH for scanning.
     
  5. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Maybe it is disabled?

    softtouch,
    Is your AMON set like this and this?
    And also, is detection configured as pictured below, and to scan all file extensions or something else?

    Cheers :)
     

    Last edited: Aug 25, 2006
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It's the wrong screenshot; see the additional options on create found on the Options tab.
     
  7. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Yes, the additional options on the create and actions tabs are shown in the two linked posts.
    The screenshot I posted was just for completeness whilst looking at the tabs...
    I'll stay quiet now :ninja:

    Cheers :)
     
  8. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    OK, I have modified the NOD32 settings and it is recognized if I unzip it too, but I can still execute it without problem once it is on the hard disk. AMON does not recognize it during execution. Is there ANY setting I may have missed in NOD32 to prevent executing such code?
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    As it's been said, AMON uses AH on create only. Otherwise your computer's performance would become so slow that it would be virtually unusable. AMON moves files detected by AH on create to quarantine to prevent their execution.
     
  10. CyberMew

    CyberMew Registered Member

    Joined:
    Apr 17, 2005
    Posts:
    128
    So if my external hard disk contains the file, and I plug it into my desktop and run it, NOD32 (IMON or AMON) will not notify me at all?
     
  11. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    At least this is what it does with my test program. I tried this by copying it to a memory stick, plugging it into another computer and starting it, without NOD32 complaining.

    I do not understand why the option "Scan on Execute" is there if it is not scanned on execute...?
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Files are scanned on create and execute. However, AH is used only on create; otherwise your computer would become unusable. Since everything has been explained, this thread is now closed.
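
The following is an added illustration, not code from the thread, from ESET, or from softtouch's test program. It models the scanning policy the ESET replies describe (signatures on create and on execute, Advanced Heuristics only on create, AH detections on create quarantined) and runs the thread's scenarios through it: a heuristic-only sample built on the protected machine, the same sample arriving on removable media so that the monitor never sees a create event, and a signature-known sample. The sample names, the signature list, the two-event model and the `ah_on_execute` switch are constructed for the example; real AMON has more events and settings than this.

```python
"""Model of the on-access policy described in the thread: Advanced Heuristics
(AH) runs only on file creation, the execute-time scan uses signatures only,
and AH detections on create are quarantined.  Samples, the signature database
and the event streams below are constructed for this example."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed signature database: names the signature scanner recognises.
SIGNATURE_DB = {"Win32/TestSig.A"}


@dataclass(frozen=True)
class Sample:
    name: str
    signature: Optional[str] = None  # matching entry in SIGNATURE_DB, if any
    ah_flags: bool = False           # would Advanced Heuristics flag it?


@dataclass
class Monitor:
    """One machine's on-access monitor (hypothetical model, not AMON itself)."""
    ah_on_create: bool = True
    ah_on_execute: bool = False      # the behaviour the thread attributes to AMON
    quarantine: Set[str] = field(default_factory=set)

    def on_event(self, event: str, sample: Sample) -> str:
        """Return the verdict for a 'create' or 'execute' event on a file."""
        if event not in ("create", "execute"):
            raise ValueError(f"unknown event {event!r}")
        # A file quarantined earlier can no longer be executed.
        if sample.name in self.quarantine:
            return "blocked:quarantined"
        # Signature scanning runs on every event.
        if sample.signature in SIGNATURE_DB:
            self.quarantine.add(sample.name)
            return f"detected:signature on {event}"
        # AH runs only where the policy enables it for this event type.
        use_ah = self.ah_on_create if event == "create" else self.ah_on_execute
        if use_ah and sample.ah_flags:
            self.quarantine.add(sample.name)
            return f"detected:heuristic on {event}"
        return "allowed" if event == "execute" else "created"


def run(monitor: Monitor, events: List[Tuple[str, Sample]]) -> List[Tuple[str, str]]:
    """Feed an event stream to a monitor and collect (event, verdict) pairs."""
    return [(ev, monitor.on_event(ev, s)) for ev, s in events]


# Constructed stand-in for the thread's test program: no signature, AH only.
TEST_PROGRAM = Sample("np.exe", ah_flags=True)


def scenario_local_build() -> List[Tuple[str, str]]:
    """Compile on the protected machine (a create event), then run the result."""
    return run(Monitor(), [("create", TEST_PROGRAM), ("execute", TEST_PROGRAM)])


def scenario_removable_media(ah_on_execute: bool = False) -> List[Tuple[str, str]]:
    """Binary arrives on a stick: this machine's monitor only ever sees execute."""
    return run(Monitor(ah_on_execute=ah_on_execute), [("execute", TEST_PROGRAM)])


def scenario_signature_sample() -> List[Tuple[str, str]]:
    """A sample with a real signature is caught on execute regardless of AH."""
    known = Sample("known.exe", signature="Win32/TestSig.A")
    return run(Monitor(), [("execute", known)])


if __name__ == "__main__":
    print("local build:      ", scenario_local_build())
    print("removable media:  ", scenario_removable_media())
    print("AH on execute too:", scenario_removable_media(ah_on_execute=True))
    print("signature sample: ", scenario_signature_sample())
```

The gap the thread circles around is the second scenario: a sample that only heuristics would catch is quarantined when it is created on the protected machine, but a copy that first appears to the monitor at execute time is allowed, because that scan carries no heuristics. Flipping `ah_on_execute` closes the gap in the model at the cost the ESET replies cite.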
     