Is injecting code into notepad's process memory not malware behavior?

Discussion in 'malware problems & news' started by softtouch, Apr 26, 2009.

Thread Status:
Not open for further replies.
  1. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Just curious: when a program opens notepad.exe, suspends the process from running, injects executable code into the process memory of notepad, and runs the code, is this not malware behavior, and shouldn't it trigger an alarm?
    I just did such a test, and nothing seems to prevent it. I have Nod32 V4, PrevX Edge 3.0 and DefenseWall installed, but the program will run.
    Am I missing something here?
     
  2. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA

    Can you give an example of what was trying to inject code into the process memory of notepad? Thus, if you open a text.txt, then notepad would need to inject the code into the process memory to run notepad. Firewall Plus 3.0.1.14 has code injection, so this would appear every time you make a request to run an app, which is normal, but you need to make sure it's something you want to launch. Didn't PrevX catch the file with a popup?
     
  3. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Nothing popped up here.
    It was a test program which I wrote to see if PrevX / Nod etc. prevent it from running.
    What it does is run notepad as a suspended process, so it won't open any window, etc.
    It then injects code into the process memory of the suspended notepad and resumes the process, which will then run my code.
    In Task Manager, of course, just notepad.exe is running, nothing else.
    This is in my opinion a kind of malware behavior and should have been detected...
    If you want, I can PM you a link to the test file. I wrote it in Delphi, so VT tells me 5/42, but that's normal if you use Delphi...
     
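As an added example that is not part of the thread (and that the 2009 products discussed here would not have used as written): a small triage over memory-region records in the shape VirtualQueryEx returns, showing why code written into a suspended notepad.exe is still findable even though Task Manager lists only notepad.exe. The snapshot and the injector's region are constructed; the Windows constants are the real winnt.h values.

```python
"""Memory-region triage for the notepad.exe scenario: code written into a
suspended process sits in committed PRIVATE memory that is executable and
backed by no file. Region records mimic VirtualQueryEx output (constructed)."""
from dataclasses import dataclass

# Windows memory constants (winnt.h)
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_GUARD = 0x100
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80  # PAGE_EXECUTE* base protections

@dataclass
class Region:
    base: int
    size: int
    state: int
    type_: int
    protect: int
    mapped_file: str = ""  # image/mapped regions name a file; private ones cannot

def is_injected_candidate(r: Region) -> bool:
    """Committed + private + executable is the footprint that code written with
    WriteProcessMemory leaves; image-backed code sections do not match."""
    if r.state != MEM_COMMIT or r.type_ != MEM_PRIVATE:
        return False
    if r.protect & PAGE_GUARD:  # guard pages are stack bookkeeping, not code
        return False
    return bool(r.protect & 0xFF & EXECUTABLE_MASK)

def find_candidates(regions: list[Region]) -> list[Region]:
    return [r for r in regions if is_injected_candidate(r)]

# Constructed snapshot of a notepad.exe that received an injected payload
SNAPSHOT = [
    Region(0x00400000, 0x1000, MEM_COMMIT, MEM_IMAGE, PAGE_READONLY, r"C:\Windows\notepad.exe"),
    Region(0x00401000, 0x1E000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ, r"C:\Windows\notepad.exe"),
    Region(0x77A00000, 0x100000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ, r"C:\Windows\System32\ntdll.dll"),
    Region(0x00120000, 0x10000, MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE),  # heap: writable, not executable
    Region(0x001E0000, 0x5000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE),  # injected code footprint
]

if __name__ == "__main__":
    for r in find_candidates(SNAPSHOT):
        print(f"suspicious region {r.base:#010x} size {r.size:#x} protect {r.protect:#x}")
```

JIT runtimes and some packers produce the same footprint legitimately, which is why behavioral products treat it as one signal to weigh rather than a verdict on its own.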
  4. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Did you try it with ThreatFire?
    It gave me a warning about code injection / process injection at one time.
     
  5. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    See, you can write your own test scripts and find out that none of these AV/MW/SP/HP can stop it. I use another method and the files always come up as a hidden Trojan, but it's not. I found out that my internal drives on the test box had the Recycle Virus that denied access to the D, E, F HDDs when you try to access the HD through My Computer. You could access the HD through Explorer though. Thus the hidden cloak-malware virus is still present on these drives. Even if you blow out the C MBR, restore the HD and thus have internal HDs in the box, this virus is still present to attack your system again.

    AVG Free found the Recycle Virus and kept on reporting it, but it can remove or heal it or send it to the vault. But if it did that you still couldn't access those drives, as Windows will report it can't find Recycle xxxxxxxxxxxx.com.
    Also known as autorun.inf aliases.

    See, Avira Free and Premium didn't even catch this stuff. Spyware Doctor/AV neither, a shame though. I've fixed the problem without needing to wipe out those drives or reformat them.

    AVG Free seems slow, I need to test that again. Also Rising Sun AV Free is being tested on another box that has only 256MB of RAM; since it is light on RAM requirements I wanted to see how it does. ThreatFire is on that box though. Firewall Plus 5.0.0.38 is active (really don't like that version; 3.0.1.14 is better).

    Can you run your test again with ThreatFire and configure ThreatFire like this:

    Level 5
    Custom all
    Processes: add all the apps you use on your system to the trusted list.
    See if it can detect your test program script or app.
     
  6. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    I will checkout TF today.
     
  7. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    It is absolutely way too generic to be defined as malware behavior, and if the software you have written does not break any of the heuristic flags, then anyone will detect it just because it is injected into the notepad process. Lots of processes can use injection for good stuff; then we should detect every piece of software that tries to inject itself into another process.

    Only plain HIPS software will detect the action, but they alert you about *every* action the software does.
     
  8. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    So it should be just fine to do that?
    I ask because, for the software I develop, I use a small additional executable into which I load and inject other executables that are bundled with my main program, and run them this way. The reason is, we do not want them to get saved to disk, and this was, for me, currently the only way to run an exe from memory without extracting it to disk.
     
  9. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,095
    Hi softtouch,

    Injection is a method used by malware, but your use for your own purpose which affects only you does not have the intent of malware - i.e. to do something nefarious to some other user in a stealthy manner without detection, e.g. steal someone else's identity, financial information, etcetera.

    -- Tom
     
  10. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    What are your findings so far? I know everyone here has their own expertise. Malware threat is dangerous. TF, PrevX, RAV MBI, Norton Bot and the others are really needed. You just can't have the plain AV to protect the system, unless it has behavioral features in it. Most are doing that now.

    Everything should be prompted; although it can be annoying, if you get infected badly then your rig is out until you repair the damage.
     
  11. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    TF did not flag it. I set the level to 5, and it was quiet about it.
    I think it's because I do not intend to do anything "bad" to the system.
    But I would have expected that at least one program would tell me that something has hijacked notepad.exe and injected code into its process memory...
     
  12. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I was using a program which modified a PC game (Oblivion) I had installed.

    TF popped up with

    "Thread injected into another Program", and then gave the name of the mod program and the location of the main Oblivion.exe file.

    It does apply logic to stuff though, to reduce pop-ups to a minimum.
    It's possible that if you created a program on your own PC, it will have recognised the file you created as OK to do whatever.

    I don't even know if TF would give you that level of detail of how their program works, although it's no harm to ask (they have a forum if you google it).

    There is a poster here, Kess1958, who is a bit of a whiz at most programs including TF, so you could also ask him.
     
  13. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Are you talking about the MBR rootkit that was out again recently?

    This is an extremely hard-to-detect case, but a scanner which checks the MBR can still pick up and remove this; Prevx does, and a few others.

    Little bit OT though.
     
  14. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Hmm? I've pulled TF from my lineup of protection. The server hung because of TF, so that can't happen again. The Rising Sun folks have "Malicious Behavior Interceptor", which works like TF but only gives you a countdown in seconds to answer the prompt questions. Still not bad; it found some stuff I didn't know had threats in the other folders on other HDDs.
     
  15. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Well, yes and no, but those programs you mentioned like PrevX crash too much to be effective. I want something that can remove the threat out of the software so you can use it, which has happened twice today. Still, nothing is perfect, but you can hope for the best. It's a real shame how pests have embedded more crap to attack us into MSI, EXE, COM, DLL, INF...
     
  16. Cloud_Shadow

    Cloud_Shadow Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    46
    Well, Comodo D+ I think prevents shellcode injection into processes. Once a file tried to inject shellcode, and D+ blocked it.

    Try it and see if it works.
     