Virus in a program installer, possible?

Discussion in 'other security issues & news' started by Matt_Smi, Mar 4, 2005.

Thread Status:
Not open for further replies.
  1. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    I was wondering if it was possible for someone to pack malware into a seemly legit program installer. I know that many programs bundle spyware with them and unless you read the agreement carefully and watch what components you install then you can get caught. What I am talking about is when you install the program the installer has been modified in such a way that it also installs some malware along with it.
     
  2. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    With reverse engineering this could be done, like you disassemble, let's say, Ad-Aware and you change the code so it will log all keys you type in and send them to a server when it would "update their signature database" :D

    I don't think this is easily done; it could be intercepted when you verify the programs/downloads with a hasher like MD5, so you definitely know it is the file you need before installing it.

    Inf.
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Seemingly legit? Happens every day. One of THE most common ones: a common keylog installer packed with just a self-extractor. Change the icon, it looks fine, and they are spammed as aimbots, cheats, hacks, you name it. I'm sure they do a lot of damage. Installer programs are common, open source and can be modified. Once it gets heavy the AVs get onto them, but there are other tricks they don't get.

    If you have PG you see all executions; it's nice to have rundll32.exe, cmd.exe, and lately especially regsvr32.exe all monitored! Loads of adware just drop one DLL and run regsvr32 /s dll.dll. Even the free version lets you see these run, and see every file in a package that gets dropped.

    Believe it or not, just watching your drive for new files and watching what executes like this, you can see everything that happens with most trojan droppers. Why not open a couple of Explorer windows before running any installer? Put one in Program Files and the other in the System32 folder. Explorer will show new files appearing at the end of the list as they show up. If you're hit with adware-dropping malware you will see it and even know where all the files are. There are loads of these adware droppers around, usually on sites offering "free" screensavers.
     
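Infinity's hash check and Gavin's watch-the-folders trick, combined in one small script. This is an added example, not code posted by anyone in the thread; the two Windows paths at the bottom are assumptions and any folder can be watched instead.

```python
# Added example (not from the thread): snapshot watched folders before an
# install, diff afterwards to list dropped files, and verify a download's
# hash first. The Windows paths at the bottom are assumptions.
import hashlib
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Hex digest of a file, read in chunks so large installers are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex, algo="sha256"):
    """True only if the file's digest matches the vendor-published value."""
    return file_digest(path, algo).lower() == expected_hex.strip().lower()


def snapshot(dirs):
    """Map every file under the watched dirs to (size, digest)."""
    seen = {}
    for d in dirs:
        for p in Path(d).rglob("*"):
            if p.is_file():
                try:
                    seen[str(p)] = (p.stat().st_size, file_digest(p))
                except OSError:
                    pass  # unreadable or vanished mid-walk; skip it
    return seen


def diff_snapshots(before, after):
    """Return (new_files, changed_files) between two snapshots."""
    new = sorted(p for p in after if p not in before)
    changed = sorted(p for p in after if p in before and after[p] != before[p])
    return new, changed


if __name__ == "__main__":
    watched = [r"C:\Program Files", r"C:\Windows\System32"]  # assumed paths
    base = snapshot(watched)
    input("Run the installer now, then press Enter...")
    new, changed = diff_snapshots(base, snapshot(watched))
    for p in new:
        print("NEW    ", p, file_digest(p))
    for p in changed:
        print("CHANGED", p)
```

Hashing all of System32 takes a minute or two; the new-file list is what Explorer's sorted view shows you, and the digests let you look up anything suspicious afterwards.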