
Hostile Scripting?

Started by eXShadow, May 02, 2004, 08:42 AM

eXShadow

I just sent my bot to a friend for testing and he sent me a screenshot of McAfee saying it has hostile scripting or something. Now I know what it's picking up, it's picking up my anti-tamper function, but how do I make this not a "hostile script"?

My anti-tamper function simply reads the registry for an existing key; if the key isn't found it allows access to the bot. If the key is found with a value of 1 it disallows access to the bot. When I removed this feature for testing, McAfee had no problem. Is there any way to make it not a "hostile script"?

Thanks

hismajesty

Quote: Is there any way to make it not a "hostile script"?

Yes!

eXShadow

Haha, you people here have a great sense of humour  :)

Could you care to help me out? Maybe an example or how I'd go about this, any examples I can download or anything?

Adron

Post the exact information from McAfee. Perhaps McAfee will say that about anything accessing the registry? Perhaps it's just saying that this script accesses the registry, and that some hostile scripts do that?

Stealth

Was it McAfee that labeled anything with the FileSystemObject in it "hostile"?
- Stealth
Author of StealthBot

eXShadow

I don't know the exact message, as it was my friend that received the alert and I don't have McAfee. The only thing I'm using that MODIFIES the registry is:

CreateKey "HKEY_CURRENT_USER\Software\..........................", "1"



iago

Tell him to delete McAfee and get a real scanner :/
This'll make an interesting test for broken AV:
Quote: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


effect

Quote from: iago on May 02, 2004, 11:03 PM
Tell him to delete McAfee and get a real scanner :/

McAfee Security Center is great, Scanner/Firewall/Anti-Spam/Privacy. I only use the scanner and firewall, and both up until now have worked flawlessly.
Quote from: Mangix on March 22, 2005, 03:03 AM
i am an expert Stealthbot VBScript. Recognize Bitch.

eXShadow

So there is no way to fix it from the coding? He just needs to allow it or whatever? Hmmm, this wouldn't look too good when I release it to the public  :'(

effect

Maybe an expressed warning on your software describing exactly what it does and WHY?

I don't think you will find a work-around for this (as long as you continue to edit the registry at run-time). McAfee, Norton, or any decent scanner for that matter will/should pick up changes done to the registry at run-time.

iago

But lots of programs access the registry fine, though.  Where exactly are you making the change?  In your own key, or in a system key?


MyndFyre

I think it's the fact that the program is using the Windows Scripting Host.  McAfee and Norton tend to frown on the accessing of the registry or the file system through the WSH because there is easy potential for exploitation there.

Although, I would tend to think this could go to the general programming forum, not just here.  ;)
Quote: Every generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

iago

Why can't he just use the standard API for reading/writing the registry?  Or even the special VB commands, which I forget, SaveSetting and LoadSetting or something.


effect

Quote from: iago on May 03, 2004, 07:09 AM
But lots of programs access the registry fine, though.  Where exactly are you making the change?  In your own key, or in a system key?

After I posted that comment I stopped and thought that as well: how do scanners define "valid" registry entries and "malicious" registry entries? Does it work by comparing if the value of the key that is trying to get inserted is malicious in some way?

MyndFyre

Quote from: effect on May 03, 2004, 06:26 PM
Quote from: iago on May 03, 2004, 07:09 AM
But lots of programs access the registry fine, though.  Where exactly are you making the change?  In your own key, or in a system key?

After I posted that comment I stopped and thought that as well: how do scanners define "valid" registry entries and "malicious" registry entries? Does it work by comparing if the value of the key that is trying to get inserted is malicious in some way?

No, IIRC, any Script object that attempts to access a Registry object through WSH is flagged as potentially malicious.
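A toy static heuristic of the kind Stealth and MyndFyre describe, added here as an example; it is not part of the original thread and not McAfee's actual logic. The indicator list and both VB samples are constructed (the `ExampleBot` names are placeholders), and the second sample uses VB's built-in `SaveSetting`/`GetSetting`, the functions iago is referring to.

```python
import re

# Indicators assumed for this illustration; not any vendor's real signatures.
HOST_OBJECTS = {
    "wscript.shell": "Windows Script Host shell",
    "scripting.filesystemobject": "FileSystemObject",
}
CREATE_RE = re.compile(r'createobject\s*\(\s*"([^"]+)"', re.IGNORECASE)
REG_CALL_RE = re.compile(r"\.\s*(regread|regwrite|regdelete)\b", re.IGNORECASE)

# Constructed samples: key and application names are placeholders.
WSH_SAMPLE = r"""Dim sh
Set sh = CreateObject("WScript.Shell")
sh.RegWrite "HKCU\Software\ExampleBot\Tamper", "1"
"""
NATIVE_SAMPLE = r"""' No CreateObject("WScript.Shell") here, only VB's own functions
SaveSetting "ExampleBot", "State", "Tamper", "1"
If GetSetting("ExampleBot", "State", "Tamper", "0") = "1" Then End
"""


def strip_comment(line):
    """Drop a VB comment: an apostrophe outside a string literal starts one."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def scan(source):
    """Return (line number, kind, detail) for each scripting-host indicator."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = strip_comment(raw)
        for m in CREATE_RE.finditer(line):
            progid = m.group(1).lower()
            if progid in HOST_OBJECTS:
                findings.append((lineno, "object", HOST_OBJECTS[progid]))
        for m in REG_CALL_RE.finditer(line):
            findings.append((lineno, "call", m.group(1).lower()))
    return findings


def verdict(source):
    """Flag on the scripting object alone; key path and value are never inspected."""
    hit = any(kind == "object" for _, kind, _ in scan(source))
    return "flagged" if hit else "clean"
```

Because `verdict` keys on the scripting object rather than the data, changing the key or the value written does not change the result, which is the behaviour MyndFyre describes in reply to effect's question.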