C:\Program Files\ClamWin\bin>type BlackLight.hdb
a60ac654afc5cdcbd16ee680b60556cb:605280:(null)
Then we test it:
C:\Program Files\ClamWin\bin>clamscan.exe -d BlackLight.hdb blbeta.exe
blbeta.exe: (null) FOUND
----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.86.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.57 MB
Time: 0.055 sec (0 m 0 s)
The malware is now protected from the BlackLight anti-rootkit tool. The malware
becomes a dog that guards an infected system against unwanted invasions.
Have you already started to imagine a not so nice future for us?
So what is wrong? How is it possible? What can we do?
There are no easy answers, but
the problem is that our security tools are just static
binary files (we even publish their MD5 signatures for security reasons), thus our
security tools can be shot like a rabbit from close distance.
To protect our tools we need to evade antivirus detection! Therefore, our
security tools need to be polymorphic or even metamorphic. What a small
world! Does it mean that we are going to use the malware writers' techniques to
protect our software?
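As an added example (not code from the paper), the following Python reimplements the hash-signature lookup that the .hdb file above drives: an entry is just md5:filesize:name, so it matches only the exact bytes it was generated for, which is why a static binary is such an easy target and a changing one is not. The sample "tool" bytes and the signature built from them are constructed for the demonstration.

```python
import hashlib

# Constructed stand-in for a security tool's binary (not a real file).
SAMPLE_TOOL = b"MZ\x90\x00" + b"constructed stand-in for blbeta.exe" * 40


def parse_hdb(text):
    """Parse ClamAV .hdb lines of the form md5:filesize:name into a list of
    (md5_hex, size, name) tuples; blank lines and '#' comments are skipped."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5_hex, size, name = line.split(":", 2)
        sigs.append((md5_hex.lower(), int(size), name))
    return sigs


def match_hdb(data, sigs):
    """Return the name of the signature matching `data`, or None.
    The size field is compared first, so the digest is only computed when a
    match is still possible; this is what makes hash signatures so cheap."""
    candidates = [s for s in sigs if s[1] == len(data)]
    if not candidates:
        return None
    digest = hashlib.md5(data).hexdigest()
    for md5_hex, _, name in candidates:
        if md5_hex == digest:
            return name
    return None


# Constructed .hdb entry for the sample above, in the same md5:size:name
# layout as BlackLight.hdb in the text.
HDB_TEXT = "{}:{}:Constructed.SecurityTool\n".format(
    hashlib.md5(SAMPLE_TOOL).hexdigest(), len(SAMPLE_TOOL))
SIGNATURES = parse_hdb(HDB_TEXT)


def demo():
    """Unchanged bytes match; one changed byte (same size) or one appended
    byte (different size) no longer matches the hash signature."""
    unchanged = match_hdb(SAMPLE_TOOL, SIGNATURES)
    patched = match_hdb(b"\x00" + SAMPLE_TOOL[1:], SIGNATURES)  # same size
    padded = match_hdb(SAMPLE_TOOL + b"\x00", SIGNATURES)       # size differs
    return unchanged, patched, padded


if __name__ == "__main__":
    print(demo())  # ('Constructed.SecurityTool', None, None)
```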
2.7.2 The Black Honeypot
The honeypot is a very exciting and powerful technology. If you haven't heard
about it, I recommend you visit The Honeynet Project web site [12] and
another honeypot-related web site [13].
Let me skip the introduction and explanation of honeypots and jump to the
possible problem: