24 May 2007

Tips for virus programmers

Category: Hacking — Christian @ 18:02

Mark Russinovich, who used to run Sysinternals and is now one of those Microsoft droids, has written something interesting about disguising programs:

    This example highlights a few practices that software vendors should follow for reliability and to prevent the confusion I faced. First is the use of environment variables and Shell special paths instead of hard-coded strings. IECheck (which I presume stands for Icon Editor Check) references the Program Files directory by name, which is only valid on English installations of Windows, so if installed on a foreign system, IECheck would fail to find the executables it looks for. Instead, it should locate the Program Files directory by using the %PROGRAMFILES% environment variable, or call SHGetFolderPath with CSIDL_PROGRAM_FILES for the folder parameter.

    To avoid scaring security-conscious users, all executables should have a version resource with a company name and a description that clearly identifies the executable’s purpose. Further, vendors should obtain a code signing certificate to digitally sign their code. Windows relies more and more on signature information to help users make trust decisions, and users can leverage tools like Process Explorer, Autoruns, and Sigcheck to verify that executables are what they advertise instead of malware. I’ve contacted the author of IconEdit2 and he’ll be updating his application to follow this guidance. All vendors need to do their part to avoid this kind of needless scare.

Well, the code-signing part is a bit tricky. But everything else one should really expect from a good virus author. Give your malware plausible-sounding names. Stuff in a properly faked version string and a well-known manufacturer so that it looks like something. And spare yourselves the nonsense with rootkits, that's far too conspicuous.
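The verification side of the quoted guidance, from the defender's chair: an added PowerShell example (not from the original post or from Sysinternals) that audits a directory for executables whose version resource lacks a company name or description, or whose Authenticode signature does not verify. The directory under $env:ProgramFiles is an assumption; point it at whatever you want to review.

```powershell
# Added example, not part of the original post. Lists every .exe/.dll under
# a directory with the version-resource fields and signature status that
# Russinovich says a legitimate vendor should provide. Uses the environment
# variable instead of a hard-coded "C:\Program Files", as the quote advises.
param(
    [string]$Path = (Join-Path $env:ProgramFiles 'SomeVendor')  # assumed path
)

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $info = $_.VersionInfo                                   # version resource
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName  # Authenticode check

    [pscustomobject]@{
        File        = $_.FullName
        Company     = $info.CompanyName
        Description = $info.FileDescription
        Version     = $info.FileVersion
        Signature   = $sig.Status     # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Flag anything that would make a security-conscious user nervous.
        Suspicious  = [string]::IsNullOrWhiteSpace($info.CompanyName) -or
                      [string]::IsNullOrWhiteSpace($info.FileDescription) -or
                      ($sig.Status -ne 'Valid')
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Version-resource strings can be written by anyone, which is exactly the point of the post, so treat missing metadata as a hint and the signature status together with the signer subject as the stronger signal. Anything other than Valid deserves a closer look with Sigcheck or Process Explorer.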

1 comment

  1. Comments locked because of spam

    Comment by Christian — 7 June 2012 @ 07:01
