
Author Topic: evil AV (on development)  (Read 9759 times)


Offline gh0st

evil AV (on development)
« on: August 03, 2011, 03:52:19 AM »
Evil AV     
Evil AV is an antivirus coded in Java and is being developed by evilzoners themselves. This is very basic software and its features will be added in the future, but the basic search engine is being developed now; any evilzone member can add pieces of source code that will complement the modules.

 current source code:

http://pastebin.com/nGnTffbd
 
Code:
import java.awt.Color;
import java.awt.EventQueue;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;

import javax.swing.GroupLayout;
import javax.swing.GroupLayout.Alignment;
import javax.swing.JButton;
import javax.swing.JFrame;
import javax.swing.JPanel;
import javax.swing.border.EmptyBorder;

public class av extends JFrame {

    private JPanel contentPane;
    private JButton btnNewButton;

    /**
     * Launch the application.
     */
    public static void main(String[] args) {
        EventQueue.invokeLater(new Runnable() {
            public void run() {
                try {
                    av frame = new av();
                    frame.setVisible(true);
                } catch (Exception e) {
                    e.printStackTrace();
                }
            }
        });
    }

    /**
     * Create the frame.
     */
    public av() {
        setTitle("Evil AV");
        setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
        setBounds(100, 100, 450, 300);
        contentPane = new JPanel();
        contentPane.setForeground(Color.WHITE);
        contentPane.setBorder(new EmptyBorder(5, 5, 5, 5));
        setContentPane(contentPane);

        btnNewButton = new JButton("Full scan");

        JButton button = new JButton("Scan file");
        button.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent arg0) {
                // "scan file" module: not implemented yet (see "things to be done")
            }
        });
        GroupLayout gl_contentPane = new GroupLayout(contentPane);
        gl_contentPane.setHorizontalGroup(
            gl_contentPane.createParallelGroup(Alignment.LEADING)
                .addGroup(Alignment.TRAILING, gl_contentPane.createSequentialGroup()
                    .addContainerGap(257, Short.MAX_VALUE)
                    .addGroup(gl_contentPane.createParallelGroup(Alignment.LEADING)
                        .addComponent(button, GroupLayout.PREFERRED_SIZE, 141, GroupLayout.PREFERRED_SIZE)
                        .addComponent(btnNewButton, GroupLayout.PREFERRED_SIZE, 141, GroupLayout.PREFERRED_SIZE))
                    .addGap(26))
        );
        gl_contentPane.setVerticalGroup(
            gl_contentPane.createParallelGroup(Alignment.LEADING)
                .addGroup(gl_contentPane.createSequentialGroup()
                    .addGap(33)
                    .addComponent(btnNewButton, GroupLayout.PREFERRED_SIZE, 40, GroupLayout.PREFERRED_SIZE)
                    .addGap(18)
                    .addComponent(button, GroupLayout.PREFERRED_SIZE, 40, GroupLayout.PREFERRED_SIZE)
                    .addContainerGap(121, Short.MAX_VALUE))
        );
        contentPane.setLayout(gl_contentPane);
    }
}

Antivirus papers:
 
http://www.agusblog.com/wordpress/what-is-a-virus-signature-are-they-still-used-3.htm
http://en.wikipedia.org/wiki/Antivirus_software#Signature-based_detection
http://en.wikipedia.org/wiki/Oligomorphic_code
http://en.wikipedia.org/wiki/Polymorphic_code
http://en.wikipedia.org/wiki/Metamorphic_code
 
 
things to be done:
-full scan module
-scan file module
-upgrading module
 
process [!                                ] 1%
« Last Edit: August 03, 2011, 06:55:07 AM by gh0st »
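The signature-based detection described in the linked papers, as an added example that is not part of gh0st's project code: a byte-pattern signature database, a walker that keeps going past unreadable files, and a constructed sample tree to scan. The class name, the signature name and pattern, and the sample files are all made up for the demo.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.*;

public class SignatureScanner {
    // Constructed demo signature database (name -> byte pattern); a real AV loads thousands of these.
    static final Map<String, byte[]> SIGNATURES = new LinkedHashMap<>();
    static { SIGNATURES.put("Demo.TestPattern", "EVILZONE-DEMO-SIGNATURE".getBytes(StandardCharsets.US_ASCII)); }
    /** Names of all signatures whose byte pattern occurs anywhere in the file. */
    static List<String> matches(Path file) throws IOException {
        byte[] data = Files.readAllBytes(file); // fine for a demo; a real scanner streams large files
        List<String> hits = new ArrayList<>();
        for (Map.Entry<String, byte[]> sig : SIGNATURES.entrySet())
            if (indexOf(data, sig.getValue()) >= 0) hits.add(sig.getKey());
        return hits;
    }
    /** Naive byte-array search: offset of the first occurrence of needle in hay, or -1. */
    static int indexOf(byte[] hay, byte[] needle) {
        outer: for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) if (hay[i + j] != needle[j]) continue outer;
            return i;
        }
        return -1;
    }
    /** Walks root and maps each flagged file to its matched signatures; unreadable entries are skipped. */
    static Map<Path, List<String>> scan(Path root) throws IOException {
        Map<Path, List<String>> report = new TreeMap<>();
        Files.walkFileTree(root, new SimpleFileVisitor<Path>() {
            @Override public FileVisitResult visitFile(Path f, BasicFileAttributes a) {
                try { if (a.isRegularFile()) { List<String> m = matches(f); if (!m.isEmpty()) report.put(f, m); } }
                catch (IOException e) { /* locked or unreadable file: skip it rather than abort the scan */ }
                return FileVisitResult.CONTINUE;
            }
            @Override public FileVisitResult visitFileFailed(Path f, IOException e) { return FileVisitResult.CONTINUE; }
        });
        return report;
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample tree: one clean file and one file carrying the demo pattern.
        Path dir = Files.createTempDirectory("evilav-demo");
        Files.write(dir.resolve("clean.txt"), "hello".getBytes(StandardCharsets.US_ASCII));
        Files.write(dir.resolve("bad.bin"), "xx EVILZONE-DEMO-SIGNATURE xx".getBytes(StandardCharsets.US_ASCII));
        Path target = args.length > 0 ? Paths.get(args[0]) : dir;
        for (Map.Entry<Path, List<String>> e : scan(target).entrySet())
            System.out.println(e.getKey() + " -> " + e.getValue()); // demo tree: only bad.bin is listed
    }
}
```

Pass a directory as the first argument to scan something other than the constructed temp tree; a plain substring match like this is exactly what the polymorphic and metamorphic code articles above are about defeating.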

Offline gh0st

Re: evil AV (on development)
« Reply #1 on: August 03, 2011, 03:52:44 AM »
I got it: the word we have to look for is "data flow" in Java.
« Last Edit: August 03, 2011, 08:07:10 AM by gh0st »

Offline Kulverstukas

Re: evil AV (on development)
« Reply #2 on: August 03, 2011, 12:29:58 PM »
Not bad. Well, at least something is moving, though not much, but still... Maybe you should check out KAV source codes to get an idea how stuff works? :)

This is probably the original source of where it first became public, but I'm not sure: http://forum.vxheavens.com/viewtopic.php?id=692

/stickied
« Last Edit: August 03, 2011, 12:30:14 PM by Kulverstukas »

Offline Mellow

Re: evil AV (on development)
« Reply #3 on: August 03, 2011, 10:40:10 PM »
Haha, nice. Didn't think it would have progress anytime soon.
« Last Edit: August 03, 2011, 10:41:38 PM by MellowasJellow »

Offline ande

Re: evil AV (on development)
« Reply #4 on: August 03, 2011, 11:16:24 PM »
Like already stated in previous posts and/or comments: the hard part is NOT making a simple AV, the work is keeping it up to date with the latest threats. That is, a static signature-scanner-ish type. If you want a good AV, you need something that can make sense of machine code and look for common malware movement and the like. However, this will create a lot of unwanted detections too.

Bottom line is, for tech people, AVs are not going to be a good option until they are AIs. I don't use an AV, I find it awful, I never use it. I never get infected; if I do, I remove it myself. Easier, less performance-killing and no friggin' popups. Brains and malware understanding are all you need.

Offline Stackprotector

Re: evil AV (on development)
« Reply #5 on: August 04, 2011, 12:56:16 AM »
ande, let them be, it would be a good learning job if he succeeds in recognising any kind of patterns in nubish, fully detected malware :)
~Factionwars

Offline gh0st

Re: evil AV (on development)
« Reply #6 on: August 04, 2011, 07:21:21 AM »
I'm trying to get the path of a computer to start with the scanning, but when I try:
Code:
// needs: import java.io.FileInputStream; import java.io.FileNotFoundException;
btnNewButton = new JButton("Full scan");
btnNewButton.addActionListener(new ActionListener() {
    public void actionPerformed(ActionEvent e) {
        FileInputStream allHDscan;
        try {
            allHDscan = new FileInputStream("here"); // "here" is the placeholder being asked about
        } catch (FileNotFoundException ex) { // checked exception: without this the snippet does not compile
            ex.printStackTrace();
        }
    }
});

I don't know what to put in place of "here"; it doesn't look right. I think that I would need a method called getpath(), but examples on the web are few. Besides, I started Java a week ago :P, so any suggestions?

Offline xzid

Re: evil AV (on development)
« Reply #7 on: August 04, 2011, 08:17:09 AM »
Quote from: gh0st
I'm trying to get the path of a computer to start with the scanning, but when I try:
Code:
// needs: import java.io.FileInputStream; import java.io.FileNotFoundException;
btnNewButton = new JButton("Full scan");
btnNewButton.addActionListener(new ActionListener() {
    public void actionPerformed(ActionEvent e) {
        FileInputStream allHDscan;
        try {
            allHDscan = new FileInputStream("here"); // "here" is the placeholder being asked about
        } catch (FileNotFoundException ex) { // checked exception: without this the snippet does not compile
            ex.printStackTrace();
        }
    }
});

I don't know what to put in place of "here"; it doesn't look right. I think that I would need a method called getpath(), but examples on the web are few. Besides, I started Java a week ago :P, so any suggestions?

Path... as in the environment variable?

Code:
class EnvPath {
    public static void main(String[] args) {
        System.out.println(System.getenv("PATH"));
    }
}


Quote
besides I started Java a week ago

Quote
so any suggestions?

Delay this project. Finish your Java tutorial before attempting to write a real application; work on small test programs. From your link, apparently all you have done is the GUI... outlook not so good. Learn a lot about the Java API, learn about NT/PE/MASM/windbg/etc., write your own malware before attempting this.

xor

Re: evil AV (on development)
« Reply #8 on: August 04, 2011, 01:50:05 PM »

What I would recommend is that you enumerate the root file systems (as shown below) and populate a window where they can choose which ones to scan.

Code: (java)
import java.io.*;

public class test
{
    public static void main(String[] args)
    {
        File[] roots = File.listRoots();

        for (int i = 0; i < roots.length; i++)
            System.out.println(roots[i]);
    }
}

This works on Windows as well as Linux. In Linux you will get a list of the partitions made on the disk and their mount points; in Windows you will get a list of drives. Example output from my Windows 7 machine and a Linux VPS.

Quote
C:\Users\nohusuro\Desktop>javac -d . *.java && java test
C:\
D:\
E:\
F:\
G:\
X:\
Z:\
Quote
sh-3.2$ javac -d . *.java && java test
/
« Last Edit: August 04, 2011, 01:59:27 PM by xor »

xor

Re: evil AV (on development)
« Reply #9 on: August 04, 2011, 04:13:29 PM »
You could also use javax.swing.filechooser.FileSystemView, which is a more advanced version that can get you more information such as the drive name. And if you wanted to get really advanced, you could implement JNI and mix Java with any other language (preferably C). See the example below.

http://java.sun.com/developer/onlineTraining/Programming/JDCBook/jniexamp.html#examp


Offline Huntondoom

Re: evil AV (on development)
« Reply #11 on: August 04, 2011, 07:16:10 PM »
Just a little addition:
look for things stored in RAM; maybe some malicious stuff is temporarily stored there.

Offline gh0st

Re: evil AV (on development)
« Reply #12 on: August 05, 2011, 07:02:46 AM »
Quote from: xor
You could also use javax.swing.filechooser.FileSystemView, which is a more advanced version that can get you more information such as the drive name. And if you wanted to get really advanced, you could implement JNI and mix Java with any other language (preferably C). See the example below.

http://java.sun.com/developer/onlineTraining/Programming/JDCBook/jniexamp.html#examp

Nice post dude, very useful. Look, I want to make the "full scan" button start scanning the hard drive. I can easily set a name for the path, but what happens if the path is unlike the one that I set? For example, in Linux the path is "root" and in Windows the path is "C or D", however they are named. Will I have to read the user's path name? Or do I need to use a thing named getdefault directory? For example:
Code:
// excerpt from javax.swing.filechooser.FileSystemView (JDK source)
public File getHomeDirectory() {
    return createFileObject(System.getProperty("user.home"));
}

/**
 * Return the user's default starting directory for the file chooser.
 *
 * @return a <code>File</code> object representing the default
 *         starting folder
 */
public File getDefaultDirectory() {
    File f = (File)ShellFolder.get("fileChooserDefaultFolder");
    if (isFileSystemRoot(f)) {
        f = createFileSystemRoot(f);
    }
    return f;
}


This one looks smart, I think that I'm going to implement that one ;D

Offline gh0st

Re: evil AV (on development)
« Reply #13 on: August 05, 2011, 07:27:48 AM »
Quote from: ande
Like already stated in previous posts and/or comments: the hard part is NOT making a simple AV, the work is keeping it up to date with the latest threats. That is, a static signature-scanner-ish type. If you want a good AV, you need something that can make sense of machine code and look for common malware movement and the like. However, this will create a lot of unwanted detections too.

Bottom line is, for tech people, AVs are not going to be a good option until they are AIs. I don't use an AV, I find it awful, I never use it. I never get infected; if I do, I remove it myself. Easier, less performance-killing and no friggin' popups. Brains and malware understanding are all you need.

Can we get a database from a known AV? I think that it's possible; let's do a bit of research in that field.

Offline xzid

Re: evil AV (on development)
« Reply #14 on: August 05, 2011, 08:39:59 AM »
Quote from: gh0st
Nice post dude, very useful. Look, I want to make the "full scan" button start scanning the hard drive. I can easily set a name for the path, but what happens if the path is unlike the one that I set? For example, in Linux the path is "root" and in Windows the path is "C or D", however they are named. Will I have to read the user's path name? Or do I need to use a thing named getdefault directory? For example:
Code:

...

This one looks smart, I think that I'm going to implement that one ;D

No matter what, you will have to implement a different engine for Linux/Windows. Java may be cross-compatible, but binary files are not. Filesystem architecture is not. There are also many, many more differences between the two.

Use [System.getProperty("os.name")] to identify the system. Use [System.getenv()] to find folders; for Windows these environment variables should be targeted:

Code:
System.getenv("ProgramFiles")   // Program Files directory (C:\Program Files)
System.getenv("SystemRoot")     // Windows system root (C:\Windows)
System.getenv("UserProfile")    // HOME directory
System.getenv("SystemDrive")    // Windows drive (C:) - don't re-scan drives already scanned

Each should have its own GUI option, perhaps in groups. Like a "user scan" option: HOME & Program Files. A system scan: C:\Windows & perhaps the registry. An option of scanning any full drive (use the example xor provided, [File.listRoots()]). Any more options you can think of.

In Linux, no need for such things. Linux mounts drives using /etc/fstab, so no matter what... your root drive is "/". chroot will change this (it will be "/" nonetheless).

Code:
"/lib"
"/sbin"
"/usr/bin"
"/usr/local/bin"
"/bin"
System.getenv("HOME")   // if rooted, then use "/home" instead
"/"                     // don't re-scan drives already scanned

Quote
In linux you will get a list of the partitions made on the disk and their mount points

If this is correct (untested, I have no Linux except Android at the moment), then my box would show a partition for /, /boot, /home (Gentoo). It would also have a swap partition. It would also have many USB drives (which would be worth an option to search). This may cause problems, unless by partitions xor means actual "root drives", like your Linux filesystem plus any extra external/internal drive mounted in /mnt.
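xzid's per-OS target lists, xor's File.listRoots() and FileSystemView suggestions, and the "don't re-scan drives already scanned" rule, combined into one planner as an added example (not code from anyone in the thread). The ScanPlanner class, the profile names "user"/"system"/"full" and the label() helper are my own; the environment variable names are the ones listed above.

```java
import java.io.File;
import java.nio.file.*;
import java.util.*;
import javax.swing.filechooser.FileSystemView;

public class ScanPlanner {
    /** Candidate roots for the chosen profiles ("user", "system", "full"), per the OS-specific lists above. */
    static List<Path> candidates(Set<String> profiles, String osName, Map<String, String> env) {
        List<String> dirs = new ArrayList<>();
        if (osName.toLowerCase(Locale.ROOT).startsWith("windows")) {
            if (profiles.contains("user")) Collections.addAll(dirs, env.get("UserProfile"), env.get("ProgramFiles"));
            if (profiles.contains("system")) dirs.add(env.get("SystemRoot"));
            if (profiles.contains("full")) for (File r : File.listRoots()) dirs.add(r.getPath()); // xor's listRoots()
        } else {
            if (profiles.contains("user")) dirs.add(env.getOrDefault("HOME", "/home"));
            if (profiles.contains("system")) Collections.addAll(dirs, "/bin", "/sbin", "/lib", "/usr/bin", "/usr/local/bin");
            if (profiles.contains("full")) dirs.add("/");
        }
        List<Path> out = new ArrayList<>();
        for (String d : dirs) if (d != null) out.add(Paths.get(d).toAbsolutePath().normalize()); // unset env var: skip
        return out;
    }

    /** Drops any root that lies inside another selected root, so no directory is scanned twice. */
    static List<Path> dedupe(List<Path> roots) {
        List<Path> sorted = new ArrayList<>(roots), kept = new ArrayList<>();
        sorted.sort(Comparator.comparingInt(Path::getNameCount)); // shallowest first, so parents are kept before children
        for (Path p : sorted) {
            boolean nested = false;
            for (Path k : kept) nested |= p.startsWith(k); // Path.startsWith compares whole name elements, not characters
            if (!nested) kept.add(p);
        }
        return kept;
    }

    /** Display label via FileSystemView, e.g. "Local Disk (C:)" on Windows; needs Swing on the classpath. */
    static String label(Path root) {
        FileSystemView fsv = FileSystemView.getFileSystemView();
        File f = root.toFile();
        return fsv.getSystemDisplayName(f) + (fsv.isFloppyDrive(f) ? " [floppy]" : "");
    }

    public static void main(String[] args) {
        Set<String> profiles = new HashSet<>(args.length > 0 ? Arrays.asList(args) : Collections.singletonList("user"));
        List<Path> plan = dedupe(candidates(profiles, System.getProperty("os.name"), System.getenv()));
        for (Path p : plan) System.out.println(p + "  (" + label(p) + ")"); // "user full" collapses to the drive roots alone
    }
}
```

Run it as `java ScanPlanner user system full` to see the nested entries (Program Files, C:\Windows, /usr/bin, ...) disappear behind the drive roots they live on.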

 


