MEM2 Dump - weird error

Started by Arudo, October 04, 2010, 04:58:59 AM


Arudo

I'm a bit amused and annoyed with my Anti-virus software this time.

I was doing a Mem2 Scan with the 90 addresses via USBGecko and Wiird, and my antivirus program pops up saying that Block 46/52 is associated with the MyDoom email virus.

Has anybody else experienced this before?
-Crazy Hacker Hates You All (definitely)-

ノಠ益ಠ)ノ彡┻━┻

Do NOT PM me about Code Requests

Pro-tip: Hit the Applaud Button

Oh? Failed to read the rules? You're already dead.

Link

Quote from: Arudo on October 04, 2010, 04:58:59 AM
I'm a bit amused and annoyed with my Anti-virus software this time.

I was doing a Mem2 Scan with the 90 addresses via USBGecko and Wiird, and my antivirus program pops up saying that Block 46/52 is associated with the MyDoom email virus.

Has anybody else experienced this before?

While this is hardly believable, it is possible that memory dumps contain code which seems suspicious to anti-virus applications. This should not happen, but it is technically possible!

dcx2

I'm reminded of a quote.

"an infinite number of monkeys smashing away at keyboards randomly forever will eventually produce the complete works of Shakespeare."

It's entirely possible that the heuristics that the anti-virus scanner uses to detect a virus got fooled by the random order of bits in the memory dump.

Arudo

Must be the case, it stopped doing that after I started scanning again.
-Crazy Hacker Hates You All (definitely)-

ノಠ益ಠ)ノ彡┻━┻

Do NOT PM me about Code Requests

Pro-tip: Hit the Applaud Button

Oh? Failed to read the rules? You're already dead.

Dude

The only thing I can think of is that the memory values in a set sequence had similarities to data sequences in the virus.
It's NOT the virus itself, just that the variables in that memory area at the time of the dump just happened to coincide with similar patterns found in the viral signature that your AV uses...

This would be like a 1 in a billion billion chance to happen, and since it didn't trigger the alert the next time you dumped the ram, this would mean that the sequence of data from that region had changed in the game, as would be expected.

Kinda like trying to guess the winning lottery numbers! lol
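The point dcx2 and Dude are making, as an added illustration that is not code from this thread: a byte-pattern signature has a chance of matching random data that depends only on how many bytes it pins down, so short or heavily wildcarded patterns fire by accident while long ones practically never do. The 1 MiB pseudo-random "dump", the ClamAV-style hex signature syntax, and the equal-sized block layout used to carve out "Block 46/52" are all constructed assumptions.

```python
import random
import re

# Constructed stand-in for a MEM2 dump: 1 MiB of seeded pseudo-random bytes.
# A real Wii MEM2 dump is larger; the size here is an assumption for speed.
DUMP_SIZE = 1 << 20
DUMP = random.Random(0xC0DE).randbytes(DUMP_SIZE)

def signature_regex(sig_hex: str) -> re.Pattern:
    """Compile a ClamAV-style hex signature ('de ad ?? be ef') to a bytes regex.
    A '??' token is a wildcard matching any single byte."""
    parts = [b'.' if tok == '??' else re.escape(bytes.fromhex(tok))
             for tok in sig_hex.split()]
    return re.compile(b''.join(parts), re.DOTALL)

def count_hits(sig_hex: str, data: bytes = DUMP) -> int:
    """Count positions in `data` where the signature matches."""
    return sum(1 for _ in signature_regex(sig_hex).finditer(data))

def expected_random_hits(sig_hex: str, size: int = DUMP_SIZE) -> float:
    """Expected chance matches in `size` uniformly random bytes: every fixed
    byte must agree (probability 1/256 each), wildcards always agree, and there
    are roughly `size` starting positions. Two fixed bytes in 1 MiB gives ~16
    hits; eight fixed bytes gives ~6e-14, i.e. never by accident."""
    fixed = sum(1 for tok in sig_hex.split() if tok != '??')
    return size / (256 ** fixed)

def carve_block(data: bytes, index: int, total: int) -> bytes:
    """Return 1-based block `index` of `total` equal-sized blocks, so a report
    such as 'Block 46/52' can be pulled out and inspected on its own. The
    equal-split layout is an assumption about how the scanner numbers blocks."""
    block_size = -(-len(data) // total)  # ceiling division
    start = (index - 1) * block_size
    return data[start:start + block_size]

if __name__ == "__main__":
    for sig in ("de ad", "de ad be ef", "de ad ?? ?? be ef 00 01"):
        print(f"{sig:28s} expected {expected_random_hits(sig):10.4g}"
              f"  observed {count_hits(sig)}")
    # A pattern that really is present is found wherever it lands.
    planted = DUMP[:4096] + bytes.fromhex("deadbeef") + DUMP[4100:]
    print("planted de ad be ef hits:", count_hits("de ad be ef", planted))
    print("block 46/52 size:", len(carve_block(DUMP, 46, 52)))
```

Re-dumping changes the bytes at that region, which is why the alert did not repeat; a hit on a non-executable dump file can simply be excluded from scanning rather than treated as an infection.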

Bully@Wiiplaza

better you win in lotto instead of this :P
My Wii hacking site...
http://bullywiihacks.com/

My youtube account with a lot of hacking videos...
http://www.youtube.com/user/BullyWiiPlaza

~Bully

WiiPower

Hmm, now if I was a games developer, I would know what to do with free memory...

dcx2

Getting the payload to the victim is the easy part. Getting the payload executed is more difficult...

Romaap

If they could just place some binary dumps of common viruses in the free space they could make any virus scanner go nuts if we do some searches.

WiiPower

That's what I thought. Getting the virus to be actually executed would require them to find an exploit in Wiird. But if a virus would show up on the virus scanner every time you scan the memory of a game, that would be a nice way to say 'hello' for the game devs. I would do that just for the fun of it.