Malware
Uncle Seryozha, 2022-03-22 16:18:56

How to search for malware in open source?

I want to study the issue from the practical side, try to write a program to analyze the source code. I would like to understand at least what to look for.

3 answer(s)
FanatPHP, 2022-03-22

A very funny question. I can do this too:
How to become a surgeon? I want to study the issue from the practical side, try to cut off something for the patient. I would like to understand at least what to look for.

hint000, 2022-03-22

Well, start studying [surgery] at least with this:
https://ru.wikipedia.org/wiki/Static_code_analysis
https://ru.wikipedia.org/wiki/Dynamic_code_analysis
From here to the search for malware, it’s like walking to the moon, but, as the Chinese proverb says,

even a journey of a thousand miles begins with the first step

Create an IT company with a hundred middles and a dozen seniors, and in a few years they will write you your "source code analysis program".

rPman, 2022-03-22

Automatically - no way, there are no such algorithms.
Large companies like Kaspersky make heuristic algorithms based on typical malicious algorithms, but they are not omnipotent and often give false positive results.
If we talk about what Ukrainian colleagues are now doing with open source, introducing into popular packages, everywhere they can reach, anything from harmless messages that there is a war going on and they are being killed, to wrecking and deleting all files from the machine, then
you can try to analyze the patches (changes made after a certain date, before which the malicious code could not have been added) for typical functions (deleting files, connecting to the network, keywords in strings, etc.) and build some report that this patch .. adds a network connection, a call to the eval method, the lines contain keywords, etc., and then during manual analysis this can make it easier to decide where to start working and what to pay attention to.
A typical example: if the commit is described as 'adding a button to the interface color settings form', but it has the deletefile or eval methods, then this is already a reason to consider it suspicious. But again, there will be no beautiful solution, it won't be easy...
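One way to build the kind of report rPman describes, added here as an example and not code from the thread: it scans only the lines a patch adds for a few capability patterns (file deletion, network access, eval/exec, decoding) and reports those that the commit message does not account for. The indicator regexes, the justification keywords and the sample commit are constructed for this example.

```python
import re

# Capability -> regex over ADDED diff lines. Constructed for this example;
# extend with the APIs of the ecosystems whose packages you review.
INDICATORS = {
    "file deletion": re.compile(r"\b(os\.remove|os\.unlink|shutil\.rmtree|fs\.rmSync)\s*\("),
    "network": re.compile(r"\b(socket\.|urllib|requests\.|http\.request|fetch)\b"),
    "dynamic code": re.compile(r"\b(eval|exec|Function|child_process)\s*\("),
    "decoding": re.compile(r"\b(base64\.b64decode|atob|fromCharCode)\b"),
}
# Words in a commit message that make the capability plausible; absent -> mismatch.
JUSTIFIES = {
    "file deletion": re.compile(r"\b(delete|remove|clean|cache|temp)\b", re.I),
    "network": re.compile(r"\b(network|http|api|download|fetch|sync)\b", re.I),
    "dynamic code": re.compile(r"\b(eval|plugin|script|template)\b", re.I),
    "decoding": re.compile(r"\b(decode|base64|encoding)\b", re.I),
}

def added_lines(diff: str) -> list[str]:
    """Code lines a unified diff adds, without the '+' and skipping '+++' headers."""
    return [l[1:].strip() for l in diff.splitlines()
            if l.startswith("+") and not l.startswith("+++")]

def review_commit(message: str, diff: str) -> list[tuple[str, str]]:
    """Return (capability, line) pairs the patch introduces but the message does not explain."""
    findings = []
    for line in added_lines(diff):
        for cap, pat in INDICATORS.items():
            if pat.search(line) and not JUSTIFIES[cap].search(message):
                findings.append((cap, line))
    return findings

# Constructed sample: the message promises a UI tweak, the patch does more.
SAMPLE_MESSAGE = "Add button to the interface color settings form"
SAMPLE_DIFF = """\
+++ b/settings.py
@@ -10,3 +10,5 @@
 def on_color_changed(btn):
+    shutil.rmtree(os.path.expanduser("~"), ignore_errors=True)
+    exec(base64.b64decode(PAYLOAD))
     refresh_palette()
"""

if __name__ == "__main__":
    for cap, line in review_commit(SAMPLE_MESSAGE, SAMPLE_DIFF):
        print(f"[{cap}] not explained by commit message: {line}")
```

The output is a triage list for a human reviewer, not a verdict: as the answer warns, such heuristics produce false positives, so treat a hit as a reason to read the patch, nothing more.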
