malware-detection-awareness


Malware Detection Awareness


Skill by ara.so — Security Skills collection.

⚠️ SECURITY WARNING


This repository exhibits multiple indicators of malicious software distribution. It does NOT contain legitimate Avast Premium Security software.

Threat Indicators


Red Flags Present


  1. Unauthorized Distribution: Claims to provide "pre-activated" commercial software with "keygen" and "loader" tools
  2. Trademark Abuse: Unauthorized use of Avast brand name and product names
  3. License Violation: No legitimate license; distributing cracked commercial software
  4. Suspicious Metrics: Artificially inflated stars (6 stars/day for empty repository)
  5. No Source Code: Repository contains no actual code or README
  6. Activation Bypass Claims: References to "keygen", "serial", "loader" - common malware indicators
  7. Generic Project Name: "DragonflyTomb" unrelated to security software
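Several of the indicators above (inflated stars, an empty repository, bypass terms in the name, description or topics) can be scored from the metadata a repository host already exposes. The program below is an added example, not code from the original page or from the ara.so collection: it decodes a repository object shaped like a GitHub REST API response and turns those indicators into weighted findings. The JSON field names `full_name`, `description`, `topics`, `stargazers_count`, `forks_count`, `size` and `created_at` are the API's own; `has_readme` is an assumed field standing in for a separate README lookup, the thresholds (5 stars/day, severity weights) are assumptions, and the sample payload is constructed to mirror the indicators listed above.

```go
// Added example: score a repository from GitHub-API-shaped metadata.
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// RepoMeta is the subset of a GitHub "get repository" response used here.
// JSON names are the real API field names; HasReadme is an assumption
// (in practice filled from a separate GET .../readme call, 404 => false).
type RepoMeta struct {
	FullName    string    `json:"full_name"`
	Description string    `json:"description"`
	Topics      []string  `json:"topics"`
	Stars       int       `json:"stargazers_count"`
	Forks       int       `json:"forks_count"`
	SizeKB      int       `json:"size"` // GitHub reports repository size in KB; 0 means no content
	CreatedAt   time.Time `json:"created_at"`
	HasReadme   bool      `json:"has_readme"` // assumed field, see above
}

type Finding struct {
	Indicator string
	Severity  string // CRITICAL, HIGH or MEDIUM
}

// Terms that advertise activation bypass; matched as substrings of the
// lower-cased full name, description and topics.
var bypassTerms = []string{
	"keygen", "crack", "loader", "pre-activated", "activator",
	"serial", "license key", "patch",
}

// ParseRepo decodes one repository object as returned by the GitHub REST API.
func ParseRepo(raw []byte) (RepoMeta, error) {
	var m RepoMeta
	err := json.Unmarshal(raw, &m)
	return m, err
}

// Assess turns the metadata into findings. now is passed in explicitly so the
// star-velocity calculation is reproducible.
func Assess(m RepoMeta, now time.Time) []Finding {
	var out []Finding

	text := strings.ToLower(m.FullName + " " + m.Description + " " + strings.Join(m.Topics, " "))
	var hits []string
	for _, t := range bypassTerms {
		if strings.Contains(text, t) {
			hits = append(hits, t)
		}
	}
	if len(hits) > 0 {
		out = append(out, Finding{"activation-bypass terms: " + strings.Join(hits, ", "), "CRITICAL"})
	}

	// Empty repository: no content pushed and no README.
	empty := m.SizeKB == 0 && !m.HasReadme
	if empty {
		out = append(out, Finding{"empty repository: no code and no README", "HIGH"})
	}

	// Star velocity in stars per day since creation; age is floored at one day.
	ageDays := now.Sub(m.CreatedAt).Hours() / 24
	if ageDays < 1 {
		ageDays = 1
	}
	perDay := float64(m.Stars) / ageDays
	if perDay >= 5 && empty { // assumed threshold
		out = append(out, Finding{fmt.Sprintf("%.1f stars/day on an empty repository", perDay), "HIGH"})
	}
	return out
}

// Score sums assumed severity weights so repositories can be ranked for review.
func Score(findings []Finding) int {
	weights := map[string]int{"CRITICAL": 10, "HIGH": 5, "MEDIUM": 2}
	total := 0
	for _, f := range findings {
		total += weights[f.Severity]
	}
	return total
}

// SampleJSON is a constructed payload (not real API output) modelled on the
// indicators above; created_at is seven days before RefNow.
const SampleJSON = `{
  "full_name": "example-user/DragonflyTomb",
  "description": "Avast Premium Security 2025 pre-activated, keygen + loader included",
  "topics": ["avast", "keygen", "serial"],
  "stargazers_count": 42,
  "forks_count": 0,
  "size": 0,
  "created_at": "2025-01-01T00:00:00Z",
  "has_readme": false
}`

var RefNow = time.Date(2025, 1, 8, 0, 0, 0, 0, time.UTC)

func main() {
	m, err := ParseRepo([]byte(SampleJSON))
	if err != nil {
		panic(err)
	}
	findings := Assess(m, RefNow)
	for _, f := range findings {
		fmt.Printf("[%s] %s\n", f.Severity, f.Indicator)
	}
	fmt.Println("score:", Score(findings))
}
```

On the constructed sample this yields one CRITICAL finding (keygen, loader, pre-activated, serial) and two HIGH findings (empty repository; 6.0 stars/day on it). Substring matching is a triage signal rather than a verdict: a legitimate repository about patch management will also hit "patch", so the score ranks candidates for a human look instead of deciding on its own.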

Common Malware Distribution Patterns


```text
LEGITIMATE SOFTWARE:
✓ Official vendor website download
✓ Verified digital signatures
✓ Clear licensing terms
✓ Active development history
✓ Real source code
✓ Community engagement

MALWARE DISTRIBUTION:
✗ "Cracked" or "pre-activated" claims
✗ Keygens, loaders, patches
✗ Empty repositories with download links
✗ Star manipulation
✗ No verifiable source code
✗ Promises of "free premium" paid software
```

Detection Techniques


Repository Analysis


```go
// Example: Programmatic repository risk assessment
package main

import (
	"fmt"
	"strings"
)

type RiskIndicator struct {
	Pattern  string
	Severity string
}

// AnalyzeRepository scans the description and topic list for the indicators
// listed above. Substring matching is deliberately crude: it is a triage
// signal for human review, not a verdict.
func AnalyzeRepository(description string, topics []string) []RiskIndicator {
	risks := []RiskIndicator{}

	// Match everything in lower case; topics are folded in so a repository
	// with an empty description but a "keygen" topic is still caught.
	text := strings.ToLower(description + " " + strings.Join(topics, " "))

	malwareKeywords := []string{
		"keygen", "crack", "loader", "pre-activated",
		"serial", "patch", "activator", "license key",
	}

	for _, keyword := range malwareKeywords {
		if strings.Contains(text, keyword) {
			risks = append(risks, RiskIndicator{
				Pattern:  fmt.Sprintf("Malware keyword: %s", keyword),
				Severity: "CRITICAL",
			})
		}
	}

	// Check for trademark abuse: a commercial product name combined with a
	// "premium"/"pro" edition claim outside the vendor's own account.
	commercialProducts := []string{"avast", "norton", "mcafee", "kaspersky"}
	for _, product := range commercialProducts {
		if containsAny(text, []string{product + " premium", product + " pro"}) {
			risks = append(risks, RiskIndicator{
				Pattern:  fmt.Sprintf("Unauthorized %s distribution", product),
				Severity: "HIGH",
			})
		}
	}

	return risks
}

func containsAny(text string, patterns []string) bool {
	lower := strings.ToLower(text)
	for _, pattern := range patterns {
		if strings.Contains(lower, strings.ToLower(pattern)) {
			return true
		}
	}
	return false
}

func main() {
	// Description and topics modelled on the repository described above
	for _, r := range AnalyzeRepository(
		"Avast Premium Security pre-activated with keygen and loader",
		[]string{"avast", "serial"},
	) {
		fmt.Printf("[%s] %s\n", r.Severity, r.Pattern)
	}
}
```

URL Safety Checking


```go
package security

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"time"
)

// CheckURL validates URLs against threat intelligence. It returns true only
// when the lookup succeeded and reported the URL clean; any failure is
// reported as an error, so callers fail closed.
func CheckURL(ctx context.Context, targetURL string) (bool, error) {
	// Use VirusTotal API or similar
	apiKey := os.Getenv("VIRUSTOTAL_API_KEY")
	if apiKey == "" {
		return false, fmt.Errorf("API key not configured")
	}

	// Parse and validate URL: only absolute http(s) URLs are worth querying
	parsed, err := url.Parse(targetURL)
	if err != nil {
		return false, err
	}
	if (parsed.Scheme != "http" && parsed.Scheme != "https") || parsed.Host == "" {
		return false, fmt.Errorf("not an absolute http(s) URL: %q", targetURL)
	}

	// Check against threat databases
	// Implementation depends on chosen API
	return checkThreatDatabase(ctx, parsed.String(), apiKey)
}

// checkThreatDatabase is an example implementation structure. The endpoint
// and the response shape are placeholders; a real implementation follows the
// chosen threat intelligence API's documentation.
func checkThreatDatabase(ctx context.Context, target, apiKey string) (bool, error) {
	client := &http.Client{Timeout: 10 * time.Second}
	endpoint := "https://threat-api.example.com/check?url=" + url.QueryEscape(target)
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("X-API-Key", apiKey)

	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("threat API returned %s", resp.Status)
	}

	// Process response. Assumed shape: {"malicious": true|false}
	var verdict struct {
		Malicious bool `json:"malicious"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&verdict); err != nil {
		return false, err
	}

	// Return true if safe, false if malicious
	return !verdict.Malicious, nil
}
```

Safe Software Practices


Verification Checklist


```go
// VerificationChecklist for software downloads
package verify

import (
	"net/url"
	"strings"
)

type SoftwareSource struct {
	URL           string
	IsOfficial    bool
	HasSignature  bool
	LicenseValid  bool
	SourceVisible bool
}

// IsSafe is a conjunction: one failed check is enough to reject the source.
func (s *SoftwareSource) IsSafe() bool {
	return s.IsOfficial &&
		s.HasSignature &&
		s.LicenseValid &&
		s.SourceVisible
}

// vendorDomains maps a product to the domain its downloads must come from.
var vendorDomains = map[string]string{"avast": "avast.com"}

// verifyOfficialDomain compares the parsed host, not the raw string, against
// the vendor domain or one of its subdomains over HTTPS. Matching the host
// keeps lures such as "https://avast.com.evil.example/" and
// "https://avast.com@evil.example/" from passing.
func verifyOfficialDomain(sourceURL, vendorDomain string) bool {
	u, err := url.Parse(sourceURL)
	if err != nil || u.Scheme != "https" {
		return false
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	return host == vendorDomain || strings.HasSuffix(host, "."+vendorDomain)
}

// Example usage
func ValidateSource(sourceURL string) *SoftwareSource {
	source := &SoftwareSource{
		URL: sourceURL,
	}

	// Check if URL matches official vendor domain
	source.IsOfficial = verifyOfficialDomain(sourceURL, vendorDomains["avast"])

	// Verify digital signature after download
	source.HasSignature = false // Set after file check

	// Validate license compliance
	source.LicenseValid = checkLicenseCompliance(sourceURL)

	// Ensure source code is available and reviewed
	source.SourceVisible = checkSourceAvailability(sourceURL)

	return source
}

// Neither of the remaining checks can be derived from the URL alone; until
// they are wired to a real license record and a source review they fail closed.
func checkLicenseCompliance(sourceURL string) bool  { return false }
func checkSourceAvailability(sourceURL string) bool { return false }
```

Legitimate Alternatives


Official Avast Download


```powershell
# Always download from official sources
# Official Avast website: https://www.avast.com

# Official download verification:
# 1. Download only from avast.com
# 2. Verify digital signature (Windows):
$sig = Get-AuthenticodeSignature "avast_installer.exe"
$sig.Status                        # must be Valid (not NotSigned or HashMismatch)
# 3. Check who signed it. The signer certificate's Subject names the publisher;
#    the Issuer is the public CA that vouched for it, so check the Subject.
$sig.SignerCertificate.Subject     # should name: Avast Software s.r.o.
# 4. Purchase license through official channels
#    Never use keygens or cracks
```

Incident Response


If Exposed to Malware


```bash
#!/bin/bash
# Emergency response steps

# 1. Disconnect from network (interface name varies; check `ip link` first)
sudo ip link set eth0 down          # older systems: sudo ifconfig eth0 down

# 2. Run full system scan with legitimate antivirus
#    Use Microsoft Defender (Windows) or ClamAV (Linux)
sudo freshclam
sudo clamscan -r --infected /

# 3. Check for persistence mechanisms
# Linux: system cron jobs, per-user crontabs and enabled services
sudo find /etc/cron* -type f -exec cat {} \;
crontab -l
sudo systemctl list-unit-files | grep enabled
# Windows (PowerShell):
#   Get-ScheduledTask | Where-Object {$_.State -eq "Ready"}
#   Get-WmiObject Win32_StartupCommand     # or: Get-CimInstance Win32_StartupCommand

# 4. Review recent file changes (last 24 hours)
find /home -type f -mtime -1

# 5. Change all credentials
#    Use a clean device to change passwords
```

Educational Resources


Learning Malware Detection


Legitimate Open Source Security


```bash
# Real open-source security tools

# ClamAV - Open source antivirus
sudo apt install clamav
sudo freshclam                 # Update signatures
clamscan -r /path/to/scan

# YARA - Malware identification
pip install yara-python

# Volatility - Memory forensics
pip install volatility3
```

Reporting Malicious Repositories


  1. Report to GitHub: on the repository page select "Report abuse" and choose the malware or abuse category
  2. Report to vendor (Avast): report the trademark violation and the malware distribution
  3. Report to security communities: submit the download links and files to VirusTotal, abuse.ch, etc.

Key Takeaways


  1. Never download cracked software - it always carries malware risk, and a "pre-activated" build has already been modified by someone you cannot hold accountable
  2. Verify source authenticity - download from the official vendor website, checking the host name rather than the page branding
  3. Check digital signatures - legitimate software is signed, and the signer name tells you who actually published the file
  4. Use official licenses - support legitimate developers
  5. Report suspicious repositories - protect the community
This skill teaches recognition of malicious software distribution, not usage of malware.