RE: Show me the Virrii!

[Nick FitzGerald <nick () virus-l demon co uk>]

Steve Wray <steve.wray () paradise net nz> replied to S G Masood:

> > 4. When their heuristic engines pick up new viruses
> > automatically, they usually have some kind of an
> ...
>
> Does anyone have reliable reports of an antivirus system firing 
> off on a heuristic?
>
> I'm not aware of ever having seen one; always seems to be a
> signature.

Well, the answer may depend on precisely how you choose to define 
"firing off", "heuristic" and "signature"...  Regardless, apart from 
what would be ridiculously limited definitions of those terms, I am 
sure I could answer "yes, all the time".

The sophist in me wishes to point out that _any_ detection based on 
"identifying data" smaller than the object to be detected is 
necessarily "heuristic".  For example, consider the simplest case of 
malware detection -- identifying a single, complete file (be it a 
Trojan Horse, monolithic replicating virus or what have you) -- and the 
simple detection method for such static targets (albeit possibly 
impractable for real-world, realtime use) of comparing a cryptographic 
hash of the entire file contents with a list of such hashes for all 
known static malware targets.  Although triflingly small, there is 
always a larger than 0% probability of false positives due to the 
heuristic assumption that this probability is "low enough" for everyday 
use.  Note that I am not denying the usefulness of such a heuristic in 
much everyday malware scanning.  Rather, I am pointing out that such 
detection methods _are_ heuristic in nature despite the fact they are 
often considered deterministic.

Of course, all manner of further simplifications of this basic approach
-- from the crudest of simple short sub-string matches through the 
sometimes hugely elegant evaluations of code emulator outputs -- 
commonly used in varying numbers and forms in all currently 
"successful" virus scanners are equally clearly "heuristic" in this 
sense.

However, let's accept for now that by "heuristic" we mean detection 
methods much "looser" and much less deterministic than comparison of 
cyrptographic file hashes.  Many scanners have emulators, code 
analysers, groups of detection strings indicative of functionality that 
typically falls together in malware and seldom is seen together in 
"legitimate" programs and so on.  These make detections of previously 
unseen malware all the time.  Further, some products have (to varying 
degrees) eschewed the notion that precise identification is the be all 
and end all of malware detection, with the developers deliberately 
making their product's detection of known and analysed malware quite 
"loose".  The point of such "sloppy" deetction is that it will, by and 
large, detect new and previosuly unseen malware variants while not 
detecting non-malware programs.

All this leads to continual "heuristic" detections.  Of course, in some 
products these heuristic detections may not seem like such unless you 
know what to look for.  For example, NAI's (aka McAfee) detection 
engine uses a lot of "generic" detection drivers.  In effect these work 
by being able to detect a large number of specific variants of a known 
malware family (handy when different disinfection and system restore 
information is necessary for different variants), but also have a 
notion of a code profile (my term, for lack of a better one) for the 
family in question.  Many new variants are thus detected by the 
"profile" rather than by information pertinent to a specific variant. 
The engine may report many (or even all -- someone from NAI may wish to 
step in and help me here...) of the detections from such a driver as 
"<family_name>.gen" despite the fact the disinfection engine will know 
the right thing to do for any specifically detected variants.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html