Full Disclosure mailing list archives

Re: Show me the Virrii!


From: Richard Maudsley <r_i_c_h_lists () btopenworld com>
Date: Sun, 04 Jan 2004 22:04:11 +0000

Hi,

There are not really any virus standards. The only heuristic pattern I have at present is for detecting mIRC worms, scanning for the ASCII strings "mirc.ini" and "Microsoft\Windows\CurrentVersion\Run" - but I am sure there are many legit programs out there containing both strings. I'm not really sure what to look for in viruses; what do packed Trojans have in common? More research I guess.

-Richard Maudsley

Research funnies: The presence of "NetBus" string in all versions of the Trojan, including packed files -easy heuristics ;)

At 21:28 04/01/2004, you wrote:
Hello,

        I believe you could use the following method, it is used by some mail
servers to block attachments by file type. It is not a sure way, but could
provide an option like "Possible virus".

Here is an example ... take a windows exe file. Better yet take 15
windows exe files. You will notice that the first part of each file is
the same. I can not remember how many bits :(

Now some mail servers will scan attachments and if someone renames an
exe to .zip, jpeg or something the system will still know it is an exe
because of the first X number of bits of the file.

I believe that most viruses work the same way, so a lot of the heuristic
engines work the same way.

Many "new" viruses work very similar to the way old ones do. So if you
can get the pattern of let's say 20 viruses (which you have) you should
be able to detect other viruses or files that may contain a virus based
on the pattern of the file and how well it relates to a known virus
pattern.

Michael.

On Sun, 04 Jan 2004 17:01:33 +0000
Richard Maudsley <r_i_c_h () btopenworld com> wrote:

> Hi list,
>
> I recently finished a stable version of my little Virus-Scanner, LMS (
>
> http://www.mindblock.org/lms ).
> It currently detects 19 viruses. I need it to detect hundreds.
>
> How do big Anti-Virus companies get their hands on new viruses, and
> how can I?
>
> Thanks,
>       Richard Maudsley
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


--
Hand over the Slackware CD's and back AWAY from the computer, your geek
rights have been revoked !!!

Michael Gale
Slackware user :)
Bluesuperman.com


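The two detection ideas in this thread, Michael's "type the attachment by its leading bytes, not its extension" and Richard's two-string mIRC heuristic, can be put together in a few dozen lines. The Python below is an added example written for this archive page; it is not code from LMS or from any mail server Michael refers to. The PE check uses the documented MZ/PE layout (the "PE\0\0" signature sits at the offset stored at 0x3C), the magic table and the sample files are constructed for the example, and build_fake_pe() is a helper that fabricates a minimal header so the example runs offline.

```python
"""Content-based file typing plus a string heuristic (added example, not LMS code).

Michael's point: a renamed .exe is still an .exe once you look at the bytes.
Richard's point: two ASCII strings together hint at an mIRC worm, with the
caveat that legitimate programs can contain both.
"""
import struct

# Well-known leading magic bytes for a few common attachment types.
# Constructed table for this example; a real scanner needs a far longer one.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
}

# Richard's mIRC heuristic: both strings must be present.
MIRC_MARKERS = (b"mirc.ini", b"Microsoft\\Windows\\CurrentVersion\\Run")


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' signature inside the file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):          # pointer runs off the end: not a PE
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def identify(data: bytes) -> str:
    """Name the file type from content alone, ignoring any extension."""
    if is_pe(data):
        return "exe"
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """Michael's mail-server check: executable content hiding behind a
    non-executable extension. Only 'exe' and 'dll' count as honest here."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return identify(data) == "exe" and ext not in ("exe", "dll")


def mirc_worm_heuristic(data: bytes) -> bool:
    """Richard's heuristic: both marker strings appear somewhere in the file.
    This is a hint, not a verdict; it will flag some legitimate programs."""
    return all(marker in data for marker in MIRC_MARKERS)


def scan(filename: str, data: bytes) -> dict:
    """Combine both checks into one record per attachment."""
    return {
        "name": filename,
        "type": identify(data),
        "renamed_exe": extension_mismatch(filename, data),
        "mirc_heuristic": mirc_worm_heuristic(data),
    }


def build_fake_pe(payload: bytes = b"") -> bytes:
    """Constructed helper: a minimal byte string laid out like a PE file
    (MZ header, e_lfanew = 0x80, PE signature, then arbitrary payload)."""
    e_lfanew = 0x80
    header = bytearray(e_lfanew)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header) + b"PE\x00\x00" + payload


# Constructed sample attachments for a stand-alone run.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 60
SAMPLE_RENAMED_EXE = build_fake_pe(b"plain program text")
SAMPLE_SUSPECT = build_fake_pe(
    b"...mirc.ini...Software\\Microsoft\\Windows\\CurrentVersion\\Run...")

if __name__ == "__main__":
    for name, data in (("holiday.jpg", SAMPLE_JPEG),
                       ("holiday2.jpg", SAMPLE_RENAMED_EXE),
                       ("setup.exe", SAMPLE_SUSPECT)):
        print(scan(name, data))
```

Running it prints one record per sample: the real JPEG passes both checks, the PE renamed to .jpg is reported as renamed_exe, and the PE carrying both marker strings trips the mIRC heuristic. The heuristic result is deliberately kept separate from the type result so that a later policy layer can treat it as "possible virus" rather than a block, which is the level of confidence Michael and Richard both attach to it.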