funsec mailing list archives
Re: write viruses? it's controversy time of the month
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 30 Aug 2006 16:03:14 +1200
Dude VanWinkle to me: <<snip>>
> > Or, it may mean that your changes were "sufficiently insignificant" that all the vendors you approached ignore those parts of the code in detecting this virus (no products look at all the code in all files).
>
> good point
I make any other kind? 8-)
> If you want to test AV, just chop your least-favorite virus into half with a hex editor, scan each bit with AV, then dissect the part it detects in half, etc, etc. till you get the signature, then change the source to alter that sig and see if it detects your "variant"
In general, this won't work with most types of virus and most products. Contemporary virus scanners are not simply "binary grep". Most start by doing file typing, so (in most cases) they can eliminate great scads of malware they won't have to look for in this file (e.g. the input file is a PE so no need to look for the many tens of thousands of macro, script, boot, DOS COM/EXE and other more esoteric malwares the scan string database "knows" of). Many scanners then do some form of sanity checking, depending on the file type (e.g. it's a PE and the entry point is outside the file so it's corrupt and can't load, so don't scan further; or it's an OLE2 file whose directory shows no streams of the types that any known VBA macro virus can reside in so don't scan further). And on it goes. Thus a simple divide-and-conquer approach as suggested won't work terribly well much of the time (but it can work well for many/most scanners for "free form" formats such as most plain script formats and DOS COM files precisely because there are few, if any, constraints on the contents of the files that can be valid examples of those formats).
> that's what AV authors do ( I think )
Not now...
> Would that be acceptable, or is this creating a new virus, if you just change the sig and not the functionality that is?
What _is_ a virus "signature"? There's no such thing. Each AV detection engine works slightly differently on files of the same format, so at most there are "scan strings" for each specific engine/malware combination. Even something small and apparently simple, like detecting that a file starts with precisely the 68 bytes of the EICAR antivirus test string, is no more than 128 bytes in total length and that none of the bytes beyond the 68th are outside the set 0x09, 0x0A, 0x0D, 0x1A is assuredly described differently in the detection language of each and every engine.

Moving beyond such simple examples to more complex ones such as, say, PE infectors and you'll find that for each engine the "scan string" for each virus comprises some or other combination of multiple ranged checksums (using proprietary, in-house algorithms) and/or partial bit-patterns at complexly-defined offsets and locations within the file or within specific parts of the file, possibly combined with the presence or absence of various other proprietarily-defined characteristics. Generally such "scan strings" more or less tightly "describe" characteristic code structures and features that seemed (to the analysts who wrote those detection definitions) very unlikely to appear in any other file of the target type.

Now, regardless of how, if you find such a critical location in the file of a known malware and modify it, so long as the code still runs and still exhibits much the same functionality (especially including recursive self-replication if it is a virus) you have, by definition (but not exclusively), made a new variant.

To answer your closing question, from the preceding discussion you will know that I don't find that "acceptable".

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
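An added illustration (not code from the thread or from any AV product) of the layered scan logic Nick describes: the scanner types the file first, applies a cheap format sanity check (here a simplified stand-in: a PE whose PE signature lies beyond end-of-file is treated as corrupt and skipped), and only then runs a detection. The one detection it carries is the EICAR rule exactly as stated in the post; the toy PE and all sample inputs are constructed, and `make_toy_pe` is a hypothetical helper.

```python
import struct

# The 68-byte EICAR test string and the trailing-byte set quoted in the post.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_TRAILING_OK = {0x09, 0x0A, 0x0D, 0x1A}
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound document header


def file_type(data: bytes) -> str:
    """Step 1: file typing decides which detections are even applicable."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        return "pe"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    return "freeform"


def pe_is_loadable(data: bytes) -> bool:
    """Step 2 (PE only): sanity check. e_lfanew (offset 0x3C) must point at a
    'PE\\0\\0' signature inside the file; otherwise the loader would reject the
    file and the scanner need not look any further."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_eicar(data: bytes) -> bool:
    """Step 3 (free-form only): the EICAR rule from the post. The 68 bytes must
    come first, the file may be at most 128 bytes, and every byte past the 68th
    must be one of 0x09, 0x0A, 0x0D, 0x1A."""
    if not data.startswith(EICAR) or len(data) > 128:
        return False
    return all(b in EICAR_TRAILING_OK for b in data[len(EICAR):])


def scan(data: bytes) -> str:
    """Run the pipeline and report why scanning stopped where it did."""
    kind = file_type(data)
    if kind == "pe":
        return "pe: no detection in this toy scanner" if pe_is_loadable(data) else "skipped: corrupt PE"
    if kind == "ole2":
        return "ole2: no detection in this toy scanner"
    return "detected: EICAR-Test-File" if is_eicar(data) else "clean"


def make_toy_pe() -> bytes:
    """Constructed 256-byte sample, not a real executable: MZ stub with
    e_lfanew = 0x80, a 'PE\\0\\0' signature at 0x80, filler after it."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"\0" * 0x40 + b"PE\0\0" + b"\0" * 0x7C
```

Chopping the toy PE in half leaves `e_lfanew` pointing past end-of-file, so `scan` stops at the sanity check before any scan string is compared, which is the point Nick makes about divide-and-conquer on structured formats.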