funsec mailing list archives
Re: Overloading AV software, was Question about Viruses
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Fri, 7 Jul 2006 14:50:30 -0400
On 7/7/06, Drsolly <drsollyp () drsolly com> wrote:
> On Fri, 7 Jul 2006, Richard M. Smith wrote:
>
> >>> But for the most part massimo is right, it's a dumb strategy
> >
> > Hmm, what if the bad guys overloaded a user with virus warning messages as a
> > strategy to get people to turn off their AV software. For example, could a
> > Web page download a few hundred image files with known virus signatures
> > tacked on the end of each file in order to make AV software go nuts? Could
> > the same trick be used in an HTML email message?
>
> You have a fundamental (and very common) misunderstanding about "virus
> signatures". I can only talk authoritatively about my AV software design,
> but I think most AV software today works in a similar way.
>
> So. The problem is, you think there's something called a "virus signature".
> There is, indeed, an "Alan Solomon" signature, I write it on cheques and
> suchlike, and it's pretty much the same each time I write it, and you can
> recognise that it's my signature. But there is no similar "virus signature".
>
> What there is, is a sequence of bytes chosen from the body of the virus,
> that the AV uses to determine whether the virus is present or not.
>
> 1) Different AV products will choose different sequences as the thing
> they're looking for.
>
> 2) Certainly the AV I wrote (and it still works this way today), and (I
> think) most other AV products, only look for that byte sequence, in the
> place(s) that it would have to be if the file is infected.
>
> So, if you append that byte-sequence to the end of the file, the AV will,
> correctly, say that the file is not infected.

I guess that's why the eicar site says:

-------------------------
The first 68 characters is the known string. It may be optionally appended by
any combination of whitespace characters with the total file length not
exceeding 128 characters. The only whitespace characters allowed are the space
character, tab, LF, CR, CTRL-Z. To keep things simple the file uses only upper
case letters, digits and punctuation marks, and does not include spaces.
-------------------------

Pretty specific.

This seems kind of silly to me, as any variation of code before the detection
bit would result in the detection bit being in a different location, and
therefore result in the virus not being detected, correct? Is this a leftover
of the "Signature Wars" where people were trying to sell their AV by saying
"mine detects 60,000 viruses", "well mine detects 80,000", etc., etc.?

> So, your idea won't work.

I guess that's a good thing :-(

-JP
<X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
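An added example, written for this archive page and not code from anyone in the thread: a scanner that applies the EICAR file rules quoted above (string at offset 0, optional whitespace trailer, 128-byte limit) beside the naive "sequence anywhere in the file" scan, to show why tacking the sequence onto the end of an image does not fire a detector that checks the place the sequence would have to be. The EICAR string is the public test string from the post; every sample file below is constructed for this example.

```python
# Added example (not from the thread). Two detectors for the EICAR test string:
# a naive "sequence anywhere in the file" scan, which is the misunderstanding
# Drsolly describes, and a scanner that applies the EICAR file rules quoted in
# the post, so the sequence only counts at the offset where a real test file
# carries it (offset 0). All sample files below are constructed for this example.
from typing import Dict, Tuple

# Public EICAR test string (68 bytes); the backslash is escaped for Python.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
MAX_FILE_LEN = 128
ALLOWED_TRAILER = frozenset(b" \t\n\r\x1a")  # space, tab, LF, CR, CTRL-Z


def naive_scan(data: bytes) -> bool:
    """Fire if the sequence occurs anywhere, regardless of position."""
    return EICAR in data


def eicar_scan(data: bytes) -> bool:
    """Apply the EICAR rules: the first 68 bytes are the string, anything after
    it is whitespace from the allowed set, and the file is at most 128 bytes."""
    if len(data) > MAX_FILE_LEN or not data.startswith(EICAR):
        return False
    return all(byte in ALLOWED_TRAILER for byte in data[len(EICAR):])


# Constructed samples: a genuine test file and the variants discussed in the thread.
SAMPLES: Dict[str, bytes] = {
    "eicar.com": EICAR + b"\r\n",
    # An "image" with the sequence tacked on the end, as Richard proposed.
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 100 + EICAR,
    # Sequence at offset 0 but padded past the 128-byte limit.
    "padded.com": EICAR + b" " * 70,
    # Sequence at offset 0 followed by a byte outside the whitespace set.
    "trailer.com": EICAR + b"\x00",
}


def compare(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (naive_result, spec_result)} for each sample file."""
    return {name: (naive_scan(data), eicar_scan(data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (naive, spec) in compare().items():
        print(f"{name:12} naive={naive!s:5} spec={spec}")
```

Only `eicar.com` is flagged by the position-aware scanner; the other three all contain the 68-byte sequence yet fail the placement rules, which is exactly the distinction Drsolly draws.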