funsec mailing list archives
Re: write viruses? it's controversy time of the month
From: Drsolly <drsollyp () drsolly com>
Date: Wed, 30 Aug 2006 13:44:01 +0100 (BST)
> Good point. If you want to test AV, just chop your least-favorite virus in half with a hex editor, scan each bit with AV, then dissect the part it detects in half, etc., etc., till you get the signature, then change the source to alter that sig and see if it detects your "variant".
That's making some pretty major assumptions about how all AV products work. It's fairly safe to say that not all AV products work the same way. And I could easily think that this technique wouldn't work for some AV products. I know for sure that it wouldn't have worked with Findvirus when I was maintaining it, and I'm guessing it won't today. I'm not sure what you'd conclude when you chop your virus into two files and discover that Findvirus (correctly) says that neither of those files is a virus. I'd be interested to hear what your conclusion, when seeing that, would be. Would it be "Oh, my understanding of how Findvirus works must be incorrect"?
> That's what AV authors do (I think).
Let's hope you're right! But I doubt it; my guess is that they found out that this doesn't work when they tried it.
> Would that be acceptable, or is this creating a new virus, if you just change the sig and not the functionality, that is?
My objection to this idea is that it simply wouldn't work. Or worse - it might work for some products because of the way they operate, but not on others because of the way they operate. You might then conclude that some products are better than others, for absolutely no good reason. This is not very far from my objection to the CR idea of writing 5,500 viruses. I don't think that they actually did create 5,500 viruses, I think they created 5,500 files, of which an unknown number were viruses, and we'll probably never be able to find out how many, which means that we (and CR) have no idea whether the test was actually useful or not.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
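The disagreement above turns on how a scanner decides a file is infected. The following Python is an added illustration written for this archive page; it is not code from the list, from Findvirus or from any AV product. It models three toy detectors over a constructed file format (magic bytes, length field, body, CRC32 trailer, all invented here) and a constructed, harmless marker string standing in for a signature. Splitting the sample in half only "reveals" a signature to the naive substring scanner; a scanner that validates the container first, or one that matches the whole-file hash, correctly reports that neither half is the sample, which is the outcome Drsolly describes for Findvirus.

```python
import hashlib
import struct
import zlib

# Constructed toy container (an assumption for this example, not a real
# executable format): 4-byte magic, 4-byte little-endian body length,
# body bytes, then a CRC32 over everything before the trailer.
MAGIC = b"FAKE"


def build_sample(body: bytes) -> bytes:
    """Wrap a body in the toy container with a valid length and CRC."""
    head = MAGIC + struct.pack("<I", len(body)) + body
    return head + struct.pack("<I", zlib.crc32(head) & 0xFFFFFFFF)


# Constructed, harmless "signature": a marker we pretend identifies the sample.
SIGNATURE = b"PAYLOAD-MARKER-1234"
# Constructed sample: the marker near the start, padded with filler bytes.
SAMPLE = build_sample(SIGNATURE + b"\x90" * 80)


def substring_scanner(data: bytes) -> bool:
    """Naive scanner: flags any file that contains the signature bytes anywhere,
    regardless of whether the file is a well-formed container."""
    return SIGNATURE in data


def structural_scanner(data: bytes) -> bool:
    """Scanner that validates the container before matching. A fragment with a
    bad magic, inconsistent length or wrong CRC is not a valid file, so it is
    reported clean even if the signature bytes happen to be present."""
    if len(data) < 12 or data[:4] != MAGIC:
        return False
    (body_len,) = struct.unpack("<I", data[4:8])
    if len(data) != 8 + body_len + 4:
        return False
    head = data[:-4]
    (crc,) = struct.unpack("<I", data[-4:])
    if zlib.crc32(head) & 0xFFFFFFFF != crc:
        return False
    return SIGNATURE in data[8:8 + body_len]


# Exact-match detection: the whole-file hash of the known sample.
KNOWN_HASHES = {hashlib.sha256(SAMPLE).hexdigest()}


def hash_scanner(data: bytes) -> bool:
    """Flags only files whose complete SHA-256 digest is on the known list."""
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES


SCANNERS = (
    ("substring", substring_scanner),
    ("structural", structural_scanner),
    ("hash", hash_scanner),
)


def scan_whole(data: bytes) -> dict:
    """Verdict of every scanner on the intact file."""
    return {name: fn(data) for name, fn in SCANNERS}


def scan_halves(data: bytes) -> dict:
    """Split the file in two and report each scanner's verdict on each half."""
    mid = len(data) // 2
    halves = [data[:mid], data[mid:]]
    return {name: [fn(h) for h in halves] for name, fn in SCANNERS}


if __name__ == "__main__":
    print("intact file :", scan_whole(SAMPLE))
    print("two halves  :", scan_halves(SAMPLE))
```

Only the substring scanner flags one of the halves; the structural scanner rejects both halves before it ever compares bytes, and the hash scanner has nothing to match. A tester who assumes every product behaves like the first scanner would draw the wrong conclusion from the other two, which is the point of the reply above.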