funsec mailing list archives
Re: Question about Viruses
From: Drsolly <drsollyp () drsolly com>
Date: Fri, 7 Jul 2006 20:59:16 +0100 (BST)
> > 3. Why would you want to do this? As a virus writer, you know that most AV systems are single threaded.
You do? Well, maybe a virus writer would think that. But as an antivirus writer, I *know* that the online virus blockers (Virus Guard and Winguard) were definitely not single threaded, and I'd guess that the same would be true for all other AV products. It would be daft to do it single-threaded.
> > If you plant a ton of signatures that take time to clean, then you can be sure the AV won't be looking for you while it is busy cleaning stuff.
> Couldn't the AV simply block the access to other files during the scanning/cleaning?
No need, each time a file is opened by the operating system, the virus scanner is invoked to check the file first. So, if you open a second file while the first file is being scanned, you'll have two instances of the virus checker active. If you open a third, ... and so on.
> > I don't know how some AV systems handle multiple/conflicting signatures. If a single file tests positive for a bunch of different viruses, what would happen? (I think Norton takes a "first come" approach.)
> It depends on the AV (for example, some AVs might have different "levels of confidence" of signatures; so that a signature with higher level overrules the result with lower level).
Findvirus would detect the last infection, and report that. So, if a file were infected by Jerusalem virus and then Vacsina, it would report Vacsina. If Findvirus is told to repair the file, then it would detect and repair Vacsina, then rescan the file, and detect and repair Jerusalem, then rescan the file and find that it was clean. We used to call this situation "dual infected files", but what would happen more often, was a "virus sandwich". The virus checks something about the file and doesn't infect it doubly (true for nearly all viruses). But if a second virus infects the file, it will often mask that marker, so the first virus would reinfect. Then the second virus would infect again. Then the first, then the second, ... and so on. So you could have a situation where you'd peel off layer after layer of infections, before eventually getting down to the original file.
> On the other hand, the question in most cases reads "Is the file dangerous?" instead of "Which particular breed of malware is it?", so it might be a bit irrelevant.
If you're going to do a repair, you *must* do an exact identification first. If you're going to delete, then it makes some sense not to do an exact identification.
> > I also don't know if they continue checking after cleaning the first virus. If they don't, then plant a fake "easy clean" virus signature on yourself to avoid a more complicated detection.
> If they don't, they should be shot.
> Peter
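The "virus sandwich" and the repair-rescan-repeat loop Drsolly describes above, as an added toy model that is not part of the thread and is not Findvirus code. It assumes a file is a byte string, that each (constructed, harmless) "infector" appends a marker and refuses to reinfect only while its own marker is the last thing on the file, and that the scanner identifies only the outermost layer, so a repair routine that stops after one pass leaves the lower layers in place:

```python
"""Toy model of layered ("sandwich") infections and an iterative disinfection loop.

Constructed for illustration: the "infectors" are plain byte markers, not real code.
The names Jerusalem and Vacsina come from the thread; the byte layout is an assumption.
"""
from typing import Dict, List, Optional, Tuple

# Each infector appends its marker to the end of the file.
INFECTORS: Dict[str, bytes] = {
    "Jerusalem": b"[JERU]",
    "Vacsina": b"[VACS]",
}


def infect(data: bytes, name: str) -> bytes:
    """Append infector `name` unless its marker is already outermost.

    The already-infected check only sees the last marker, so once a second
    infector has appended itself the first one's marker is masked and it will
    happily reinfect on the next pass. That is what builds the sandwich.
    """
    marker = INFECTORS[name]
    if data.endswith(marker):
        return data  # refuses double infection while its marker is visible
    return data + marker


def build_sandwich(original: bytes, sequence: List[str]) -> bytes:
    """Apply the infectors in `sequence` in turn (alternating names stack up)."""
    data = original
    for name in sequence:
        data = infect(data, name)
    return data


def identify(data: bytes) -> Optional[str]:
    """Exact identification of the outermost (most recent) infection only."""
    for name, marker in INFECTORS.items():
        if data.endswith(marker):
            return name
    return None


def repair_once(data: bytes) -> Tuple[bytes, Optional[str]]:
    """Strip the outermost layer; return the new contents and what was removed."""
    name = identify(data)
    if name is None:
        return data, None
    return data[: -len(INFECTORS[name])], name


def disinfect(data: bytes, max_rounds: int = 1000) -> Tuple[bytes, List[str]]:
    """Repair, rescan, repeat until a scan comes back clean (the Findvirus approach)."""
    removed: List[str] = []
    for _ in range(max_rounds):
        data, name = repair_once(data)
        if name is None:
            return data, removed
        removed.append(name)
    raise RuntimeError("file still reports an infection after max_rounds repairs")


def disinfect_naive(data: bytes) -> Tuple[bytes, List[str]]:
    """Stop after the first successful repair without rescanning."""
    data, name = repair_once(data)
    return data, ([name] if name else [])


if __name__ == "__main__":
    original = b"MZ-constructed-clean-program"
    sandwich = build_sandwich(original, ["Jerusalem", "Vacsina", "Jerusalem", "Vacsina"])
    print("outermost layer:", identify(sandwich))
    cleaned, layers = disinfect(sandwich)
    print("peeled off:", layers, "clean:", cleaned == original)
    leftover, _ = disinfect_naive(sandwich)
    print("naive repair still reports:", identify(leftover))
```

Running it shows the scanner reporting only Vacsina on the four-layer file, `disinfect` peeling off Vacsina, Jerusalem, Vacsina, Jerusalem in that order and ending with the original bytes, while the single-pass repair leaves a file that still identifies as Jerusalem-infected.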
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- RE: Overloading AV software, try #2, (continued)
- RE: Overloading AV software, try #2 Drsolly (Jul 07)
- Re: Overloading AV software, was Question about Viruses Dude VanWinkle (Jul 07)
- Re: Overloading AV software, was Question about Viruses Valdis . Kletnieks (Jul 07)
- Re: Question about Viruses Dude VanWinkle (Jul 07)
- Re: Question about Viruses Peter Kosinar (Jul 07)
- Re: Question about Viruses Drsolly (Jul 07)
- Re: Question about Viruses <...> (Jul 07)
- Re: Question about Viruses Axel Pettinger (Jul 08)
- Re: Question about Viruses Peter Kosinar (Jul 07)
- Re: Question about Viruses Drsolly (Jul 07)
- Re: Question about Viruses Dude VanWinkle (Jul 07)