funsec mailing list archives

Re: Consumer Reports Slammed for Creating 'Test' Viruses


From: Drsolly <drsollyp () drsolly com>
Date: Sun, 20 Aug 2006 00:54:38 +0100 (BST)

On Sat, 19 Aug 2006, Blue Boar wrote:

Drsolly wrote:
Not so. We felt the same in 1990. I was there.

So you were 10 years ahead. ;)

I don't think so - we all felt like that.
 
You could do what you suggested, and write 5,000 new and original 80's
style file infectors, show those to a dozen AV products, and discover that
they detect just 1% of your new viruses.

That would be about the result I expect.


The BIG BIG flaw in that test, is that 80's style file infectors (which
means viruses that work under Dos, of course, there were no PE infectors
then) simply are not a threat today, because I doubt if you'll find one
computer in a million that is still running Dos (or one in a thousand that
even runs products in a Dos box, ever). And the same 80's Dos viruses
won't work under Windows; if you want to see why, get a bunch of Dos file
viruses, and try to run them under Windows.

Very good, you've pointed out the fatal flaw in my strawman quip, rather 
than addressing the point.  Which is, one could write a simple, viable 
Windows file-infector virus, and my expectation is that current AV 
products will not do well at detecting it.  The point being, that AV 
products do not do well at detecting new malware for which no signature 
has been developed.

But could you write 5,000 of them to use as a test set?

As a side topic, I am curious as to why DOS viruses wouldn't work well. 
  I run a number of DOS programs under Windows, from time to time.  Do 
you mean the typical interrupt-hooking behavior?  File protection?

Viruses aren't written for compatibility, or tested by the author. If a 
virus works well enough on his own machine, he's happy. 

Brain virus needed 360kb floppy disks to work. Italian virus wouldn't work 
on an 80286 or above, only on 8088 and 8086. 

Windows, typically, runs in protected mode. That means that there's some
operations that are forbidden. In particular, the segment registers (CS,
DS and ES), aren't actually registers, they're something a bit more
subtle, and you can't mess with them in the way that you can under Dos. If
you try, Windows crashes - freezes or BSODs. 

Would they work in a Dos box? Probably not - it isn't really Dos, it's 
actually some sort of Dos emulation (it can't directly address the 
hardware, it has to be filtered through Windows, I think).

But a virus (if it could actually run) would happily infect a 
Windows EXE file. And then that Win EXE file wouldn't work, for reasons as 
per above, when you went back to Windows and tried to run it.

Now, users can tolerate pop-ups, diallers, spyware and absolutely any crap 
on their computers, unless that crap actually stops them running the 
programs they need. At that point, action is taken (which might even be 
"replace the computer") to get rid of the virus.

Windows (mostly Win 3.1, but also Win 95) did more to kill off the old
style boot, MZ and COM file infectors than AV products.

The DOC viruses came along just in time!
 

So, your test would "expose" the AV products as useless against new 
viruses, and your test would be completely wrong, because you wrote the 
Wrong Sort of Viruses.

And how would they fare when I wrote the right kind?

OK, specify another test strategy, I'll see if I can find the flaw.
 
AV product testing is *difficult*. I'm not saying it's impossible, but 
newbies to the game, pretty much invariably get it badly wrong. Like I 
said, I could tell you some very ugly stories ...

I don't disagree that it could be easy to get it wrong, but I kinda feel 
like I could actually write a working virus, and point a virus scanner 
at it.

Maybe you could, but a sample of one, isn't really good enough for product 
testing. Now - if it takes you two weeks (a really conservative estimate) 
to write a PE virus, how long would it take you to write 5,000?

Answer - 200 years. Not feasible.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.