funsec mailing list archives

Re: write viruses? it's controversy time of the month


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 30 Aug 2006 14:11:00 +1200

Blue Boar wrote:

> Interestingly, I did pretty much exactly that with Nimda.A, in order to 
> test a product I was developing.  Afterwards, I thought I would be a 
> good guy, and submit samples to the AV companies.  I spelled out what I 
> had done in the email.
>
> I said something to the effect of "I made a variant of Nimda.A".
>
> Most of the responses I got back were "That's a variant of Nimda.A.  We 
> detect it as 'Nimda.A'"
>
> Uhh... thanks.

Of course, that may simply mean that your definition of "variant" 
(perhaps, "that the file is not bit-identical to the original Nimda.A 
sample I started with") does not match the AV industry's definition 
(loosely, "that the code is not bit-level identical with the invariant 
parts of the virus' code" -- don't get me started on this...).

Or, it may mean that your changes were "sufficiently insignificant" 
that all the vendors you approached ignore those parts of the code in 
detecting this virus (no products look at all the code in all files).


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

