funsec mailing list archives

Re: write viruses? it's controversy time of the month


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 30 Aug 2006 16:03:14 +1200

Dude VanWinkle to me:

<<snip>>
> > Or, it may mean that your changes were "sufficiently insignificant"
> > that all the vendors you approached ignore those parts of the code in
> > detecting this virus (no products look at all the code in all files).

> good point

I make any other kind?   8-)

> If you want to test AV, just chop your least-favorite virus into half
> with a hex editor, scan each bit with AV, then dissect the part it
> detects in half, etc, etc. till you get the signature, then change the
> source to alter that sig and see if it detects your "variant"

In general, this won't work with most types of virus and most products.

Contemporary virus scanners are not simply "binary grep".  Most start 
by doing file typing, so (in most cases) they can eliminate great scads 
of malware they won't have to look for in this file (e.g. the input 
file is a PE so no need to look for the many tens of thousands of 
macro, script, boot, DOS COM/EXE and other more esoteric malwares the 
scan string database "knows" of).  Many scanners then do some form of 
sanity checking, depending on the file type (e.g. it's a PE and the 
entry point is outside the file so it's corrupt and can't load, so 
don't scan further; or it's an OLE2 file whose directory shows no 
streams of the types that any known VBA macro virus can reside in so 
don't scan further).  And on it goes.  Thus a simple divide-and-conquer 
approach as suggested won't work terribly well much of the time (but it 
can work well for many/most scanners for "free form" formats such as 
most plain script formats and DOS COM files precisely because there are 
few, if any, constraints on the contents of the files that can be valid 
examples of those formats).

> that's what AV authors do (I think)

Not now...

> Would that be acceptable, or is this creating a new virus, if you just
> change the sig and not the functionality that is?

What _is_ a virus "signature"?  There's no such thing.  Each AV 
detection engine works slightly differently on files of the same 
format, so at most there are "scan strings" for each specific 
engine/malware combination.  Even something small and apparently 
simple, like detecting that a file starts with precisely the 68 bytes 
of the EICAR antivirus test string, is no more than 128 bytes in total 
length and that none of the bytes beyond the 68th are outside the set 
0x09, 0x0A, 0x0D, 0x1A is assuredly described differently in the 
detection language of each and every engine.  Moving beyond such simple 
examples to more complex ones such as, say, PE infectors and you'll 
find that for each engine the "scan string" for each virus comprises 
some or other combination of multiple ranged checksums (using 
proprietary, in-house algorithms) and/or partial bit-patterns at 
complexly-defined offsets and locations within the file or within 
specific parts of the file, possibly combined with the presence or 
absence of various other proprietarily-defined characteristics.

Generally such "scan strings" more or less tightly "describe" 
characteristic code structures and features that seemed (to the 
analysts who wrote those detection definitions) very unlikely to appear 
in any other file of the target type.

Now, regardless of how, if you find such a critical location in the 
file of a known malware and modify it, so long as the code still runs 
and still exhibits much the same functionality (especially including 
recursive self-replication if it is a virus) you have, by definition 
(but not exclusively), made a new variant.

To answer your closing question, from the preceding discussion you will 
know that I don't find that "acceptable".


Regards,

Nick FitzGerald
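Added example (not part of Nick's post or of any real AV engine): a toy scanner in Python that makes two of the points above concrete. It does file typing first, so a rule is only consulted for the file classes it can apply to, and it encodes the EICAR check exactly as described in the post (68-byte string at offset 0, total length at most 128, trailing bytes restricted to 0x09/0x0A/0x0D/0x1A) as a structured predicate rather than a byte grep. The magic-byte file typing, the decision to apply the EICAR rule only to "freeform" files, and the `bisect_once` probe are my assumptions for illustration; the EICAR string itself is the published, benign test value.

```python
"""Toy scanner illustrating the post above: file typing runs first, and a
"scan string" is a structured rule, not a substring search.
Added example; not code from the original post or from any real product."""
from typing import Optional

# The 68-byte EICAR test string as published by EICAR (a known, benign value).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
assert len(EICAR) == 68

# Bytes that may follow the 68-byte string, per the rule quoted in the post.
EICAR_TRAILER_OK = {0x09, 0x0A, 0x0D, 0x1A}
EICAR_MAX_LEN = 128


def file_type(data: bytes) -> str:
    """Cheap file typing by magic bytes (assumed simplification of what a
    real engine does before it decides which rule sets to run)."""
    if data[:2] == b"MZ":
        return "pe-or-dos-exe"
    if data[:8] == bytes.fromhex("D0CF11E0A1B11AE1"):
        return "ole2"
    return "freeform"


def matches_eicar_rule(data: bytes) -> bool:
    """The three-part EICAR rule from the post expressed as one predicate."""
    if len(data) > EICAR_MAX_LEN:
        return False
    if not data.startswith(EICAR):
        return False
    return all(b in EICAR_TRAILER_OK for b in data[len(EICAR):])


def scan(data: bytes) -> Optional[str]:
    """Return a detection name or None. File typing runs first, so the
    EICAR rule is never consulted for a PE or OLE2 container (assumption:
    in this toy those types would get their own rule sets, omitted here)."""
    kind = file_type(data)
    if kind != "freeform":
        return None
    if matches_eicar_rule(data):
        return "EICAR-Test-File"
    return None


def bisect_once(data: bytes) -> dict:
    """What the 'chop it in half and rescan each half' probe actually
    returns for a rule like this one: neither half matches, so the probe
    learns nothing about where the rule 'is'."""
    mid = len(data) // 2
    return {
        "whole": scan(data),
        "first_half": scan(data[:mid]),
        "second_half": scan(data[mid:]),
    }


if __name__ == "__main__":
    sample = EICAR + b"\r\n"  # constructed: the test string plus CRLF
    print(scan(sample))  # EICAR-Test-File
    print(scan(EICAR + b"\r\n" + b"X" * 70))  # None: longer than 128 bytes
    print(scan(EICAR + b" "))  # None: 0x20 is not an allowed trailer byte
    print(scan(b"MZ" + EICAR))  # None: typed as an executable, rule not run
    print(bisect_once(sample))  # only "whole" detects
```

The length and trailer constraints are what make this a rule rather than a pattern: a file that merely contains the 68 bytes somewhere, or that carries them followed by a space, does not satisfy it, and no half of a matching file does either.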

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
