Re: Overloading AV software, was Question about Viruses

["Dude VanWinkle" <dudevanwinkle () gmail com>]

On 7/7/06, Drsolly <drsollyp () drsolly com> wrote:
> On Fri, 7 Jul 2006, Richard M. Smith wrote:
>
> > >>> But for the most part massimo is right, it's a dumb strategy
> >
> > Hmm, what if the bad guys overloaded a user with virus warning messages as a
> > stratergy to get people to turn off their AV software.  For example, could a
> > Web page download a few hundred image files with known virus signatures
> > tacked on the end of each file in order to make AV software go nuts?  Could
> > the same trick be used in an HTML email message?
>
> You have a fundamental (and very common) misunderstanding about "virus
> signatures".
>
> I can only talk authoritatively about my AV software design, but I think
> most AV software today works in a similar way.
>
> So. The problem is, you think there's something called a "virus
> signature". There is, indeed, an "Alan Solomon" signature, I write it on
> cheques and suchlike, and it's pretty much the same each time I write it,
> and you can reognise that it's my signature.
>
> But there is no similar "virus signature". What there is, is a sequence of
> bytes chosen from the body of the virus, that the AV uses to determine
> whether the virus is present or not.
>
> 1) Different AV products will choose different sequences as the thing
> they're looking for.
>
> 2) Certainly the AV I wrote (and it still works this way today), and (I
> think) most other AV products, only look for that byte sequence, in the
> place(s) that it would have to be if the file is infected. So, if you
> append that byte-sequence to the end of the file, the AV will, correctly,
> say that the file is not infected.

I guess thats why the eicar site says:
-------------------------
The first 68 characters is the known string. It may be optionally
appended by any combination of whitespace characters with the total
file length not exceeding 128 characters. The only whitespace
characters allowed are the space character, tab, LF, CR, CTRL-Z. To
keep things simple the file uses only upper case letters, digits and
punctuation marks, and does not include spaces.

-------------------------

Pretty specific. This seems kind of silly to me, as any variation of
code before the detection bit would result in the detection bit being
in a different location, and therefore result in the virus not being
detected, correct?

Is this a leftover of the "Signature Wars" where people were trying to
sell their AV by saying "mine detects 60,000 viriuses", 'well mine
detects 80,000', etc, etc.?


> So, your idea won't work.

I guess thats a good thing :-(

-JP<X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.