funsec mailing list archives

Re: Question about Viruses


From: Drsolly <drsollyp () drsolly com>
Date: Fri, 7 Jul 2006 20:59:16 +0100 (BST)

3. Why would you want to do this?
As a virus writer, you know that most AV systems are single threaded.

You do? Well, maybe a virus writer would think that.

But as an antivirus writer, I *know* that the online virus blockers (Virus 
Guard and Winguard") were definitely not single threaded, and I'd guess 
that the same would be true for all other AV products. It would be daft to 
do it single-threaded.

If you plant a ton of signatures that take time to clean, then you can be
sure the AV won't be looking for you while it is busy cleaning stuff.

Couldn't the AV simply block the access to other files during the 
scanning/cleaning?

No need, each time a file is opened by the operating system, the virus 
scanner is invoked to check the file first. So, if you open a second file 
while the first file is being scanned, you'll have two instances of the 
virus checker active. If you open a third, ... and so on.


I don't know how some AV systems handle multiple/conflicting signatures.
If a single file tests positive for a bunch of different viruses, what
would happen?  (I think Norton takes a "first come" approach.)

It depends on the AV (for example, some AVs might have different "levels 
of confidence" of signatures; so that a signature with higher level 
overrules the result with lower level).

Findvirus would detect the last infection, and report that. So, if a file 
were infected by Jerusalem virus and then Vacsina, it would report 
Vacsina.

If Findvirus is told to repair the file, then it would detect and repair 
Vacsina, then rescan the file, and detect and repair Jerusalem, then 
rescan the file and find that it was clean.

We used to call this situation "dual infected files", but what would happen 
more often, was a "virus sandwich". The virus checks something 
about the file and doesn't infect it doubly (true for nearly all viruses). 
But if a second virus infects the file, it will often mask that marker, so 
the first virus would reinfect. Then the second virus would infect again. 
Then the first, then the second, ... and so on. So you could have a 
situation where you'd peel off layer after layer of infections, before 
eventually getting down to the original file.

On the other hand, the question in 
most cases reads "Is the file dangerous?" instead of "Which particular 
breed of malware is it?", so it might be a bit irrelevant.

If you're going to do a repair, you *must* do an exact identification 
first. If you're going to delete, then it makes some sense not to do an 
exact identification.


I also don't know if they continue checking after cleaning the first
virus.  If they don't, then plant a fake "easy clean" virus signature
on yourself to avoid a more complicated detection.

If they don't, they should be shot.

Peter



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
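As an added illustration of the repair/rescan loop and the "virus sandwich" described in the thread (this is not code from the thread or from Findvirus), a toy Python model: two constructed appending "viruses" each check only their own tail marker, so each one masks the other's marker and they reinfect in alternation; the scanner identifies only the outermost infection, repairs it, rescans, and stops when the file is clean. The virus names, bodies, markers and the layer cap are constructed assumptions.

```python
# Toy model of layered (sandwiched) infections and iterative disinfection.
# Constructed sample data only; nothing here is a real virus body.
from typing import Dict, List, Optional, Tuple

# name -> (body, marker). A real scanner needs the exact body to know how
# many bytes to strip, which is why repair requires exact identification.
VIRUSES: Dict[str, Tuple[bytes, bytes]] = {
    "Jerusalem": (b"<jeru-body>", b"J-MARK"),   # constructed
    "Vacsina":   (b"<vac-body>",  b"V-MARK"),   # constructed
}

def infect(data: bytes, name: str) -> bytes:
    """Append body+marker unless this virus's own marker is already at the tail."""
    body, marker = VIRUSES[name]
    if data.endswith(marker):
        return data            # "already infected" check: no double infection
    return data + body + marker  # another virus's marker is now masked

def identify(data: bytes) -> Optional[str]:
    """Exact identification: report only the last (outermost) infection."""
    for name, (body, marker) in VIRUSES.items():
        if data.endswith(body + marker):
            return name
    return None

def repair_one(data: bytes, name: str) -> bytes:
    body, marker = VIRUSES[name]
    return data[: -len(body + marker)]

def disinfect(data: bytes, max_layers: int = 64) -> Tuple[bytes, List[str]]:
    """Repair, rescan, repeat until clean. Returns (clean_data, layers_removed).
    The cap guards against a pathological file that never scans clean."""
    removed: List[str] = []
    for _ in range(max_layers):
        name = identify(data)
        if name is None:
            return data, removed
        data = repair_one(data, name)
        removed.append(name)
    raise RuntimeError("too many layers; refusing to loop forever")

def build_sandwich(original: bytes, rounds: int) -> bytes:
    """Alternate the two viruses: each reinfects because the other masked its marker."""
    data = original
    for _ in range(rounds):
        data = infect(data, "Jerusalem")
        data = infect(data, "Vacsina")
    return data
```

Calling `disinfect(build_sandwich(b"MZ original", 2))` peels Vacsina, Jerusalem, Vacsina, Jerusalem in that order and returns the original bytes.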

