funsec mailing list archives

RE: Consumer Reports Slammed for Creating 'Test' Viruses


From: Peter Kosinar <goober () nuf ksp sk>
Date: Thu, 17 Aug 2006 02:09:05 +0200 (CEST)

Hello guys,

Let's ignore the ethical point of view (= that they shouldn't have created the viruses; regardless of the purpose of doing so) for now... There are two things which I find rather interesting from the scientific standpoint (they might reveal what this test actually measured, if anything ;-) ).

Quoting from the original announcement:

To pit the software against novel threats not identified on signature
lists, we created 5,500 new virus variants derived from six categories
of known viruses, the kind you'd most likely encounter in real life.

That done, we unleashed the new viruses in our labs to see how well
the products detected them while scanning. Then we infected our lab
computer with each of 185 of them to see whether the products could
better detect viruses that were actively executing, based on their
behavior.

Question #1: So, they created 5500 new variants but infected the computer with 185 viruses... Why? What was so special about them?

Question #2: -How- did they create these "new variants"? I've seen tons of amateur attempts to "evaluate how AVs can detect modified variants of existing malware". In most cases, it turned out that they simply took an existing piece of malware and got rid of -visible strings- by replacing them with spaces/their own strings/etc... including strings like "KERNEL32.DLL" or "GetProcAddress" used for imports ;-)

Does anyone have more information about the approach taken by ConsumerReports?

Peter

--
[Name] Peter Kosinar   [Quote] 2B | ~2B = exp(i*PI)   [ICQ] 134813278
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
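The string-blanking style of "variant" creation speculated about in Question #2 leaves samples that can no longer resolve their imports, so a test built on them measures something other than real-world detection. As an added example (not part of the original post or thread), the Python check below compares a parent sample with a claimed variant and reports whether only printable string regions changed and whether any named import strings were lost; the sample bytes, the IMPORT_NAMES list and the printable-byte heuristic are constructed assumptions.

```python
import string

# Bytes treated as "visible string" content; tabs/newlines excluded, space kept.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
# Import names whose blanking leaves a Windows program unable to load (assumed list).
IMPORT_NAMES = [b"KERNEL32.DLL", b"GetProcAddress", b"LoadLibraryA"]

def changed_regions(original, variant):
    """Return [(start, end)] spans where two equal-length byte strings differ."""
    if len(original) != len(variant):
        raise ValueError("size changed: not an in-place string edit")
    regions, start = [], None
    for i, (a, b) in enumerate(zip(original, variant)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(original)))
    return regions

def classify_variant(original, variant):
    """Summarise what a claimed 'variant' actually changed relative to its parent."""
    regions = changed_regions(original, variant)
    # True when every changed byte, on both sides, is printable text: the
    # "replace visible strings with spaces" mutation the post describes.
    strings_only = all(
        all(c in PRINTABLE for c in original[s:e]) and all(c in PRINTABLE for c in variant[s:e])
        for s, e in regions)
    lost_imports = [n.decode() for n in IMPORT_NAMES if n in original and n not in variant]
    return {"changed_regions": len(regions), "strings_only": strings_only,
            "lost_imports": lost_imports, "likely_runnable": not lost_imports}

# Constructed stand-in for a parent sample: a few code-like bytes followed by
# import-name strings and a message string, as they might sit in a binary.
PARENT = (b"\x55\x8b\xec\x83\xec\x10"
          b"KERNEL32.DLL\x00GetProcAddress\x00Hello from the payload\x00")
# "Variant" made by blanking the import strings with spaces (same length).
STRING_BLANKED = (PARENT.replace(b"KERNEL32.DLL", b" " * 12)
                        .replace(b"GetProcAddress", b" " * 14))
# Variant that touches only the message string and leaves imports intact.
MESSAGE_ONLY = PARENT.replace(b"Hello from the payload", b"Greetings from variant")
# Variant that alters a non-printable code byte (0x10 -> 0x20).
CODE_CHANGED = PARENT[:5] + b"\x20" + PARENT[6:]

if __name__ == "__main__":
    for name, v in [("blanked", STRING_BLANKED), ("message", MESSAGE_ONLY), ("code", CODE_CHANGED)]:
        print(name, classify_variant(PARENT, v))
```

A sample reported as strings_only with a non-empty lost_imports list is a corrupted file rather than a functional variant, and a missed detection on it says nothing about the scanner.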
