funsec mailing list archives
Re: Question about Viruses
From: "Dr. Neal Krawetz" <hf () hackerfactor com>
Date: Fri, 7 Jul 2006 12:19:07 -0600 (MDT)
On Fri Jul 7 09:11:01 2006, Dude VanWinkle wrote:
Has anyone heard of a virus masquerading as another virus in order to avoid detection? Well, you wouldn't be avoiding detection per se, just avoiding correct identification. How hard would it be to throw a signature for, let's say, troj_stargpag.qy in your app that was really a (insert favorite/least favorite virus here)?

-JP
Hi JP,

1. Has anyone heard of this?
Only in theory, but not in practice.

2. Is it easy to do?
Yes. Copying a signature is trivial. Most AV just look for a set of bytes. Set "char *Sig={byte,byte,byte...};" and you'll trigger it.

3. Why would you want to do this?
As a virus writer, you know that most AV systems are single threaded. If you plant a ton of signatures that take time to clean, then you can be sure the AV won't be looking for you while it is busy cleaning stuff.

I don't know how some AV systems handle multiple/conflicting signatures. If a single file tests positive for a bunch of different viruses, what would happen? (I think Norton takes a "first come" approach.) I also don't know if they continue checking after cleaning the first virus. If they don't, then plant a fake "easy clean" virus signature on yourself to avoid a more complicated detection.

NOTE: This is not development advice! This is "know your enemy" and "think like your opponent".

-Neal

--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/
Author of "Introduction to Network Security" (Charles River Media, 2006)
http://www.charlesriver.com/Books/BookDetail.aspx?productID=126130

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
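The scanner-design question raised in the reply above (a "first come" verdict, and whether scanning continues after the first clean) can be modelled with a toy byte-pattern scanner. This is an added example, not code from the thread or from any AV product; the signature names, byte patterns and the sample file are constructed placeholders, and "cleaning" is modelled as zeroing the matched bytes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str       # detection name reported to the user
    pattern: bytes  # byte sequence the scanner looks for


# Constructed placeholder signatures (hypothetical, not real AV signatures).
# List order matters: a "first come" scanner reports whichever matches first.
SIGNATURES = [
    Signature("Decoy.EasyClean", b"DECOY-SIG-PLACEHOLDER"),
    Signature("Sample.Complex", b"COMPLEX-SIG-PLACEHOLDER"),
]

# Constructed sample file containing both patterns, the decoy placed first.
SAMPLE = (b"MZ-header..." + b"DECOY-SIG-PLACEHOLDER" + b"...code..."
          + b"COMPLEX-SIG-PLACEHOLDER" + b"...tail")


def scan_first_match(data, sigs=SIGNATURES):
    """'First come' verdict: the first signature that matches, or None."""
    for sig in sigs:
        if sig.pattern in data:
            return sig.name
    return None


def scan_all(data, sigs=SIGNATURES):
    """Exhaustive verdict: (name, offset) for every signature that matches."""
    return [(sig.name, data.find(sig.pattern)) for sig in sigs if sig.pattern in data]


def clean_until_clear(data, sigs=SIGNATURES, max_rounds=10):
    """Clean the first match, then rescan; repeat until nothing matches.

    A scanner that stopped after the first round would report only the decoy
    and leave the second match in place. Returns (cleaned_data, names_cleaned).
    """
    cleaned = []
    for _ in range(max_rounds):
        name = scan_first_match(data, sigs)
        if name is None:
            break
        sig = next(s for s in sigs if s.name == name)
        # Toy "clean": overwrite the matched bytes so they no longer match.
        data = data.replace(sig.pattern, b"\x00" * len(sig.pattern), 1)
        cleaned.append(name)
    return data, cleaned
```

Compare scan_first_match(SAMPLE) with scan_all(SAMPLE): the first reports only the decoy, the second reports both, and clean_until_clear shows why rescanning after each clean is the safer engine behaviour.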