funsec mailing list archives

Re: Question about Viruses


From: "Dr. Neal Krawetz" <hf () hackerfactor com>
Date: Fri, 7 Jul 2006 12:19:07 -0600 (MDT)

On Fri Jul  7 09:11:01 2006, Dude VanWinkle wrote:

> Has anyone heard of a virus masquerading as another virus in order to
> avoid detection?
>
> Well, you wouldn't be avoiding detection per se, just avoiding correct
> identification.
>
> How hard would it be to throw a signature for, let's say,
> troj_stargpag.qy in your app that was really a (insert favorite/least
> favorite virus here)?
>
> -JP

Hi JP,

1. Has anyone heard of this?
Only in theory, but not in practice.

2. Is it easy to do?
Yes.  Copying a signature is trivial.  Most AV just look for a set of bytes.
Set "char *Sig={byte,byte,byte...};" and you'll trigger it.

3. Why would you want to do this?
As a virus writer, you know that most AV systems are single threaded.
If you plant a ton of signatures that take time to clean, then you can be 
sure the AV won't be looking for you while it is busy cleaning stuff.

I don't know how some AV systems handle multiple/conflicting signatures.
If a single file tests positive for a bunch of different viruses, what
would happen?  (I think Norton takes a "first come" approach.)
I also don't know if they continue checking after cleaning the first
virus.  If they don't, then plant a fake "easy clean" virus signature
on yourself to avoid a more complicated detection.

NOTE: This is not development advice!  This is "know your enemy" and
"think like your opponent".

                                        -Neal
-- 
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/
Author of "Introduction to Network Security" (Charles River Media, 2006)
http://www.charlesriver.com/Books/BookDetail.aspx?productID=126130
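The two scanner behaviours Neal speculates about in points 3 and 4 (an engine that reports and cleans its first match in database order and then stops, versus one that rescans until nothing matches) can be modelled in a few dozen lines. The following is an added example written for this archive page, not code from the thread or from any real AV product; the signature database, the byte patterns, the per-family "clean cost" numbers and the sample file are all made up for the illustration, and `first_come`/`clean_first_only` are a model of the hypothesised "first come" behaviour, not a description of how Norton or any other engine actually works.

```python
"""Toy byte-signature scanner: planted decoy signatures vs. two engine models.

Added example for the thread above. Everything here is constructed: the
signatures are not real malware families and the engines are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    clean_cost: int  # hypothetical cost units to disinfect this family


# Hypothetical signature database, in load order. None of these byte strings
# corresponds to any real malware; they are made up for the example.
SIGNATURES: list[Signature] = [
    Signature("Fake.EasyClean", b"\x90\x90EASYCLEAN\x00\x01", 1),
    Signature("Fake.SlowClean", b"SLOW\xde\xad\xbe\xef", 50),
    Signature("Fake.RealThreat", b"\x7fREAL\xc3\x00\xff", 10),
]


def find_all(data: bytes, sigs: Iterable[Signature]) -> list[tuple[str, int]]:
    """Every (signature name, offset) pair found in data, database order."""
    hits: list[tuple[str, int]] = []
    for sig in sigs:
        off = data.find(sig.pattern)
        while off != -1:
            hits.append((sig.name, off))
            off = data.find(sig.pattern, off + 1)
    return hits


def first_come(data: bytes, sigs: Iterable[Signature]) -> Optional[str]:
    """Model of a 'first come' engine: first database entry that matches wins."""
    for sig in sigs:
        if sig.pattern in data:
            return sig.name
    return None


def disinfect(data: bytes, sig: Signature) -> bytes:
    """Toy 'cleaning': overwrite every occurrence of the pattern with NULs."""
    return data.replace(sig.pattern, b"\x00" * len(sig.pattern))


def clean_first_only(data: bytes, sigs: list[Signature]) -> tuple[bytes, list[str]]:
    """Engine model A: clean the first match, then stop scanning this file."""
    name = first_come(data, sigs)
    if name is None:
        return data, []
    sig = next(s for s in sigs if s.name == name)
    return disinfect(data, sig), [name]


def clean_until_clean(data: bytes, sigs: list[Signature],
                      max_rounds: int = 16) -> tuple[bytes, list[str]]:
    """Engine model B: rescan after every disinfection until nothing matches."""
    cleaned: list[str] = []
    for _ in range(max_rounds):
        name = first_come(data, sigs)
        if name is None:
            break
        sig = next(s for s in sigs if s.name == name)
        data = disinfect(data, sig)
        cleaned.append(name)
    return data, cleaned


def clean_cost(names: Iterable[str], sigs: Iterable[Signature]) -> int:
    """Total hypothetical cleaning time the engine spent on the given families."""
    cost = {s.name: s.clean_cost for s in sigs}
    return sum(cost[n] for n in names)


def build_sample(decoys: Iterable[Signature], real: Signature) -> bytes:
    """Constructed sample file: decoy signatures planted ahead of the real one."""
    body = b"".join(b"\x00" * 8 + d.pattern for d in decoys)
    return b"MZ" + body + b"\x00" * 16 + real.pattern + b"\x00" * 32


# A file carrying both decoys (cheap-to-clean and slow-to-clean) plus the
# signature of the family the author actually wants to hide.
SAMPLE = build_sample(SIGNATURES[:2], SIGNATURES[2])

if __name__ == "__main__":
    print("all hits:", find_all(SAMPLE, SIGNATURES))
    print("first come:", first_come(SAMPLE, SIGNATURES))
    left, names = clean_first_only(SAMPLE, SIGNATURES)
    print("model A cleaned:", names, "real threat still present:",
          SIGNATURES[2].pattern in left)
    left, names = clean_until_clean(SAMPLE, SIGNATURES)
    print("model B cleaned:", names, "cost:", clean_cost(names, SIGNATURES))
```

Under model A the file is reported as "Fake.EasyClean", that pattern is wiped, and the "Fake.RealThreat" bytes survive untouched; under model B all three are found, but the engine spends most of its time on the planted "Fake.SlowClean" entry, which is the time-sink effect from point 3. Whether a given commercial engine behaves like A or B is exactly the open question the message raises.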

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.