funsec mailing list archives
Re: write viruses? it's controversy time of the month
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Tue, 29 Aug 2006 22:31:23 -0400
On 8/29/06, Nick FitzGerald <nick () virus-l demon co uk> wrote:
> Blue Boar wrote:
> > Interestingly, I did pretty much exactly that with Nimda.A, in order to
> > test a product I was developing. Afterwards, I thought I would be a
> > good guy, and submit samples to the AV companies. I spelled out what I
> > had done in the email.
> >
> > I said something to the effect of "I made a variant of Nimda.A".
> >
> > Most of the responses I got back were "That's a variant of Nimda.A. We
> > detect it as 'Nimda.A'"
> >
> > Uhh... thanks.
>
> Of course, that may simply mean that your definition of "variant"
> (perhaps, "that the file is not bit-identical to the original Nimda.A
> sample I started with") does not match the AV industry's definition
> (loosely, "that the code is not bit-level identical with the invariant
> parts of the virus' code" -- don't get me started on this...).
>
> Or, it may mean that your changes were "sufficiently insignificant"
> that all the vendors you approached ignore those parts of the code in
> detecting this virus (no products look at all the code in all files).

good point

If you want to test AV, just chop your least-favorite virus into half
with a hex editor, scan each bit with AV, then dissect the part it
detects in half, etc, etc. till you get the signature, then change the
source to alter that sig and see if it detects your "variant"

that's what AV authors do ( I think )

Would that be acceptable, or is this creating a new virus, if you just
change the sig and not the functionality that is?