funsec mailing list archives

Re: write viruses? it's controversy time of the month


From: Blue Boar <BlueBoar () thievco com>
Date: Tue, 29 Aug 2006 21:09:02 -0700

Nick FitzGerald wrote:
> Of course, that may simply mean that your definition of "variant" (perhaps, "that the file is not bit-identical to the original Nimda.A sample I started with") does not match the AV industry's definition (loosely, "that the code is not bit-level identical with the invariant parts of the virus' code" -- don't get me started on this...).

Nimda.A in its detached form (not attached to a .exe) didn't change under normal circumstances.

> Or, it may mean that your changes were "sufficiently insignificant" that all the vendors you approached ignore those parts of the code in detecting this virus (no products look at all the code in all files).

If memory serves, I changed on the order of 6 bytes, in the IIS scanning portion (I made it only scan 10.1.1.x).

I was left with the distinct impression that if they already had a signature match, they were happy.


                                                BB
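The exchange above turns on the difference between "bit-identical to a known sample" and "matches a signature over the invariant parts of the code". The following is an added illustration, not code from this thread or from any AV product: it contrasts a whole-file hash check with a wildcard byte-pattern signature anchored on an invariant region, using a constructed toy "binary" (the byte values, the `SCANRANGE=` field and the signature are all made up for the example) to show why the latter still fires after a small edit to a configurable part of the file.

```python
import hashlib

# Constructed toy sample: a fixed "code" region followed by a configurable
# field. None of these bytes come from any real malware; they are placeholders.
INVARIANT_CODE = b"\x55\x8b\xec\x83\xec\x10\x68\x00\x10\x00\x00"
ORIGINAL_SAMPLE = INVARIANT_CODE + b"SCANRANGE=0.0.0.0/0\x00"
VARIANT_SAMPLE = INVARIANT_CODE + b"SCANRANGE=10.1.1.0/24\x00"  # config bytes edited
CLEAN_FILE = b"\x4d\x5a\x90\x00hello world\x00"                  # unrelated content

# Approach 1: whole-file hash. Matches only files that are bit-identical to a
# sample already in the known-hash set.
KNOWN_HASHES = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}

def detect_by_hash(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES

# Approach 2: byte signature over the invariant code region. A None entry is a
# wildcard position (any byte allowed), the usual way signatures tolerate bytes
# that legitimately differ between copies (here, the stack-frame size byte).
SIGNATURE = [0x55, 0x8B, 0xEC, 0x83, 0xEC, None, 0x68]

def detect_by_signature(data: bytes, sig=SIGNATURE) -> bool:
    n = len(sig)
    for i in range(len(data) - n + 1):
        if all(s is None or data[i + j] == s for j, s in enumerate(sig)):
            return True
    return False

def classify(data: bytes) -> dict:
    """Run both detectors and report which of them fired."""
    return {"hash": detect_by_hash(data), "signature": detect_by_signature(data)}

if __name__ == "__main__":
    for name, blob in [("original", ORIGINAL_SAMPLE),
                       ("variant", VARIANT_SAMPLE),
                       ("clean", CLEAN_FILE)]:
        print(name, classify(blob))
```

The variant differs from the original only in the configurable field, so the hash check no longer matches while the signature over the invariant region still does, which is the behaviour the post describes from the vendors' side. The flip side for a defender is that the signature does not inspect the edited bytes at all, so a match tells you the family, not whether the configurable part was tampered with.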
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.