funsec mailing list archives

Re: write viruses? it's controversy time of the month


From: Drsolly <drsollyp () drsolly com>
Date: Wed, 30 Aug 2006 13:44:01 +0100 (BST)

good point


If you want to test AV, just chop your least-favorite virus into half
with a hex editor, scan each bit with AV, then dissect the part it
detects in half, etc, etc. till you get the signature, then change the
source to alter that sig and see if it detects your "variant"

That's making some pretty major assumptions about how all AV products 
work. 

It's fairly safe to say that not all AV products work the same way. And I 
could easily think that this technique wouldn't work for some AV 
products. 

I know for sure that it wouldn't have worked with Findvirus when I was 
maintaining it, and I'm guessing it won't today. I'm not sure what you'd 
conclude when you chop your virus into two files and discover that 
Findvirus (correctly) says that neither of those files is a virus. I'd be 
interested to hear what your conclusion, when seeing that, would be. Would 
it be "Oh, my understanding of how Findvirus works must be incorrect"? 
 
that's what AV authors do ( I think )

Let's hope you're right! But I doubt it; my guess is that they found out 
that this doesn't work when they tried it.
 
Would that be acceptable, or is this creating a new virus, if you just
change the sig and not the functionality that is?

My objection to this idea is that it simply wouldn't work. Or worse - it 
might work for some products because of the way they operate, but not on 
others because of the way they operate. You might then conclude that some 
products are better than others, for absolutely no good reason.

This is not very far from my objection to the CR idea of writing 5,500 
viruses. I don't think that they actually did create 5,500 viruses, I 
think they created 5,500 files, of which an unknown number were viruses, 
and we'll probably never be able to find out how many, which means that we 
(and CR) have no idea whether the test was actually useful or not.


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
