Focus on Virus
RE: Extracting signature snippets from AV databases May 08 2006 09:56PM
Bill Stout (bill stout greenborder com) (2 replies)
Re: Extracting signature snippets from AV databases May 09 2006 07:58PM
Yuri Slobodyanyuk (yurisk inbox ru) (1 replies)
Re: Extracting signature snippets from AV databases May 09 2006 10:53PM
Nick FitzGerald (nick virus-l demon co uk)
Yuri Slobodyanyuk wrote:

> SideNote: few years ago I watched the heated dabate on some forum (don't
> remember any details) where AV vendor representative was accusing
> open-source AV developers of reverse-engineering the virus-signatures
> instead of gathering their own, so logic
> says it has been done before by someone.

Yes -- the Open AntiVirus group had a "signature extractor" that
basically took a sample of a piece of malware detected by a scanner
then successively munged it (overwriting various sized and location
blocks with nulls IIRC) until the scanner didn't detect it. Applying
this approach from several starting points and iterating eventually
gives you a suitably small-ish "chunk" of the original file that
appears necessary to its detection, at least relative to the specific
scanner in the harness. Said "chunk" was then added to OAV's detection

For a dumb, brute-force string scanner like OAV's and for some simple
types of malware this can produce marginally useful "signatures", if
detection of relatively static objects (such as non-morphing malware,
which includes most self-mailers) is your objective.

It is probably even a defensible business model if you have no ethics.

However, taking such a "signature" and sticking it into an arbitrary
file at an arbitrary offset (as the OP is apparently planning on doing)
is not even guaranteed to trigger the original scanner such a
"signature" was extracted from, for reasons I mentioned in my earlier
post and also described by Robert Sandilands.

That the OP was apparently unaware of these basic issues and
limitations of his proposed approach is rather worrying, given he is
the developer of a security product.

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092

[ reply ]
Re: Extracting signature snippets from AV databases May 09 2006 03:04PM
Kenneth Bechtel (kbechtel teamanti-virus org)


Privacy Statement
Copyright 2010, SecurityFocus