Focus on Virus
Back to list
RE: Extracting signature snippets from AV databases
May 10 2006 06:37PM
Clemens, Dan (Dan Clemens healthsouth com)
>What I'm trying to figure out is how to 'smoke test' new builds, and to
ethically and fully demonstrate >(to the CEO, to outsiders) that the
protection works. We're in alpha test, and beta is approaching fast.
What ethical dilemmas would come up from making sure your av is working
From: Nick FitzGerald [mailto:nick (at) virus-l.demon.co (dot) uk [email concealed]]
Sent: Tuesday, May 09, 2006 3:54 PM
To: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: Re: Extracting signature snippets from AV databases
Yuri Slobodyanyuk wrote:
> SideNote: few years ago I watched the heated dabate on some forum
> remember any details) where AV vendor representative was accusing
> open-source AV developers of reverse-engineering the virus-signatures
> instead of gathering their own, so logic says it has been done before
> by someone.
Yes -- the Open AntiVirus group had a "signature extractor" that
basically took a sample of a piece of malware detected by a scanner then
successively munged it (overwriting various sized and location blocks
with nulls IIRC) until the scanner didn't detect it. Applying this
approach from several starting points and iterating eventually gives you
a suitably small-ish "chunk" of the original file that appears
necessary to its detection, at least relative to the specific scanner in
the harness. Said "chunk" was then added to OAV's detection database.
For a dumb, brute-force string scanner like OAV's and for some simple
types of malware this can produce marginally useful "signatures", if
detection of relatively static objects (such as non-morphing malware,
which includes most self-mailers) is your objective.
It is probably even a defensible business model if you have no ethics.
However, taking such a "signature" and sticking it into an arbitrary
file at an arbitrary offset (as the OP is apparently planning on doing)
is not even guaranteed to trigger the original scanner such a
"signature" was extracted from, for reasons I mentioned in my earlier
post and also described by Robert Sandilands.
That the OP was apparently unaware of these basic issues and limitations
of his proposed approach is rather worrying, given he is the developer
of a security product.
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092
Confidentiality Notice: This e-mail communication and any
attachments may contain confidential and privileged information for
the use of the designated recipients named above. If you are not
the intended recipient, you are hereby notified that you have
received this communication in error and that any review,
disclosure, dissemination, distribution or copying of it or its
contents is prohibited. If you have received this communication in
error, please notify me immediately by replying to this message and
deleting it from your computer. Thank you.
[ reply ]
Copyright 2010, SecurityFocus