Focus on Virus
RE: Extracting signature snippets from AV databases May 10 2006 06:37PM
Clemens, Dan (Dan Clemens healthsouth com)


> What I'm trying to figure out is how to 'smoke test' new builds, and to
> ethically and fully demonstrate (to the CEO, to outsiders) that the
> protection works. We're in alpha test, and beta is approaching fast.

What ethical dilemmas would come up from making sure your av is working
correctly?

-Daniel

-----Original Message-----
From: Nick FitzGerald [mailto:nick (at) virus-l.demon.co (dot) uk [email concealed]]
Sent: Tuesday, May 09, 2006 3:54 PM
To: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: Re: Extracting signature snippets from AV databases

Yuri Slobodyanyuk wrote:

> SideNote: few years ago I watched the heated debate on some forum
> (don't remember any details) where AV vendor representative was accusing
> open-source AV developers of reverse-engineering the virus-signatures
> instead of gathering their own, so logic says it has been done before
> by someone.

Yes -- the Open AntiVirus group had a "signature extractor" that
basically took a sample of a piece of malware detected by a scanner then
successively munged it (overwriting various sized and location blocks
with nulls IIRC) until the scanner didn't detect it. Applying this
approach from several starting points and iterating eventually gives you
a suitably small-ish "chunk" of the original file that appears
necessary to its detection, at least relative to the specific scanner in
the harness. Said "chunk" was then added to OAV's detection database.

For a dumb, brute-force string scanner like OAV's and for some simple
types of malware this can produce marginally useful "signatures", if
detection of relatively static objects (such as non-morphing malware,
which includes most self-mailers) is your objective.

It is probably even a defensible business model if you have no ethics.

However, taking such a "signature" and sticking it into an arbitrary
file at an arbitrary offset (as the OP is apparently planning on doing)
is not even guaranteed to trigger the original scanner such a
"signature" was extracted from, for reasons I mentioned in my earlier
post and also described by Robert Sandilands.

That the OP was apparently unaware of these basic issues and limitations
of his proposed approach is rather worrying, given he is the developer
of a security product.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092

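As an added illustration, not code from this thread or from the Open AntiVirus project: a toy version of the block-nulling minimiser Nick describes, in Python, run against two constructed scanners (a plain substring matcher standing in for OAV's string scanner, and one that also demands a header and an offset window). The pattern `SIG`, the filler bytes, the sample and both scanners are assumptions made for the demonstration; it then splices the surviving chunk into an unrelated file at an arbitrary offset to show which scanner still fires.

```python
"""Toy block-nulling minimiser and two constructed scanners (added example)."""

# Constructed pattern standing in for a detection string; not a real signature.
SIG = b"EVIL-CONSTRUCTED-PATTERN"


def substring_scanner(data: bytes) -> bool:
    """Dumb brute-force string scanner: matches SIG at any offset."""
    return SIG in data


def anchored_scanner(data: bytes) -> bool:
    """Scanner with context: needs an 'MZ' header and SIG within the first 128 bytes."""
    return data[:2] == b"MZ" and SIG in data[:128]


def minimize(sample: bytes, detect) -> bytes:
    """Overwrite blocks of shrinking size with NULs, keeping each overwrite only
    while the scanner still fires. Returns the sample with every byte the
    scanner did not need replaced by 0x00."""
    data = bytearray(sample)
    block = max(len(data) // 2, 1)
    while block >= 1:
        for start in range(0, len(data), block):
            saved = bytes(data[start:start + block])
            if not any(saved):            # already nulled on an earlier pass
                continue
            data[start:start + block] = b"\x00" * len(saved)
            if not detect(bytes(data)):   # detection broke: this block matters
                data[start:start + block] = saved
        block //= 2
    return bytes(data)


def retained_runs(minimized: bytes) -> list:
    """Split the minimised buffer into (offset, bytes) runs of surviving non-null bytes."""
    runs, start = [], None
    for i, b in enumerate(minimized + b"\x00"):   # sentinel closes the last run
        if b and start is None:
            start = i
        elif not b and start is not None:
            runs.append((start, minimized[start:i]))
            start = None
    return runs


def splice(carrier: bytes, chunk: bytes, offset: int) -> bytes:
    """Overwrite carrier at offset with chunk: the 'arbitrary file, arbitrary offset' plan."""
    return carrier[:offset] + chunk + carrier[offset + len(chunk):]


def filler(n: int, seed: int) -> bytes:
    """Deterministic non-null filler bytes (constructed, no meaning)."""
    return bytes((i * 37 + seed) % 255 + 1 for i in range(n))


# Constructed "sample": header, some bytes, the pattern, more bytes.
SAMPLE = b"MZ" + filler(60, 11) + SIG + filler(200, 5)


def demo() -> dict:
    """Minimise SAMPLE against each scanner, then test the chunk in a foreign carrier."""
    results = {}
    for name, scanner in (("substring", substring_scanner), ("anchored", anchored_scanner)):
        runs = retained_runs(minimize(SAMPLE, scanner))
        results[name + "_runs"] = runs
        # Treat the largest surviving run as "the signature" and drop it into an
        # unrelated carrier (no header) at an arbitrary offset.
        chunk = max(runs, key=lambda r: len(r[1]))[1]
        carrier = b"not an executable, just constructed text " + filler(400, 3)
        results[name + "_fires_after_splice"] = scanner(splice(carrier, chunk, 300))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against the substring scanner the minimiser leaves only the 24-byte pattern, and that chunk fires wherever it is placed; against the anchored scanner the header bytes survive too, and the same chunk spliced at offset 300 of a header-less carrier is not detected at all, which is the failure Nick warns about. Both toys carry far less context than a real engine, so a chunk lifted this way says little about whether a given scanner will flag the file it ends up in.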