Focus on Virus
RE: Extracting signature snippets from AV databases May 10 2006 05:02PM
Bill Stout (bill stout greenborder com) (2 replies)

I hear you, thanks.

For internal testing we run publicly sourced live viruses and other
malware in an isolated locked room, where the only media that comes out
is shredded.

What I'm trying to figure out is how to 'smoke test' new builds, and to
ethically and fully demonstrate (to the CEO, to outsiders) that the
protection works. We're in alpha test, and beta is approaching fast.

Bill Stout

-----Original Message-----
From: Nick FitzGerald [mailto:nick (at) (dot) uk [email concealed]]
Sent: Tuesday, May 09, 2006 3:54 PM
To: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: Re: Extracting signature snippets from AV databases

Yuri Slobodyanyuk wrote:

> SideNote: few years ago I watched the heated debate on some forum
> remember any details) where AV vendor representative was accusing
> open-source AV developers of reverse-engineering the virus-signatures
> instead of gathering their own, so logic
> says it has been done before by someone.

Yes -- the Open AntiVirus group had a "signature extractor" that
basically took a sample of a piece of malware detected by a scanner
then successively munged it (overwriting various sized and location
blocks with nulls IIRC) until the scanner didn't detect it. Applying
this approach from several starting points and iterating eventually
gives you a suitably small-ish "chunk" of the original file that
appears necessary to its detection, at least relative to the specific
scanner in the harness. Said "chunk" was then added to OAV's detection

For a dumb, brute-force string scanner like OAV's and for some simple
types of malware this can produce marginally useful "signatures", if
detection of relatively static objects (such as non-morphing malware,
which includes most self-mailers) is your objective.

It is probably even a defensible business model if you have no ethics.

However, taking such a "signature" and sticking it into an arbitrary
file at an arbitrary offset (as the OP is apparently planning on doing)
is not even guaranteed to trigger the original scanner such a
"signature" was extracted from, for reasons I mentioned in my earlier
post and also described by Robert Sandilands.

That the OP was apparently unaware of these basic issues and
limitations of his proposed approach is rather worrying, given he is
the developer of a security product.

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092

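The block-nulling reduction Nick describes, and the offset problem he raises, as an added toy example (not code from the thread or from OAV): a constructed sample file, two constructed scanners (a plain string matcher and one that checks the file format first), a single-pass reducer, and a check of whether the extracted chunk still fires when dropped into an unrelated buffer at an arbitrary offset.

```python
from typing import Callable

# Constructed toy format: 4-byte magic, 4-byte little-endian "code offset",
# padding to 32 bytes, then code. MARKER is a made-up stand-in, not real AV data.
MAGIC = b"MZ\x90\x00"
MARKER = b"CALL EVIL_ROUTINE!!"

def build_sample() -> bytes:
    header = MAGIC + (32).to_bytes(4, "little") + b"\x00" * 24
    return header + b"\x90" * 10 + MARKER + b"\xcc" * 20

def naive_scanner(data: bytes) -> bool:
    """Dumb string scanner: the marker anywhere in the file is a hit."""
    return MARKER in data

def context_scanner(data: bytes) -> bool:
    """Format-aware scanner: valid header, then look only at the code area."""
    if len(data) < 32 or data[:4] != MAGIC:
        return False
    code_off = int.from_bytes(data[4:8], "little")
    return MARKER in data[code_off:code_off + 32]

def extract_chunk(sample: bytes, detects: Callable[[bytes], bool], block: int = 4) -> bytes:
    """One pass from one starting point: null each block, keep the nulls if the
    scanner still fires, restore the block if it stops; return the surviving span."""
    buf = bytearray(sample)
    kept = []
    for start in range(0, len(buf), block):
        saved = bytes(buf[start:start + block])
        buf[start:start + block] = b"\x00" * len(saved)
        if not detects(bytes(buf)):
            buf[start:start + block] = saved  # this block is needed for detection
            kept.append(start)
    if not kept:
        return b""
    return bytes(buf[kept[0]:kept[-1] + block])

def plant(chunk: bytes, offset: int, carrier_len: int = 256) -> bytes:
    """Drop the chunk into an otherwise innocuous buffer at a chosen offset."""
    carrier = bytearray(b"A" * carrier_len)
    carrier[offset:offset + len(chunk)] = chunk
    return bytes(carrier)

if __name__ == "__main__":
    sample = build_sample()
    for name, scanner in (("naive", naive_scanner), ("context", context_scanner)):
        chunk = extract_chunk(sample, scanner)
        at_100 = scanner(plant(chunk, 100))
        print(f"{name}: chunk={len(chunk)} bytes, fires at offset 100: {at_100}")
```

Against the string scanner the chunk is just the marker plus a few neighbouring bytes and fires anywhere; against the format-aware scanner the "signature" drags in the header and only fires when the whole context is reproduced at offset 0.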