Well, I kinda understand that the signature is probably the part of the virus that does the bad stuff, BUT the virus is executing instructions that are perfectly legit.
Let's look at a virus that spreads itself and pops up "malware is gay!" every few minutes. (I'm pretty positive that malware is the superset of virus. Microsoft says Blaster is malware, and nobody says a worm that caused millions in damage is sissy, or gay, in your sense.)
I'll break up the stuff it does into steps, and every step will be legitimate.
1) Checks if the computer is infected (i.e. checks if that virus exists on the computer)
2) Goes to step 3 if it's uninfected. If it's infected, kills itself.
3) Gets itself into a nice location, probably the Windows directory, and makes itself start every time the computer boots.
4) Pops up "malware is gay" every few minutes
5) Puts itself on every removable drive, and sends itself to every email in the victim's address book.
As you can see, every part of the virus is doing something legitimate: checking the computer's filesystem (which MS Word also does), copying some files (lots of software does this), popping up a dialog box (duh!), and copying files again.
How does a virus scanner detect this as a virus then? If it's a virus, probably many Microsoft products are viruses as well! (Well, some of them probably are.)
To test out this concept, I made a program (using C++) that does just what I said, except for the pop-up. I sent it to virus scanners, and voila! Nothing detected.
So, if a virus scanner wants to detect this specific program, which part will be the signature?
I'm pretty sure the signature is not a sample of the actual machine code of the virus, but a hash of all parts. Your program is not strictly a virus, because it relies on the computer owner being stupid enough to run it; ergo, it's a trojan. A malware scanner will check if the file is executable, then take a hash, and compare it to the hashes it has in its list of malware.
There are so many problems with what you just said, Telboon.
First off, anyone can write (okay, not anyone) a virus that won't get detected by an online virus scanner, as long as your code isn't too similar to virus definitions already in its bank.
The virus signature is a set of bytes in a virus that have been identified as belonging to a virus. Anyone still wondering can read this: Computer virus - Wikipedia, the free encyclopedia
So basically before the virus can be detected there has to be a signature that identifies it.
Firstly, my question was to ask what a signature of a virus is. I'm not self-gratifying, in case you are mistaken. The program I described is there to explain my point, which is that the process of a virus infecting and running its payload is legitimate. Before the signature gets explained, here come virus definitions. Very helpful. I know all these terms exist to identify viruses (duh!), but how exactly do they do it? THAT is what I want to know, instead of what they are.
Set of bytes. Now we are getting somewhere, but what exactly is that set of bytes? What defines that set of bytes? The set that is malicious, or just random bytes? Are antivirus makers so sure no other legitimate software will have this set of bytes by coincidence? How about my program? It does what a standard virus does (or maybe just part of it), so why isn't the "evil set of bytes" found in my program?
So basically, what is special about that set of bytes that the antivirus can be so sure of, to claim that the program is a virus?
PS: By the way, the virus scanners had heuristic scanning turned on. But just to avoid confusion, let's leave the heuristic part out for now.
Basically this is how I understand it.
Anti-virus companies catch a virus; they then identify a set of bytes that can be linked to this virus, even if a few changes are made by a skiddy, and they also want to make sure that it's not a byte sequence commonly found in legit programs. This is obviously because they don't want the virus scanner to be picking up a lot of legit programs.
Also, if there is no byte sequence in your code that matches a current definition, then your virus or worm or whatever it is is going to pass. No piece of any malicious code I have ever written has been picked up by an online virus scanner; this is the same reason that viruses can be powerful in the wild. If their code is unique, then there will need to be a new definition before they can be caught by AVs.
Also, dude, antivirus scanners don't make definitions; they simply get the definitions that are sent to them from the AV company.
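As an added illustration, not written by any poster in this thread, here is a small Python scanner that implements the two definition styles discussed above: the whole-file hash from the earlier reply, and the byte sequence with a little tolerance for edits, vetted against legit files, from the reply just above. The three "files", the definition names and the hex-with-wildcards pattern format are all constructed for the example and stand in for nothing real.

```python
import hashlib
import re

# Constructed stand-in "files" for this example. None is real malware; the
# bytes are invented so the script runs offline. The first plays the role of
# the sample an AV vendor has captured, the second a lightly edited variant
# of it, the third an unrelated benign program.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 12 + b"PAYLOAD:copy-to-startup;mail-addressbook" + b"\x00" * 8
VARIANT_SAMPLE = b"MZ\x90\x00" + b"\x00" * 12 + b"PAYLOAD:copy-to-startup;mail-addr3ssb00k" + b"\x00" * 8
BENIGN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 12 + b"HELLO:just a text editor" + b"\x00" * 8


def sha256_hex(data: bytes) -> str:
    """Whole-file hash: the 'hash of all parts' style of definition."""
    return hashlib.sha256(data).hexdigest()


def compile_signature(hex_sig: str) -> "re.Pattern":
    """Turn a hex byte pattern with '??' wildcards into a bytes regex.

    '??' stands for any single byte, so a definition can pin down the bytes
    that identify the family while tolerating small edits around them.
    """
    parts = []
    for tok in hex_sig.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


# Hypothetical definition names. The pattern below spells "mail-addr?ssb??k":
# the distinctive string from the captured sample with three byte positions
# left as wildcards, which is what lets it survive the variant's edits.
HASH_DEFS = {"Trojan.Example.A (hash)": sha256_hex(KNOWN_SAMPLE)}
PATTERN_DEFS = {
    "Trojan.Example.A (bytes)": compile_signature(
        "6d 61 69 6c 2d 61 64 64 72 ?? 73 73 62 ?? ?? 6b"
    ),
}


def scan(data: bytes) -> list:
    """Return the names of every definition that fires on the given bytes."""
    hits = []
    digest = sha256_hex(data)
    for name, known_digest in HASH_DEFS.items():
        if digest == known_digest:
            hits.append(name)
    for name, pattern in PATTERN_DEFS.items():
        if pattern.search(data):
            hits.append(name)
    return hits


def vet_signature(pattern: "re.Pattern", benign_corpus: list) -> bool:
    """A vendor-side check before shipping a definition: the byte pattern must
    not appear in any known-good file, or it would flag legitimate software."""
    return not any(pattern.search(f) for f in benign_corpus)


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(f"{label:8s} -> {scan(sample) or 'clean'}")
    print("signature safe on benign corpus:",
          vet_signature(PATTERN_DEFS["Trojan.Example.A (bytes)"], [BENIGN_SAMPLE]))
```

Running it shows the point the thread is circling: the hash definition fires only on the exact captured file, the byte-pattern definition also catches the edited variant, and neither fires on the benign file because the chosen bytes do not occur in it. A program whose bytes resemble nothing in either list, like the poster's C++ test, produces no hits at all, however virus-like its behaviour.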
I see.. Thanks for the explanation.
BTW, I know definitions are made by AV company. I guess my phrasing was ambiguous then..
One way some people get around virus definitions and stuff like that is to write a mutating program, which basically "evolves" so much that it's unrecognizable across generations. Extremely hard to write, but even more difficult to stop, because there are so many versions.
Even if you aren't interested in that sort of thing, I suggest you look up self-modifying programs on Google; it's pretty interesting.
yeah lol
just get over it
and I'm not a newbie any more, yeah that's rite, plz ppl +rep me
Last edited by ViRuSS; 09-01-2008 at 07:52 AM. Reason: OK
I didn't write anything here; this is Illusion.
For...?
Ah, he should just rename himself RepHunter.... Just ignore him!
Hey! Check out my new Toyota keyboaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa