CodeCall Programming Forum > Software Security > Virus Detection
#21  telboon  07-29-2008, 09:31 AM
Re: Virus Detection

Quote:
Originally Posted by dargueta View Post
Getting back to viruses...what MeTh0Dz meant by signatures in a virus is the "engine". Viruses use "engines" to get in underneath the security system. (Basically what it does is sneak by the security software using various techniques and then calls the main() function of the virus.)

You can create different viruses using the same engine, and create the same virus using different engines. So when antivirus software scans a file, it checks its database of known hacking/tunneling engines and sees whether one of those is present in that file. If it is, then it flags it as infected and takes appropriate action.

Tunneling With DOS Interrupts
Well, I kinda understand that the signature is probably the part of the virus that does the bad stuff, BUT the virus is executing instructions that are perfectly legit.

Let's look at a virus that spreads itself and pops up "malware is gay!" every few minutes. (I'm pretty positive that malware is the superset of virus. Microsoft says Blaster is malware, and nobody says a worm that caused millions in damage is sissy, or gay, in your sense.)

I'll break up the stuff it does into steps, and every step will be legitimate.

1) Checks if the computer is infected (i.e. checks if that virus exists on the computer).

2) Goes to step 3 if it's uninfected. If it's infected, kills itself.

3) Gets itself into a nice location, probably the Windows directory, and makes itself start every time the computer boots.

4) Pops up "malware is gay" every few minutes.

5) Puts itself on every removable drive, and sends itself to every email address in the victim's address book.

As you can see, all parts of the virus are doing something legitimate: checking the filesystem of the computer (which MS Word also does), copying some files (lots of software does this), popping up a dialog box (duh!), and copying files again.

How does a virus scanner detect this as a virus, then? If it's a virus, probably many Microsoft products are viruses as well! (Well, some of them probably are.)

To test out this concept, I made a program (using C++) that does just what I said, except for the pop-up. I sent it to virus scanners, and voila! Nothing detected.

So, if a virus scanner wants to detect this specific program, which part will be the signature?
#22  Aereshaa  07-29-2008, 11:51 AM
Re: Virus Detection

I'm pretty sure the signature is not a sample of the actual machine code of the virus, but a hash of all parts. Your program is not strictly a virus, because it relies on the computer owner being stupid enough to run it; ergo, it's a trojan. A malware scanner will check if the file is executable, then take a hash, and compare it to the hash it has in its list of malware.
#23  MeTh0Dz|Reb0rn  07-29-2008, 11:56 AM
Re: Virus Detection

There are so many problems with what you just said, Telboon.

First off, anyone can write (okay, not anyone) a virus that won't get detected by an online virus scanner, as long as your code isn't too similar to virus definitions already in its bank.

The virus signature is a set of bytes in a virus that have been identified as belonging to a virus. Anyone still wondering can read this: Computer virus - Wikipedia, the free encyclopedia

So basically, before the virus can be detected there has to be a signature that identifies it.
#24  telboon  07-29-2008, 12:07 PM
Re: Virus Detection

Quote:
Originally Posted by MeTh0Dz|Reb0rn (post #23 above, quoted in full)
Firstly, my question is to ask what a signature of a virus is. I'm not self-gratifying, in case you are mistaken. The program I described is to explain my point, which is that the process of a virus infecting and delivering its payload is legitimate. Before the signature gets explained, here come virus definitions. Very helpful. I know all these terms exist to identify viruses (duh!), but how exactly do they do it? THAT is what I want to know, instead of what they are.

Set of bytes. Now we are getting somewhere, but what exactly is that set of bytes? What defines that set of bytes? The set that is malicious, or just random bytes? Are antivirus makers so sure no other legitimate software will have this set of bytes by coincidence? How about my program? It does what a standard virus does (or maybe just a part of it), but why isn't the "evil set of bytes" found in my program?

So basically, what is special about that set of bytes that the antivirus can be so sure of, to claim that the program is a virus?

PS: By the way, the virus scanners had heuristic scanning turned on. But just to avoid confusion, let's leave the heuristic part out for now.
#25  MeTh0Dz|Reb0rn  07-29-2008, 12:12 PM
Re: Virus Detection

Basically, this is how I understand it.

Anti-virus companies catch a virus; they then identify a set of bytes that can be linked to this virus, even if a few changes are made by a skiddy, and they also want to make sure that it's not a byte sequence commonly found in legit programs. This is obviously because they don't want the virus scanner to be picking up a lot of legit programs.

Also, if there is no byte sequence in your code that matches a current definition, then your virus or worm or whatever it is, is going to pass. No piece of any malicious code I have ever written has been picked up by an online virus scanner; this is the same reason that viruses can be powerful in the wild. If their code is unique, then there will need to be a new definition before they can be caught by AVs.

Also, dude, antivirus scanners don't make definitions; they simply get the definitions that are sent to them from the AV company.
#26  telboon  07-29-2008, 12:20 PM
Re: Virus Detection

I see. Thanks for the explanation.

BTW, I know definitions are made by the AV company. I guess my phrasing was ambiguous, then.
#27  dargueta  07-29-2008, 10:18 PM
Re: Virus Detection

One way some people get around virus definitions and stuff like that is to write a mutating program, which basically "evolves" so much that it's unrecognizable across generations. Extremely hard to write, but even more difficult to stop, because there are so many versions.

Even if you aren't interested in that sort of thing, I suggest you look up self-modifying programs on Google; it's pretty interesting.
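The byte-sequence-versus-hash argument in posts #22 through #25 and the mutating-program idea in post #27, worked through as an added example. This is Python written for this edit; it is not code from any poster and not how any real antivirus engine is built. The "engine" bytes, the two payload strings, the fake executable layout, the clean corpus and the three-byte decoder marker are all constructed for the demonstration, and the hypothetical "definitions database" is just a set of SHA-256 hashes plus a few compiled byte patterns.

```python
"""Toy signature scanner: whole-file hash vs. byte-pattern signatures, and why
a self-encoding ("mutating") sample defeats both until its body is decoded.
Everything here is constructed for illustration; none of it is real malware
and none of it is any antivirus vendor's real format."""
import hashlib
import re

# --- Constructed samples -------------------------------------------------------
# A 12-byte x86-style "find my own address" routine (call $+5 / pop ebx /
# sub ebx, imm32).  We pretend this is the "engine" every variant carries.
ENGINE = bytes.fromhex("e800000000" "5b" "81eb" "10204000")
PAYLOAD_V1 = b"malware is gay!\x00"   # constructed payload string (post #21)
PAYLOAD_V2 = b"malware is bad!\x00"   # a "skiddy edit": same length, 3 bytes changed

def build_sample(engine: bytes, payload: bytes) -> bytes:
    """Assemble a fake executable image: stub header, engine, payload, padding."""
    return b"MZ" + b"\x00" * 14 + engine + payload + b"\xcc" * 16

SAMPLE_V1 = build_sample(ENGINE, PAYLOAD_V1)
SAMPLE_V2 = build_sample(ENGINE, PAYLOAD_V2)

# --- Two kinds of signature ----------------------------------------------------
def hash_signature(data: bytes) -> str:
    """Whole-file signature (the view in post #22): SHA-256 of the entire file."""
    return hashlib.sha256(data).hexdigest()

# Byte-pattern signature (the view in posts #23/#25): fixed opcode bytes with a
# 4-byte wildcard for the immediate, so relinking at another address still hits.
ENGINE_PATTERN = re.compile(rb"\xe8\x00\x00\x00\x00\x5b\x81\xeb.{4}", re.DOTALL)
# A shorter, tempting pattern: only call $+5 / pop ebx.  Too generic (see below).
SHORT_PATTERN = re.compile(rb"\xe8\x00\x00\x00\x00\x5b", re.DOTALL)

def matches_pattern(data: bytes, pattern: "re.Pattern[bytes]") -> bool:
    return pattern.search(data) is not None

def matches_hash(data: bytes, known_hashes) -> bool:
    return hash_signature(data) in known_hashes

# --- False-positive check: would this pattern fire on clean code? -------------
# Constructed "clean" files.  Two of them use call/pop for position-independent
# code, which is exactly why a pattern that is just call/pop is unusable.
CLEAN_CORPUS = [
    b"MZ" + b"\x00" * 14 + b"\xe8\x00\x00\x00\x00\x5b\xc3" + b"hello\x00",
    b"MZ" + b"\x00" * 14 + b"\x55\x89\xe5\xc9\xc3",
    b"\x7fELF" + b"\x00" * 12 + b"\xe8\x00\x00\x00\x00\x5b\x81\xc3\x00\x10\x00\x00",
]

def false_positive_rate(pattern, corpus) -> float:
    """Fraction of the clean corpus a pattern would (wrongly) flag."""
    return sum(matches_pattern(f, pattern) for f in corpus) / len(corpus)

# --- "Mutating" sample (post #27), toy version ---------------------------------
# The body is XOR-encoded with a per-generation key; only a tiny constant
# decoder marker stays the same across generations.  DECODER_MARK is a made-up
# 3-byte tag standing in for real decoder code, followed by the 1-byte key.
DECODER_MARK = b"\xde\xc0\xde"

def xor_encode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def build_mutated(engine: bytes, payload: bytes, key: int) -> bytes:
    body = xor_encode(engine + payload, key)
    return b"MZ" + b"\x00" * 14 + DECODER_MARK + bytes([key]) + body + b"\xcc" * 16

def decode_mutated(sample: bytes) -> bytes:
    """What an emulating scanner does: run the decoder, then scan the plaintext."""
    idx = sample.find(DECODER_MARK)
    if idx < 0:
        return sample                      # nothing to decode, scan as-is
    key = sample[idx + len(DECODER_MARK)]
    body = sample[idx + len(DECODER_MARK) + 1:]
    return sample[:idx] + xor_encode(body, key)

STUB_PATTERN = re.compile(re.escape(DECODER_MARK))

# --- Scanner -------------------------------------------------------------------
def scan(data: bytes, known_hashes=frozenset(), emulate: bool = False) -> dict:
    """Return which signature types hit.  With emulate=True the body is decoded
    first, which is how a scanner sees through a simple XOR layer."""
    view = decode_mutated(data) if emulate else data
    return {
        "hash": matches_hash(data, known_hashes),
        "engine": matches_pattern(view, ENGINE_PATTERN),
        "decoder_stub": matches_pattern(data, STUB_PATTERN),
    }

if __name__ == "__main__":
    db = {hash_signature(SAMPLE_V1)}           # the AV company "caught" V1
    print("V1 original   :", scan(SAMPLE_V1, db))
    print("V2 skiddy edit:", scan(SAMPLE_V2, db))
    m = build_mutated(ENGINE, PAYLOAD_V1, 0x5A)
    print("mutated       :", scan(m, db))
    print("mutated+emul  :", scan(m, db, emulate=True))
    print("FP rate short :", false_positive_rate(SHORT_PATTERN, CLEAN_CORPUS))
    print("FP rate engine:", false_positive_rate(ENGINE_PATTERN, CLEAN_CORPUS))
```

Running it shows the three points the thread circles around: the whole-file hash stops matching after a three-byte edit while the opcode pattern still hits; a pattern that is too short (bare call/pop) flags two of the three constructed clean files, which is why a definition has to avoid byte runs common in legitimate code; and a per-generation XOR layer defeats both the hash and the engine pattern, leaving only the constant decoder marker or an emulated decode as something to sign.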
#28  ViRuSS  08-31-2008, 05:15 PM

yeah lol

just get over it

and I'm not a newbie any more, yeah that's right, plz ppl +rep me
__________________
I didn't write anything here, this is Illusion
#29  dargueta  08-31-2008, 09:14 PM
Re: Virus Detection

For...?
#30  marwex89  09-01-2008, 06:28 PM
Re: Virus Detection

Ah, he should just rename himself RepHunter.... Just ignore him