Yuri Slobodyanyuk wrote:
SideNote: few years ago I watched the heated dabate on some forum (don't
remember any details) where AV vendor representative was accusing
open-source AV developers of reverse-engineering the virus-signatures
instead of gathering their own, so logic
says it has been done before by someone.
Yes -- the Open AntiVirus group had a "signature extractor" that
basically took a sample of a piece of malware detected by a scanner
then successively munged it (overwriting various sized and location
blocks with nulls IIRC) until the scanner didn't detect it. Applying
this approach from several starting points and iterating eventually
gives you a suitably small-ish "chunk" of the original file that
appears necessary to its detection, at least relative to the specific
scanner in the harness. Said "chunk" was then added to OAV's detection
database.
For a dumb, brute-force string scanner like OAV's and for some simple
types of malware this can produce marginally useful "signatures", if
detection of relatively static objects (such as non-morphing malware,
which includes most self-mailers) is your objective.
It is probably even a defensible business model if you have no ethics.
However, taking such a "signature" and sticking it into an arbitrary
file at an arbitrary offset (as the OP is apparently planning on doing)
is not even guaranteed to trigger the original scanner such a
"signature" was extracted from, for reasons I mentioned in my earlier
post and also described by Robert Sandilands.
That the OP was apparently unaware of these basic issues and
limitations of his proposed approach is rather worrying, given he is
the developer of a security product.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092
