[funsec] Consumer Reports Slammed for Creating 'Test' Viruses

Drsolly drsollyp at drsolly.com
Sun Aug 20 09:29:25 CDT 2006


On Sat, 19 Aug 2006, Blue Boar wrote:

> Drsolly wrote:
> > But could you write 5,000 of them to use as a test set?
> 
> 5000 isn't my number.  Just 1 tells you something.  If I feel that some 
> large number is important, then I want to write a virus generator, don't I?

All the virus generators I've seen write just one virus, and a bunch of 
variants.
 
> > Would they work in a DOS box? Probably not - it isn't really DOS, it's 
> > actually some sort of DOS emulation (it can't directly address the 
> > hardware, it has to be filtered through Windows, I think).
> 
> In that case, the simpler a virus, the better chance it has to run in 
> the future.  For example, if all it did were file infection, then it 
> should likely run (modulo file permissions.)

See below.
 
> > 
> > But a virus (if it could actually run) would happily infect a 
> > Windows EXE file. And then that Win EXE file wouldn't work, for reasons as 
> > per above when you went back to Windows and you tried to run it.
> 
> Yes, I saw some of that myself when I was doing IT.  The win.com file 
> would let you know when you were infected. :)
> 
> > OK, specify another test strategy, I'll see if I can find the flaw.
> >
> > Maybe you could, but a sample of one, isn't really good enough for product 
> > testing. Now - if it takes you two weeks (a really conservative estimate) 
> > to write a PE virus, how long would it take you to write 5,000?
> > 
> > Answer - 200 years. Not feasible.
> 
> So how about those virus creation kits... make one that actually works? 
>    (I.e. I make one that works, not fight with the existing ones...) How 
> about a polymorphic packer, which is actually closer to being a 
> currently used technique?

That's almost like one virus.
 
> But still, just one tells you something about how the AV product works. 
>   How many does it take to infect you?
 
Anyone who thinks that a sample of one is enough for any sensible test 
is going to be all alone.