[funsec] write viruses? it's controversy time of the month

Dude VanWinkle dudevanwinkle at gmail.com
Tue Aug 29 21:31:23 CDT 2006


On 8/29/06, Nick FitzGerald <nick at virus-l.demon.co.uk> wrote:
> Blue Boar wrote:
>
> > Interestingly, I did pretty much exactly that with Nimda.A, in order to
> > test a product I was developing.  Afterwards, I thought I would be a
> > good guy, and submit samples to the AV companies.  I spelled out what I
> > had done in the email.
> >
> > I said something to the effect of "I made a variant of Nimda.A".
> >
> > Most of the responses I got back were "That's a variant of Nimda.A.  We
> > detect it as 'Nimda.A'"
> >
> > Uhh... thanks.
>
> Of course, that may simply mean that your definition of "variant"
> (perhaps, "that the file is not bit-identical to the original Nimda.A
> sample I started with") does not match the AV industry's definition
> (loosely, "that the code is not bit-level identical with the invariant
> parts of the virus' code" -- don't get me started on this...).
>
> Or, it may mean that your changes were "sufficiently insignificant"
> that all the vendors you approached ignore those parts of the code in
> detecting this virus (no products look at all the code in all files).

good point


If you want to test AV, just chop your least-favorite virus in half
with a hex editor, scan each bit with AV, then dissect the part it
detects in half, etc., etc., till you get the signature, then change the
source to alter that sig and see if it detects your "variant"

that's what AV authors do (I think)

Would that be acceptable, or is this creating a new virus, if you just
change the sig and not the functionality that is?

