[funsec] CME: A Total Failure -- Throw in the Towel
drsollyp at drsolly.com
Mon Mar 13 08:26:08 CST 2006
On Sun, 12 Mar 2006, Blue Boar wrote:
> Drsolly wrote:
> > OK. My favourite antivirus scanner says that "This specimen resembles
> > Yellow Wheelbarrow". Now what? I still don't know if it's CME-24 or not.
> Your scanner spits out the string "CME-24" somewhere next to "Yellow
But it doesn't ...
> and/or you go to the CME site and type in
> "Win95.YellowWheelbarror at mm-wtfbbq", and it gives you back CME-24.
How do the CME people determine that what Wonder Antivirus calls Yellow
Wheelbarrow is identical to what they call CME-24?
> Or were you instead asking about something more complicated, related to
> partial matches, and the fact that one AV may identify two files as two
> things, probably in the same family, while a second scanner says they
> are the same thing?
That's part of it. Are there any products today that do exact
identification by checksumming the static bytes of the malware?