In Forensics Digest 5 Issue 204, Barry Irwin <bviat_private> writes:

> In essence what is needed is some kind of reliable signature as used by
> Virus scanners to ID viral malware, which may often mutate slightly,

Or not so slightly.

> but still retains an identifiable bit pattern.

Sad to say, this is not always so: some viruses are extremely polymorphic, and their maps require algorithmic techniques.

> Maybe some info on the guys in AV labs on how to best look for this?

Hey, why not just use an antivirus scanner on the image? I'd recommend using a "paranoid" scan, though, so that nothing it _can_ recognize is missed. [One can use grep to get rid of the false positives, at least with the scanner I use.] Moreover, it's easy to keep these tools updated... in other words, no extra effort need be expended by *us*. :-)

[I really doubt that the AV folks are going to make the details of their scanner algorithms -- after all, that's their bread and butter. And using Open AntiVirus doesn't really solve the problem -- that detects only about 17% of the known malware out there, as I recall. [Of course, the 17% it *does* detect probably is more likely to be viruses one would expect to see -- but viruses aren't the main concern, I suspect: it's the OTHER malware that concerns us here.]

> Failing that, it shouldn't be too difficult to concoct a tool that can
> look at some of the following characteristics and provide a weighted
> rating of possible malware:
> - Filesize ( +- X number of bytes)
> - Magic values ( often these will just be ELF I'm sure)
> - Possibly look at the ELF structure of the file, count number of
> program headers, and Datasegments. The DS should be the one that
> changes when people rebuild with new IP's etc. I've got code
> somewhere that works out checksums for each elf object - possibly
> match on the elf program segment checksum? - The good old strings
> match?

In other words, use well chosen heuristics.
Yes, indeed, but it's better to use that only after exact identification has been used by a current, top quality scanner.

-BPB
University of Michigan... AntiVirus Team Leader <http://www.umich.edu/~virus-busters/>
Data Recovery Team Leader <http://www.umich.edu/~wwwitd/data-recovery/>
PGP 2.6.2 key fingerprint: 0D A5 98 3C 91 DA E0 DD 9C 6D FA 8F 4D 34 95 ED
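The weighted-heuristic tool sketched in the quoted post (file size within a tolerance, ELF magic, program header count, per-segment checksums, fixed strings), as an added illustration that is not code from either poster. It assumes little-endian ELF64 input; the two ELF images and the signature are constructed fixtures, built so that only the data segment (the "config" with an IP) differs between the known sample and a rebuilt one.

```python
import hashlib, struct

def parse_elf64(data):
    """Return (phnum, [(p_type, p_flags, sha256 of segment file bytes)]) or None if not ELF64 LE."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    segs = []
    for i in range(e_phnum):
        p_type, p_flags, p_off, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        segs.append((p_type, p_flags, hashlib.sha256(data[p_off:p_off + p_filesz]).hexdigest()))
    return e_phnum, segs

def code_hashes(segs):
    """Hashes of PT_LOAD (1) segments with PF_X (1): the part a rebuild with new IPs leaves alone."""
    return {h for t, f, h in segs if t == 1 and f & 1}

def make_signature(data, strings):
    phnum, segs = parse_elf64(data)
    return {"size": len(data), "phnum": phnum, "code": code_hashes(segs), "strings": strings}

def score(data, sig, size_slack=256):
    """Weighted rating: each heuristic that matches adds its weight; returns (total, hits)."""
    parsed = parse_elf64(data)
    if parsed is None:                      # no ELF magic: nothing to rate
        return 0, []
    phnum, segs = parsed
    hits = []
    if abs(len(data) - sig["size"]) <= size_slack: hits.append(("size", 1))
    if phnum == sig["phnum"]:                     hits.append(("phnum", 1))
    if code_hashes(segs) & sig["code"]:           hits.append(("code_segment", 4))
    found = sum(1 for s in sig["strings"] if s in data)
    if found:                                     hits.append(("strings", 2 * found))
    return sum(w for _, w in hits), hits

def build_elf(code, data):
    """Constructed minimal two-segment ELF64 image (a fixture, not a runnable program)."""
    code_off = 64 + 2 * 56
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    def phdr(flags, off, size):
        return struct.pack("<IIQQQQQQ", 1, flags, off, 0, 0, size, size, 0x1000)
    return ehdr + phdr(5, code_off, len(code)) + phdr(6, code_off + len(code), len(data)) + code + data

CODE = b"\x55\x48\x89\xe5\x90\x90\xc3" * 8                  # constructed stand-in for code bytes
KNOWN = build_elf(CODE, b"CONFIG=192.0.2.7:31337\0")          # constructed "known sample"
REBUILT = build_elf(CODE, b"CONFIG=198.51.100.9:31337\0")     # same code, new IP in data segment
SIG = make_signature(KNOWN, [b"CONFIG="])
```

A whole-file hash misses the rebuilt variant, while the code-segment checksum plus the size, header-count and string heuristics still rate it highly; the rating is a triage aid, to be used after an exact-identification scanner has had its say.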
This archive was generated by hypermail 2b30 : Thu Feb 06 2003 - 11:29:15 PST