From: Fridrik S. <fr...@f-...> - 2002-10-05 14:06:45
> Hi. It seems there's been some discussion on the lists about contributing
> to virus signatures. I have no idea how to do that, so was wondering if
> someone could point me to documentation or information on how to generate
> a virus signature for the definitions databases? I'd be glad to help out
> in this area, but not sure where to start. Pointers to documentation on
> this would be appreciated. :-)

You have basically two different possibilities.

Approach 1 - the virus-researcher approach

1) Take a virus-infected file.
2) Isolate the virus body.
3) Disassemble the virus body.
4) Determine which parts of the virus are constant, and which are data areas that differ between samples.
5) Pick a sequence of bytes of sufficient length, carefully selected to minimize the chances of that sequence ever appearing in a non-infected file.
6) If that sequence contains any variable areas, replace them with wildcards.
7) Check that your search string detects all copies of the virus. If not, it probably includes a variable byte you missed - in that case, go back to step 6.
8) Check the search string against some gigabytes of "clean" files as a minimal check that you are not generating any false positives.

Approach 2 - the "rip-off" approach

1) Take a virus-infected file.
2) Use PatternFinder to try to determine how some anti-virus program might be detecting the virus.
3) Consult with a lawyer to check if the above reverse-engineering is legal or not where you are. In some places this might be considered a violation of the intellectual property rights of the authors of the anti-virus program.
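The following is an added example, not part of the original message or any project it refers to, showing steps 4 to 8 of Approach 1 in Python. It assumes the virus bodies have already been isolated (steps 1 to 3) and are the same length, so that byte offsets line up across samples. The three "infected" bodies and the small "clean" corpus are constructed for the example, and the signature format (a hex string with `??` as a one-byte wildcard) is chosen here for illustration only.

```python
"""Toy signature derivation over several samples of one virus body.

Find the byte offsets that are constant across all samples (step 4), pick a
fixed-width window containing as few variable bytes as possible (step 5),
replace the variable bytes with wildcards (step 6), then verify the result
against every sample (step 7) and against a clean corpus (step 8).
"""
import re

WILDCARD = "??"  # one-byte wildcard in the hex signature; format chosen for this example


def constant_mask(samples):
    """Step 4: True at each offset where every sample holds the same byte."""
    length = len(samples[0])
    if any(len(s) != length for s in samples):
        raise ValueError("isolated virus bodies must be the same length")
    return [len({s[i] for s in samples}) == 1 for i in range(length)]


def choose_window(mask, width):
    """Step 5: offset of the width-byte window with the most constant bytes.
    Ties go to the earliest offset."""
    best_off, best_const = 0, -1
    for off in range(len(mask) - width + 1):
        const = sum(mask[off:off + width])
        if const > best_const:
            best_off, best_const = off, const
    return best_off


def make_signature(samples, width=16):
    """Steps 4-6: hex signature of the chosen window, variable bytes -> '??'."""
    mask = constant_mask(samples)
    off = choose_window(mask, width)
    ref = samples[0]
    return "".join(f"{ref[i]:02x}" if mask[i] else WILDCARD
                   for i in range(off, off + width))


def signature_to_regex(sig):
    """Compile the hex-with-wildcards signature into a bytes regex."""
    pattern = b""
    for i in range(0, len(sig), 2):
        tok = sig[i:i + 2]
        pattern += b"." if tok == WILDCARD else re.escape(bytes.fromhex(tok))
    return re.compile(pattern, re.DOTALL)  # DOTALL so '??' also matches 0x0a


def matches(sig, data):
    return signature_to_regex(sig).search(data) is not None


def verify(sig, infected, clean):
    """Steps 7 and 8: indices of infected samples missed and clean files hit."""
    missed = [i for i, s in enumerate(infected) if not matches(sig, s)]
    false_pos = [i for i, c in enumerate(clean) if matches(sig, c)]
    return missed, false_pos


def build_samples():
    """Constructed stand-in for an isolated 32-byte virus body: fixed code
    bytes with two per-infection data fields at offsets 4..5 and 20..23."""
    base = bytearray(b"\xeb\x10\x90\x90\x00\x00\xb8\x13\x37\x00\x00\x8b\xd8\x33\xc9\x8a"
                     b"\x07\x32\xc1\x88\x00\x00\x00\x00\x47\x49\x75\xf7\xc3\x5a\x5f\x5e")
    variants = [(b"\x12\x34", b"\x00\x10\x00\x00"),
                (b"\xab\xcd", b"\x00\x20\x01\x00"),
                (b"\x55\xaa", b"\x40\x13\x00\x01")]
    samples = []
    for key, size in variants:
        s = bytearray(base)
        s[4:6] = key        # constructed "decryption key" field
        s[20:24] = size     # constructed "host size" field
        samples.append(bytes(s))
    return samples


# Constructed "clean" files for step 8; a real check uses gigabytes of them.
CLEAN_CORPUS = [
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" * 4,
    b"#!/bin/sh\necho hello\n",
    b"\x7fELF\x02\x01\x01" + bytes(32),
]


if __name__ == "__main__":
    infected = build_samples()
    sig = make_signature(infected)
    print("signature:", sig)
    print("missed, false positives:", verify(sig, infected, CLEAN_CORPUS))
```

Running it derives one signature from the three constructed bodies and reports that all three are detected with no hits in the clean corpus. Deriving the signature from a single sample instead (no wildcards) reproduces the step 7 failure the message describes: the other samples are missed because the variable key field was kept as literal bytes.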