Re: [Openantivirus-developer] How to generate virus signatures? (Docs?)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

>Hi. It seems there's been some discussion on the lists about contributing
>to virus signatures. I have no idea how to do that, so was wondering if
>someone could point me to documentation or information on how to generate
>a virus signature for the definitions databases? I'd be glad to help out
>in this area, but not sure where to start. Pointers to documentation on
>this would be appreciated. :-)

You have basically two different possibilities.

Approach 1 - the virus-researcher approach

   1) Take a virus-infected file.
   2) Isolate the virus body.
   3) Disassemble the virus body.
   4) Determine which parts of the virus are constant, and which are data areas
      that differ between samples.
   5) Pick a sequence of bytes of sufficient length, carefully selected to
      minimize the chances of that sequence ever appearing in a non-infected
      file.  
   6) If that sequence contains any variable areas, replace them with wildcards.
   7) Check that your search string detects all copies of the virus.  If not,
      it probably includes a variable byte you missed - in that case, go back to
      step 6.
   8) Check the search string against some gigabytes of "clean" files as a minimal
      check that you are not generating any false positives.

Approach 2 - the "rip-off" approach

   1) Take a virus-infected file.
   2) Use PatternFinder to try to determine how some anti-virus program might be
      detecting the virus.
   3) Consult with a lawyer to check if the above reverse-engineering is legal
      or not where you are.  In some places this might be considered a violation
      of the intellectual property rights of the authors of the anti-virus program.