Saturday, January 05, 2008

everything old is new again

well, it seems like the past is coming back into style again...

there's behavioural detection in anti-virus suites, there's boot sector malware (even though it never really went away, it just died down to background noise levels) in the form of a new MBR stealthkit (anyone want to hazard a guess what this will mean for the wipe and re-install folks? 'cause format doesn't touch the MBR and fdisk isn't necessarily as straightforward as an average user would like), and now there's home made anti-virus signatures?

yup, jose nazario posts to show how to create clam anti-virus signatures for the latest storm trojan emails...

y'know, i remember when more mainstream anti-virus products had virus description languages that were simple enough that arbitrary people could create their own signatures... however, that was back in the early '90s when they were still growing out of being simple string scanners - when handling polymorphism simply meant using wildcard characters in the scan string (the precursor of today's virus signature, composed of a sequence of bytes often in hexadecimal form)...

i can honestly say i was surprised to find out that such an ancient technique could still be used with clamav; and if you think i'm being too critical of clam, look closely at the instructions in the article - those appear to be quite literally scan strings (and apparently no wildcards) in ascii form...
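to make the contrast concrete, here is a small matcher (an added illustration, not code from the original post nor from clamav itself) for the two signature forms described above: a plain ascii scan string rendered as hex, and a hex signature using the `??`, `*` and `{n-m}` wildcards of clamav's hex format, each translated into a byte regex; the sample e-mails, signature names and `example.invalid` urls are constructed for the example.

```python
import re

# Hypothetical ClamAV-style hex signature matcher (added example, not ClamAV code).
# Handles the body of a hex signature: literal hex bytes plus the wildcards
# ?? (any one byte), * (any run of bytes) and {n-m} (between n and m bytes).

def ascii_to_hex_sig(text: str) -> str:
    """A plain ASCII scan string written as a hex signature (no wildcards at all)."""
    return text.encode("latin-1").hex()

def compile_hex_sig(sig: str) -> re.Pattern:
    """Translate a hex signature with wildcards into an equivalent bytes regex."""
    tokens = re.findall(r"\?\?|\*|\{\d*-?\d*\}|[0-9a-fA-F]{2}", sig)
    if "".join(tokens) != sig:            # odd nibble count or an unknown character
        raise ValueError(f"malformed signature: {sig!r}")
    parts = []
    for tok in tokens:
        if tok == "??":
            parts.append(b".")            # exactly one arbitrary byte
        elif tok == "*":
            parts.append(b".*?")          # any number of bytes
        elif tok.startswith("{"):
            inner = tok[1:-1]             # "n-m", "n-", "-m" or "n"
            lo, _, hi = inner.partition("-")
            bounds = f"{lo or 0},{hi}" if "-" in inner else lo
            parts.append(f".{{{bounds}}}".encode())
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def scan(buf: bytes, sigs: dict) -> list:
    """Names of every signature whose pattern occurs anywhere in buf."""
    return [name for name, sig in sigs.items() if compile_hex_sig(sig).search(buf)]

# Constructed sample lures (not real storm e-mails): the second differs by one byte.
MAIL_A = b"Subject: Happy 2008!\r\n\r\nhttp://a.example.invalid/happy2008.exe\r\n"
MAIL_B = b"Subject: Happy 2008!\r\n\r\nhttp://b.example.invalid/happy-2008.exe\r\n"

SIGS = {
    # the ancient form: a literal ascii string, so the hyphenated variant is missed
    "Lure.Plain": ascii_to_hex_sig("happy2008.exe"),
    # "http://" {1-64 bytes} "/happy" {0-1 bytes} "2008." then any three bytes
    "Lure.Wild": "687474703a2f2f{1-64}2f6861707079{0-1}323030382e??????",
}

if __name__ == "__main__":
    for label, mail in (("A", MAIL_A), ("B", MAIL_B)):
        print(label, scan(mail, SIGS))
```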

5 comments:

Vess said...

ClamAV is absolute, total, utter crap. The people behind it, although meaning well, don't have the first clue of how to make a proper anti-virus product. At some point some of their "signatures" were complete files infected by a parasitic virus, ferkrissake! (Maybe they still have those; haven't looked recently.)

The only reason why it kinda works is because nowadays really polymorphic viruses aren't widespread. Mostly Trojans are used instead, and an idiotically chosen scan string or even a checksum of the whole file (both approaches are used by ClamAV) will detect them.

Of course, using a known-malware scanner to protect from a family of Trojans that are constructed by using server-side polymorphism is an exercise in futility - but that particular idiocy is not a monopoly of ClamAV; many real AV products are guilty of it, too.

Cd-MaN said...

Who am I to contradict Dr. Bontchev? but I still try :-)

Identifying malware is by no means an easy task if we consider that it must be done in a fast, efficient manner. Why make our tasks harder by trying to expand the problem to its absolute limits and dismissing techniques that work in the "real life" because they have a theoretical limit? If a malware (or better yet - multiple ones) can be identified with a collection of strings, very good! The fact that the same detection would sound an alarm for a program that simply prints those same strings (and thus contains them) is a theoretical problem, while the existence of the malware is a real problem!

In the end the solution to the malware problem or at least the mitigation of it, will have to come, IMHO, by a global knowledge base on the tactics of the bad guys created cooperatively by the "watchers" of the internet (both volunteers and for pay). The current problem (again IMHO) is that (a) there isn't such a system (which might not even need to be ONE system, it could be a collection of systems held together loosely by a search solution) and (b) ISP's have no incentive to track such systems and "clean up" their customers.

kurt wismer said...

@cdman83:
i think vesselin's criticisms stand on their own (complete host files as signatures? yikes) but i understand where he's coming from... compared to more conventional scanners, for the purposes of detecting malware in general clamav sucks... this is something the anti-virus community has known for a long time but the broader security community seems to have never really clued into...

Anonymous said...

i'm no fan of clamav for a number of reasons, and basically agree with vess on this. i created the sigs for myself, mainly as a way to bin/count the propagation emails. that's it. trivial to write sigs for it, but that's hardly an endorsement ...

kurt wismer said...

@jose nazario:
didn't mean to point fingers your way when i said the broader security hadn't clued into clamav's shortcomings... i never really interpreted your post as an endorsement of it... it's just that i have seen many who come from a non-malware background (which excludes you if i'm not mistaken - what with the worm blog and all) singing its praises on many occasions...