From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Show me the Virrii!

Richard Maudsley <r_i_c_h@...penworld.com> wrote:

> I recently finished a stable version of my little Virus-Scanner, LMS ( 
> http://www.mindblock.org/lms ).
> It currently detects 19 viruses. I need it to detect hundreds.

No -- first it needs some serious design reconsideration.

Without even running it -- in fact, without even downloading it -- I 
can see that LMS (like all the other simplistic, useless virus scanners 
out there -- ClamAV, OpenAntiVirus' VirusHammer, etc) is designed on 
the notion that virus detection is a (minor) variation on grep.  The 
contents of your .REF files, which can be viewed here:

   http://www.mindblock.org/refs/

show this quite clearly.

They also show that you have made several of the "classic" AV mistakes, 
suggesting that you have terribly little experience in the AV field and 
very little to no expertise of the sort that is required to run an AV 
project.

For instance, don't you think that it might be a good idea to "obscure" 
the contents of the files that contain the "detection information" used 
by your detection engine?  After all, as you are only doing basic 
string scanning, some of the strings in your detection files (.REF for 
LMS and commonly called .DAT, .DEF, "pattern files", "signature files" 
etc for other scanners) may well also be used as (parts of) detection 
patterns in other scanners which are then liable to false positive on  
your .REF files.  As it is quite unreasonable to assume that other 
developers will automatically know that your .REF files are "safe" it 
is _your_ responsibility to prevent this kind of false positive.  As 
the other AV developers have already done the work and taken suitable 
steps to prevent your scanner making this kind of mistake on their 
.DAT, .DEF, etc files (without you even having to know anything about 
those files of theirs), you should repay the courtesy...

Continuing along this line, it seems highly likely that LMS will false 
positive on its own .REF files.  A simple download and test and sure 
enough, LMS finds 11 malwares in its own lms_s.ref file.

This test was slightly trickier than it should have been to perform as 
I downloaded all files from the LMS web site and transferred them to an 
Internet-isolated test machine.  LMS failed to work, complaining that:

   Pattern files are missing. Please update...

(Actually, it displayed "Pattern files are missing. P" on my test 
machine -- the pre-selected, hard-coded dialog element sizes and non-
resizable interface leave a great deal to be desired...)

Even running the installer version (lmsa.exe) did not occasion the 
creation of the "ref" sub-directory whose absence (and the absence 
therefrom of the lms_?.ref files) was the source of this problem.

Anyway, back to my quick analysis of LMS...

Above I suggested that LMS' .REF files should be obscured in some way 
to prevent other scanners from possibly false alarming on them and said 
that it was unreasonable to expect other developers to know or try to 
detect such files and exclude from scanning, etc.  That implies that 
.REF files have some identifiable format.  They do not.  In fact, it 
seems that apart from being line-oriented .REF files are "formatless" 
and LMS will just blindly suck at whatever is in the files.  This 
(possibly combined with some less than optimal scanning algorithms or 
gnarly design elsewhere in LMS) leaves it open to some pretty ugly DoS 
scenarios.  For example, replacing the first entry in lms_m.ref with a 
100,000 character long string of "A"s then running LMS throws no error 
or anything, but as soon as you try to scan anything LMS starts sucking 
CPU (but not memory) like crazy.  Its interface still responds to a 
click on the Halt ("stop scanning") button, but Task Manager still 
shows lms.exe as using 90+% of the CPU and it continues to do so for as 
long as I can be bothered to leave LMS running in such a state.  In 
this state LMS will also still respond to the standard Windows "close 
application" event.

Similar results are seen if the same kind of munging of the other 
lms_?.ref files is done.

There is little or no apparent sanity checking of .REF files.  For 
example, extra entries can be made in one or more of the files, which 
are happily loaded by LMS.  The only thing that seems to matter is the 
number of entries in lms_s.ref -- the number of patterns the program 
claims to have loaded is based on the count for that file, despite the 
fact that the other files can have widely disparate numbers of entries.

Do you really think you (or anyone) can develop a useful virus scanner 
in 7 to 8 days?  According to your "about" page:

   http://www.mindblock.org/lms/about.htm

LMS "was started on 29.12.03" and on 5 Jan 2004 you posted its 
availability...  Given your stated aims for LMS (also on that page):

   ...to create a small, fast, freeware virus scanner

do not include anything about reliability, accuracy (including lack of 
false positives), completeness and so on, you may well be justified in 
feeling "very pleased with the end result".

We're pleased to note you have a comprehensive QA process in place too:

   ...it looks and responds just as I imagined, which probably means
   it is a decent piece of software.

Do you really think grunt searching for single strings as short as 
eight characters (and presumably even shorter strings are possible??) 
might be the core of a reasonable scanner?

Ohhh, and "Virrii" is a terrible giveaway that you are not really 
serious about this...

> How do big Anti-Virus companies get their hands on new viruses, and how can I?

Serious antivirus companies have networks of contacts -- both with 
their customers, and between their own researchers and analysts and 
those at other AV companies -- that ensure they get more or less 
sufficient samples of "what's out there".  As a "beginner" without good 
hooks into the existing web of trust that supports those existing 
connections.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
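As an added illustration (not LMS code and not part of the post above), this sketch shows the two .REF-file problems the message raises: a grep-style scanner whose signature file holds raw pattern bytes flags its own .REF file, while storing the patterns XOR-obscured and hex-encoded keeps the plaintext off disk, and bounding entry length at load time rejects the 100,000-character entry before scanning starts. The signature strings, the XOR key, the `name:hex` layout and the 8..256 length bounds are all assumptions made for the example.

```python
# Constructed, hypothetical signature strings; not real malware patterns.
SIGNATURES = {
    "Test.Alpha": b"CONSTRUCTED-SIGNATURE-ALPHA",
    "Test.Beta": b"CONSTRUCTED-SIGNATURE-BETA!",
}
MIN_LEN, MAX_LEN = 8, 256   # assumed bounds enforced when loading a .REF file
KEY = 0x5A                   # trivial XOR key: hides the bytes, provides no secrecy

def _xor(data: bytes) -> bytes:
    return bytes(b ^ KEY for b in data)

def write_plain_ref(sigs: dict) -> str:
    """Naive .REF layout: raw pattern text on each line (the weak design)."""
    return "".join(f"{name}:{pat.decode()}\n" for name, pat in sigs.items())

def write_obscured_ref(sigs: dict) -> str:
    """Hardened layout: name:hex(xor(pattern)); the plaintext never hits disk."""
    return "".join(f"{name}:{_xor(pat).hex()}\n" for name, pat in sigs.items())

def load_obscured_ref(text: str) -> dict:
    """Parse and sanity-check a .REF file before any scanning begins."""
    sigs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        name, sep, hexpat = line.partition(":")
        if not sep or not name:
            raise ValueError(f"line {lineno}: malformed entry")
        try:
            pat = _xor(bytes.fromhex(hexpat))
        except ValueError:
            raise ValueError(f"line {lineno}: pattern is not hex")
        if not MIN_LEN <= len(pat) <= MAX_LEN:
            raise ValueError(f"line {lineno}: length {len(pat)} out of range")
        sigs[name] = pat
    return sigs

def ref_is_valid(text: str) -> bool:
    """True if the .REF text passes load-time checks, False otherwise."""
    try:
        load_obscured_ref(text)
        return True
    except ValueError:
        return False

def scan(data: bytes, sigs: dict) -> list:
    """Plain substring scan, as a grep-style engine would do."""
    return sorted(name for name, pat in sigs.items() if pat in data)

def self_scan_hits(ref_writer) -> list:
    """Scan the .REF file produced by ref_writer against its own signatures."""
    return scan(ref_writer(SIGNATURES).encode(), SIGNATURES)
```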