lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6.0.1.1.2.20040104215039.01b4a4c0@mail.btinternet.com>
From: r_i_c_h_lists at btopenworld.com (Richard Maudsley)
Subject: Show me the Virrii!

Hi,

There are not really any virus standards. The only heuristic pattern I have 
at present is for detecting mIRC worms, scanning for the ASCII string 
"mirc.ini" and "Microsoft\Windows\CurrentVersion\Run" - but I am sure there 
are many legit programs out there containing both strings. I'm not really 
sure what to look for in virus's, what do packed Trojans have in common? 
More research I guess.

-Richard Maudsley

Research funnies: The presence of "NetBus" string in all versions of the 
Trojan, including packed files -easy heuristics ;)

At 21:28 04/01/2004, you wrote:
>Hello,
>
>         I believe you could use the following method, it is used by some mail
>servers to block attachments by file type. It is not sure way, but could
>provide a option like "Possible virus".
>
>Here is an example ... take a windows exe file. Better yet take 15
>windows exe files. You will notice that the first part of each file is
>the same. I can not remember how many bits :(
>
>Now some mail servers will scan attachments and if some one renames a
>exe to .zip jpeg or something the system will still know it is a exe
>because of the first X number of bits of the file.
>
>I believe that most viruses work the same way, so a lot of the heuristic
>engines work the same way.
>
>Many "new" viruses work very simular to the way old ones do. So if you
>can get the pattern of lets say 20 viruses (which you have) you should
>be able to detect other viruses or files that may contain a virus based
>on the pattern of the file and how well it relates to a know virus
>pattern.
>
>Michael.
>
>
>
>
>On Sun, 04 Jan 2004 17:01:33 +0000
>Richard Maudsley <r_i_c_h@...penworld.com> wrote:
>
> > Hi list,
> >
> > I recently finished a stable version of my little Virus-Scanner, LMS (
> >
> > http://www.mindblock.org/lms ).
> > It currently detects 19 viruses. I need it to detect hundreds.
> >
> > How do big Anti-Virus companies get their hands on new viruses, and
> > how can I?
> >
> > Thanks,
> >       Richard Maudsley
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>--
>Hand over the Slackware CD's and back AWAY from the computer, your geek
>rights have been revoked !!!
>
>Michael Gale
>Slackware user :)
>Bluesuperman.com
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ