lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6.0.1.1.2.20040107171613.01bb51a8@mail.btinternet.com>
From: r_i_c_h_lists at btopenworld.com (Richard Maudsley)
Subject: Show me the Virrii!

I appreciate your comments (critical as they may be), I see that you work 
for an AV company, and you are right, I have no experience in the AV field; 
the reason being, I'm a kid - never worked in my life. The fact that an 
expert even bothered to download and test my program is brilliant!

Maybe you could arrange some work experience? Show me how the "experts" do it.

-Richard Maudsley

At 11:45 07/01/2004, you wrote:
>Richard Maudsley <r_i_c_h@...penworld.com> wrote:
>
> > I recently finished a stable version of my little Virus-Scanner, LMS (
> > http://www.mindblock.org/lms ).
> > It currently detects 19 viruses. I need it to detect hundreds.
>
>No -- first it needs some serious design reconsideration.
>
>Without even running it -- in fact, without even downloading it -- I
>can see that LMS (like all the other simplistic, useless virus scanenrs
>out there -- ClamAV, OpenAntiVirus' VirusHammer, etc) is designed on
>the notion that virus detection is a (minor) variation on grep.  The
>contents of your .REF files, which can be viewed here:
>
>    http://www.mindblock.org/refs/
>
>show this quite clearly.
>
>They also show that you have made several of the "classic" AV mistakes,
>suggesting that you have terribly little experience in the AV field and
>very little to no expertise of the sort that is required to run an AV
>project.
>
>For instance, don't you think that it might be a good idea to "obscure"
>the contents of the files that contain the "detection information" used
>by your detection engine?  After all, as you are only doing basic
>string scanning, some of the strings in your detection files (.REF for
>LMS and commonly called .DAT, .DEF, "pattern files", "signature files"
>etc for other scanners) may well also be used as (parts of) detection
>patterns in other scanners which are then liable to false positive on
>your .REF files.  As it is quite unreasonable to assume that other
>developers will automatically know that your .REF files are "safe" it
>is _your_ responsibility to prevent this kind of flase positive.  As
>the other AV developers have already done the work and taken suitable
>steps to prevent your scanner making this kind of mistake on their
>.DAT, .DEF, etc files (without you even having to know anything about
>those files of theirs, you should repay the courtesy...
>
>Continuing along this line, it seems highly likely that LMS will false
>positive on its own .REF files.  A simple download and test and sure
>enough, LMS finds 11 malwares in its own lms_s.ref file.
>
>This test was slightly trickier than it should have been to perform as
>I downloaded all files from the LMS web site and transferred them to an
>Internet-isolated test machine.  LMS failed to work, complaining that:
>
>    Pattern files are missing. Please update...
>
>(Actually, it displayed "Pattern files are missing. P" on my test
>machine -- the pre-selected, hard-coded dialog element sizes and non-
>resizable interface leave a great deal to be desired...)
>
>Even running the installer version (lmsa.exe) did not occasion the
>creation of the "ref" sub-directory whose absence (and the absence
>therefrom of the lms_?.ref files) was the source of this problem.
>
>Anyway, back to my quick analysis of LMS...
>
>Above I suggested that LMS' .REF files should be obscured in some way
>to prevent other scanners from possibly false alarming on them and said
>that it was unreasonable to expect other developers to know or try to
>detect such files and exclude from scanning, etc.  That implies that
>.REF files have some identifiable format.  They do not.  In fact, it
>seems that apart from being line-oriented .REF files are "formatless"
>and LMS will just blindly suck at whatever is in the files.  This
>(possibly combined with some less than optimal scanning algortihms or
>gnarly design elsewhere in LMS) leaves it open to some pretty ugly DoS
>scenarios.  For example, replacing the first entry in lms_m.ref with a
>100,000 character long string of "A"s then running LMS throws no error
>or anything, but as soon as you try to scan anything LMS starts sucking
>CPU (but not memory) like crazy.  Its interface still responds to a
>click on the Halt ("stop scanning") button, but Task Manager still
>shows lms.exe as using 90+% of the CPU and it continues to do so for as
>long as I can be bothered to leave LMS running in such a state.  In
>this state LMS will also still respond to the standard Windows "close
>application" event.
>
>Similar results are seen if the same kind of munging of the other
>lms_?.ref files is done.
>
>There is little or no apparent sanity checking of .REF files.  For
>example, extra entries can be made in one or more of the files, which
>are happily loaded by LMS.  The only thing that seems to matter is the
>number of entries in lms_s.ref -- the number of patterns the program
>claims to have loaded is based on the count for that file, despite the
>fact that the other files can have widely disparate numbers of entries.
>
>Do you really think you (or anyone) can develop a useful virus scanner
>in 7 to 8 days?  According to your "about" page:
>
>    http://www.mindblock.org/lms/about.htm
>
>LMS "was started on 29.12.03" and on 5 Jan 2004 you posted its
>availability...  Given your stated aims for LMS (also on that page):
>
>    ...to create a small, fast, freeware virus scanner
>
>do not include anything about reliability, accuracy (including lack of
>false positives), completeness and so on, you may well be justified in
>feeling "very pleased with the end result".
>
>We're pleased to note you have a comprehensive QA process in place too:
>
>    ...it looks and responds just as I imagined, which probably means
>    it is a decent piece of software.
>
>Do you really think grunt searching for single strings as short as
>eight characters (and presumably even shorter strings are possible??)
>might be the core of a reasonable scanner?
>
>Ohhh, and "Virrii" is a terrible giveaway that you are not really
>serious about this...
>
> > How do big Anti-Virus companies get their hands on new viruses, and how 
> can I?
>
>Serious antivirus companies have networks of contacts -- both with
>their customers, and between their own researchers and analysts and
>those at other AV companies -- that ensure they get more or less
>sufficient samples of "what's out there".  As a "beginner" without good
>hooks into the existing web of trust that supports those existing
>connections.
>
>
>--
>Nick FitzGerald
>Computer Virus Consulting Ltd.
>Ph/FAX: +64 3 3529854
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ