How do companys like semantic identify so many new viruses?
Results 1 to 7 of 7

Thread: How do companys like semantic identify so many new viruses?

  1. #1
    Member
    Join Date
    Aug 2003
    Posts
    30

    Question How do companys like semantic identify so many new viruses?

    I read on some sites that they are detecting so many new viruses per day. How do they discover all these new viruses and worms? Do they have servers set up signed up to all sorts of mailing list and then filter through them for malicious code? I have always wondered about this. Anyone have any ideas?

  2. #2
    BIOS Bomber
    Join Date
    Jul 2003
    Location
    Michigan
    Posts
    357
    Well, I do not work for one of them, but Im thinking they go and do searches for Viruses online like any script kiddie could. Also most viruses have something in the source code that shows they are a bad proggie. Antivirus people find the "engines" the viruses use and write to find them. Also I think some may just write them themselves so people continue to buy the product. And also I think you are right about the mailing lists. Any company worth there code would want to know as soon as possible when a new one was released or written so they would be the first to protect against it and therefore gain more money from people buying the product they offer instead of a competitor. Lets not forget though, if more people used Linux than Windows we Tuxers would probably be dealing with more viruses as well. If you wrote a virus and wanted to make an impact, you would target the platform that most use. Well, Windows is what most people use, and some people honestly think all computers run Windows. So in short, Windows, which already has a not to good security model up untill recently, is targeted. Wow that was a long post, sorry about that.
    "When in doubt, use Brute Force."

    Never argue with an idiot. They'll drag you down to their level, then beat you with experience.

  3. #3
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Their scanning program looks for virus like activity. When it finds something that looks like one of its virus signatures, it captures that file in a quarantine. Then you can choose whether to send the file to Symantec or not.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    472
    They also rely on users submitting malicious as files...and analysing them
    guru@linux:~> who I grep -i blonde I talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  5. #5
    Member
    Join Date
    Aug 2003
    Posts
    49
    Many elite universitys have classes where they create viruses but are supposed to destroy them on disk by using a simple microwave so they are not to be exposed to the world wide web but the ones that get out im sure they report after they see this they report new viruses to such companys


    this can account for some
    Spread Firefox.

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Curiously enough, many of the viruses that they have signatures for were actually sent to them by the authors.

    In a lot of cases, the viruses never get out "into the wild" - the authors just do it for kudos

    I don't work for an AV company, but I have spoken to people who do.

    Slarty

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    AV companies pan through source code looking for something that is "static" so they can build a signature for it (if they aren't given the signature upfront by the authur).

    The AV realtime engine sits at the application layer (typically as a process) and intercepts all read to memory and write to disk calls and determines if they match any signature that the AV engine has. If not, then it lets the operation take place, if it matches, then it performs the actions setup by the user (clean, delete, quarentine, etc.). However, if a virus manages to infect a box before the signature update is done, then get ready to use a manual removal tool to get rid of it. Many of the latest viruses are aware of how AV engines operate and they have incorporated methods of remaining on the box even when they have been identified by the AV engine.

    The other method that AV engines use is hueristics. These are (usually) complex calculations that are used to determine if a series of seemingly normal behaviors are actually the work of a virus. While they are neat and sometimes handy, I find that they generate more false positives than I like to see.

    This is a pretty basic explanation of the process, but it is enough to give you an understanding.

    Hope this helps!

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •