Malware Sig Structure

[Soda_Popinsky]

I've got one thread rockin' over here:
http://www.antionline.com/showthread...112#post782112

I made this one to help fill in some of the holes. How are malware definitions built? They have to be more than just a checksum. Also, is it possible to hack a definition file, like the adaware reference file, or the Norton signatures to see how they identify a certain piece of malware?

I would guess that the scanner reads a file, and compares it to some sort of list of entries. But what would the entry contain? And if polymorphism is involved, what would the def look like?

Google doesn't know, but I was wondering if someone could mess around with the adaware reference file and possibly notice if it's possible at all to reverse engineer it.

AA Reference file attached

Thanks

[helplesslyhopin]

keep in mind Soda that reverse enginnering an AdAware's ref file might not be quite a kosher thing to do.. at least not to the point where one would use it for an open source project..

also, as you probably know.. there have been a number of "spyware killer" programs that have come out based upon "hacked code" from either adaware or spybot.. nothing irks me more that someone trying to make money off of something that already is free and fairly near the best one can get (freebie wise) to clean spyware..

I have been checking out that app that groov posted in his CWS about blank manual removal thread.. it's called Prevx.. not bad from the looks of it but I would like to find some malware sites to see how well it does.. I know I could go to a porn site or two or to some crack site.

that's what we need.. a database of known malware sites to test our tools on.

[groovicus]

Try this list here:
http://users.skynet.be/bk136527/CWS/CWSdomains.htm

That should keep you busy...I would recommend using a junk system. You will get infected

[Soda_Popinsky]

Reverse engineering isn't important.. It's how they are built is what is important to me. I'd like to know how they organize them, how the sig identifies malware from one to another, and such. Reverse engineering isn't important if I can find another way.

[hobbdebub]

You really got me thinking and searching on this one Soda. It seems strange but there are no open source adware/spyware scanners. Well, I did find this on Source forge but nothing has been released for it yet. Do you think that maybe they work like virus scanners do? I know that they work by taking the signature and compare it to a database and check your files and memory for any instances of it or something that looks like it. I know that with adware registry values seem to be a big thing. If you really wanted to see how the adware works sort of get in its head so to speak maybe we could all collectively code up a piece of malware and disect it. Anyone interested? I know we have a bunch of skilled coders here. If I find anything out I will report back.

[Soda_Popinsky]

So far it seems that whatever is unique for a certain subject, it is used as a definition. I've been researching a lil' bit too. If a file has a common MD5, then that is used. If it is polymorphic, but the first 10 bytes and file size are common, then that is used. As far as I'm concerned, standardizing signatures with static malware is easy, no problem. Heuristics, OTOH, are a biyatch. The only thing I can think of are signatures that send instructions to the scanner, but then 2 things side effect, malicious definitions and slow scanning. I fear the worm that uses extensive code from hydan.

Malware in general uses reg values, adware for the BHO's and virii for startup methods. Malware isn't really a challenge to code, it's the vector that is. Exploiting IE or outlook is a daunting task, all jokes aside. Right now, it seems to be a fight between static malware and static signatures. Polymorphic malware is simple and easy to concept, heuristic scanning, is extremely hard. Hard because it's slow, can false positive, and isn't 100% accurate.