Signature Quality

Discussion in 'other anti-virus software' started by rerun2, May 15, 2004.

Thread Status:
Not open for further replies.
  1. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Reading the thread about "Hardest AVs to fool" quite closely...

    I had some questions of my own...

    What determines quality signatures? I am mostly talking about the signatures for specific types of malware (i.e. not including heuristics and memory scanning). I hear the AT ewido security suite uses very good signatures. How is this determined?

    Is there any way to grade the performance of each AV as far as quality signatures are concerned? Can testing be done to see the signature quality of an AV? I read of one thread at DSLR where Andreas Haak attempted this sort of test with hex edited samples. Is this reliable testing?
     
  2. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    Hi,

    Basic requirements for a sig. are:

    - Should be present in any version of the malware (especially true for the backdoors/trojans whose configuration - listening port, notification address, etc. - can be edited);

    - Should not be present in any clean file (no false positives). This is why a signature can consist of one or several offsets plus the first few bytes supposed to be found at these offsets and/or a hash of the following bytes.

    Then, it should not be bypassed too easily (but I doubt all AV developers actually consider that malware patching/hexing is an issue, although it is clear that it is more and more widely used by those that propagate trojan horses), then, I'd say:

    - The piece of code involved should be "vital" for the malware: if it is replaced by something else that does not have the same effect, the program should not work.

    - The sig. should not contain ASCII strings that could be changed (most basic hexing consists in changing some cleartext strings from lowercase to uppercase, or the opposite);

    - It should be "rebasing-proof", that is, it should not contain absolute addresses (see http://home.arcor.de/scheinsicherheit/rebasing.htm);

    - The offset of the signature should not be in the form "@ entry point", since it is easy to change the offset of the entry point in the PE header in such a way that it will point to an instruction (added by the "hacker") pointing itself to the original entry point.

    - It should not contain instructions that can be replaced too easily by equivalent instructions (same meaning) of same length (same number of bytes in the binary file).

    Moreover, if the malware is usually found in a packed form (by a runtime packer such as UPX/ASPack/FSG), it's better if it is picked from an unpacked version of the malware and that the AV contains an unpacking engine able to unpack the malware.
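Added example (editor's illustration, not code from the thread or from any AV product): a minimal "offset + first bytes + hash of the following bytes" signature as Tweakie describes it, plus a small linter that flags two of the weaknesses listed above, a cleartext ASCII run inside the signed bytes and a little-endian dword that falls inside the image's address range (i.e. an absolute address, so not rebasing-proof). The sample binary, the image base/size and the 4-byte "string" threshold are all constructed assumptions for the demo, and the address check is a heuristic that can misfire on arbitrary bytes.

```python
"""Offset/prefix/hash signatures and a robustness linter (constructed example)."""
import hashlib
import struct
from dataclasses import dataclass

PRINTABLE = set(range(0x20, 0x7F))  # bytes that read as cleartext


@dataclass(frozen=True)
class Signature:
    offset: int     # file offset the pattern is anchored at
    prefix: bytes   # raw bytes expected at that offset (cheap pre-check)
    hash_len: int   # number of bytes after the prefix covered by the hash
    digest: str     # sha256 hex digest of those hash_len bytes


def make_signature(sample: bytes, offset: int, prefix_len: int, hash_len: int) -> Signature:
    """Extract a signature from a known sample at a fixed file offset."""
    prefix = sample[offset:offset + prefix_len]
    tail = sample[offset + prefix_len:offset + prefix_len + hash_len]
    if len(prefix) != prefix_len or len(tail) != hash_len:
        raise ValueError("sample too short for the requested signature")
    return Signature(offset, prefix, hash_len, hashlib.sha256(tail).hexdigest())


def matches(sig: Signature, data: bytes) -> bool:
    """Compare the prefix first; only hash when the prefix already matches."""
    start = sig.offset
    if data[start:start + len(sig.prefix)] != sig.prefix:
        return False
    tail = data[start + len(sig.prefix):start + len(sig.prefix) + sig.hash_len]
    return len(tail) == sig.hash_len and hashlib.sha256(tail).hexdigest() == sig.digest


def quality_warnings(sig: Signature, sample: bytes, image_base: int = 0x400000,
                     image_size: int = 0x100000, min_ascii_run: int = 4) -> list[str]:
    """Flag signature bytes likely to change between builds or trivial edits."""
    region = sample[sig.offset:sig.offset + len(sig.prefix) + sig.hash_len]
    warnings = []
    # 1. cleartext strings: a case change leaves behaviour intact but breaks the sig
    run = 0
    for b in region:
        run = run + 1 if b in PRINTABLE else 0
        if run == min_ascii_run:
            warnings.append("contains a printable ASCII run (cleartext string)")
            break
    # 2. absolute addresses: any dword (at any alignment) inside the image range
    for i in range(len(region) - 3):
        (val,) = struct.unpack_from("<I", region, i)
        if image_base <= val < image_base + image_size:
            warnings.append(f"contains absolute address 0x{val:08x} (not rebasing-proof)")
            break
    return warnings


# Constructed pseudo-binary: a short x86 prologue/epilogue, a cleartext
# notification address, then "push imm32; call rel32" carrying an absolute address.
CODE = bytes.fromhex("5589e583ec1031c0c9c3")   # push ebp; mov ebp,esp; sub esp,0x10; xor eax,eax; leave; ret
STRING = b"notify@example.invalid\x00"          # 23 bytes at offset 10
ABS = b"\x68" + struct.pack("<I", 0x00403010) + b"\xe8" + b"\x00\x00\x00\x00"  # at offset 33
SAMPLE = CODE + STRING + ABS

GOOD = make_signature(SAMPLE, 0, 4, 6)          # anchored in real code, no strings/addresses
BAD_STRING = make_signature(SAMPLE, 10, 4, 8)   # anchored in the cleartext string
BAD_ADDR = make_signature(SAMPLE, 33, 1, 9)     # covers the push imm32 operand

# A constructed variant where only the case of the string was changed.
CASE_VARIANT = SAMPLE[:10] + SAMPLE[10:33].upper() + SAMPLE[33:]

if __name__ == "__main__":
    for name, sig in (("GOOD", GOOD), ("BAD_STRING", BAD_STRING), ("BAD_ADDR", BAD_ADDR)):
        print(name, "matches original:", matches(sig, SAMPLE),
              "| matches case variant:", matches(sig, CASE_VARIANT),
              "| warnings:", quality_warnings(sig, SAMPLE))
```

All three signatures fire on the original sample; only the one anchored in code still fires on the case-changed variant, and the linter already pointed at the other two before any variant existed, which is the kind of check an analyst can run on a candidate signature before shipping it.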
     
  3. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Thank you very much for the reply :)

    Obviously a lot goes into producing quality signatures.
     