RE: [Full-Disclosure] Show me the Virrii!

From: Nick FitzGerald (
Date: 01/07/04

  • Next message: Nick FitzGerald: "RE: [Full-Disclosure] Show me the Virrii!"
    Date: Thu, 08 Jan 2004 00:45:02 +1300

    Steve Wray <> replied to S G Masood:

    > > 4. When their heuristic engines pick up new viruses
    > > automatically, they usually have some kind of an
    > ...
    > Does anyone have reliable reports of an antivirus system firing
    > off on a heuristic?
    > I'm not aware of ever having seen one; always seems to be a
    > signature.

    Well, the answer may depend on precisely how you choose to define
    "firing off", "heuristic" and "signature"... Regardless, apart from
    what would be ridiculously limited definitions of those terms, I am
    sure I could answer "yes, all the time".

    The sophist in me wishes to point out that _any_ detection based on
    "identifying data" smaller than the object to be detected is
    necessarily "heuristic". For example, consider the simplest case of
    malware detection -- identifying a single, complete file (be it a
    Trojan Horse, monolithic replicating virus or what have you) -- and the
    simple detection method for such static targets (albeit possibly
    impractable for real-world, realtime use) of comparing a cryptographic
    hash of the entire file contents with a list of such hashes for all
    known static malware targets. Although triflingly small, there is
    always a larger than 0% probability of false positives due to the
    heuristic assumption that this probability is "low enough" for everyday
    use. Note that I am not denying the usefulness of such a heuristic in
    much everyday malware scanning. Rather, I am pointing out that such
    detection methods _are_ heuristic in nature despite the fact they are
    often considered deterministic.

    Of course, all manner of further simplifications of this basic approach
    -- from the crudest of simple short sub-string matches through the
    sometimes hugely elegant evaluations of code emulator outputs --
    commonly used in varying numbers and forms in all currently
    "successful" virus scanners are equally clearly "heuristic" in this

    However, let's accept for now that by "heuristic" we mean detection
    methods much "looser" and much less deterministic than comparison of
    cyrptographic file hashes. Many scanners have emulators, code
    analysers, groups of detection strings indicative of functionality that
    typically falls together in malware and seldom is seen together in
    "legitimate" programs and so on. These make detections of previously
    unseen malware all the time. Further, some products have (to varying
    degrees) eschewed the notion that precise identification is the be all
    and end all of malware detection, with the developers deliberately
    making their product's detection of known and analysed malware quite
    "loose". The point of such "sloppy" deetction is that it will, by and
    large, detect new and previosuly unseen malware variants while not
    detecting non-malware programs.

    All this leads to continual "heuristic" detections. Of course, in some
    products these heuristic detections may not seem like such unless you
    know what to look for. For example, NAI's (aka McAfee) detection
    engine uses a lot of "generic" detection drivers. In effect these work
    by being able to detect a large number of specific variants of a known
    malware family (handy when different disinfection and system restore
    information is necessary for different variants), but also have a
    notion of a code profile (my term, for lack of a better one) for the
    family in question. Many new variants are thus detected by the
    "profile" rather than by information pertinent to a specific variant.
    The engine may report many (or even all -- someone from NAI may wish to
    step in and help me here...) of the detections from such a driver as
    "<family_name>.gen" despite the fact the disinfection engine will know
    the right thing to do for any specifically detected variants.

    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    Full-Disclosure - We believe in it.

  • Next message: Nick FitzGerald: "RE: [Full-Disclosure] Show me the Virrii!"

    Relevant Pages