Re: WallWatcher - Spyware?

From: B. R. 'BeAr' Ederson (br.ederson_at_expires-2004-09-30.arcornews.de)
Date: 09/25/04


Date: Sat, 25 Sep 2004 08:35:31 +0200

On 19 Sep 2004 20:01:31 -0700, Dan Tseng - WallWatcher author wrote:

> When I wrote mainframe code in the '60's (aha! an old man!), it was
> all in Assembler or even machine language, so it would have been
> possible to experimentally change things here and there until the
> virus detectors stopped complaining, and then know what part of the
> code was triggering the problem. Thereafter, it would have been
> possible (not easy) to deliberately avoid that sequence of
> instructions in the future.

If you're just curious, you can still do the same as you did in the 'old
days'. There is no need for the copy of WW you test the AV software
against to be a working one. If I'm not entirely mistaken, you'll find
that even heuristic identification of malware is mostly based on the
analysis of code snippets.

So you can still change a couple of bytes to test the AV software.
After you have found the suspicious code region, you have to use a
disassembler (on your own program ;-) ) to find the underlying
function calls.

Another first clue could be a binary comparison of suspicious and
closely related versions. (As long as there were not too many changes.)
With high-level programs it's always a good idea to compare only
sections of the whole file.

But anyway. It is an APITA way. And nothing you should try out unless
you are *very* interested in the cause of the false positives.
Your *responsibility* in this situation is exhausted by being helpful
with requests from the AV vendors. IMHO.

BeAr

-- 
===========================================================================
= What do you mean with: "Perfection is always an illusion"?              =
===============================================================--(Oops!)===
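The "compare only sections" idea from the post above, as an added worked example (this is not BeAr's or the WallWatcher author's code). It compares two builds of the same binary, merges nearby byte differences into regions so a recompiled function shows up as one entry, and attributes each region to the section it falls in. The section table and the two "builds" are constructed sample data, not real executables; a real use would read the section table from the file's own headers.

```python
"""Section-wise binary comparison of two builds (added example, constructed data)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass
class DiffRegion:
    start: int        # offset of the first differing byte
    end: int          # one past the last differing byte
    old_sha256: str   # hash of the old bytes in this region
    new_sha256: str   # hash of the new bytes in this region


def find_diff_regions(old: bytes, new: bytes, gap: int = 16) -> list[DiffRegion]:
    """Return contiguous regions where `old` and `new` differ.

    Differences closer than `gap` bytes are merged into one region, so a
    changed function is reported once rather than as dozens of single-byte
    hits.  If the files have different lengths, the tail is one region.
    """
    n = min(len(old), len(new))
    spans: list[tuple[int, int]] = []
    i = 0
    while i < n:
        if old[i] == new[i]:
            i += 1
            continue
        start = last = i
        while i < n:
            if old[i] != new[i]:
                last = i
                i += 1
            elif i - last <= gap:      # equal byte, but still within the merge window
                i += 1
            else:
                break
        spans.append((start, last + 1))
    if len(old) != len(new):
        tail = (n, max(len(old), len(new)))
        if spans and tail[0] - spans[-1][1] <= gap:
            spans[-1] = (spans[-1][0], tail[1])
        else:
            spans.append(tail)
    return [
        DiffRegion(s, e,
                   hashlib.sha256(old[s:e]).hexdigest(),
                   hashlib.sha256(new[s:e]).hexdigest())
        for s, e in spans
    ]


def label_regions(regions: list[DiffRegion],
                  sections: list[tuple[str, int, int]]) -> list[tuple[int, int, list[str]]]:
    """Attach section names to each region.  A region is attributed to every
    section it overlaps, so a change straddling a boundary is not lost."""
    out = []
    for r in regions:
        names = [name for name, s, size in sections if r.start < s + size and r.end > s]
        out.append((r.start, r.end, names))
    return out


def changed_sections(old: bytes, new: bytes,
                     sections: list[tuple[str, int, int]]) -> dict[str, int]:
    """Count changed regions per section: the first clue for where to look."""
    counts: dict[str, int] = {}
    for _, _, names in label_regions(find_diff_regions(old, new), sections):
        for name in names:
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample "builds" (hypothetical layout, not a real PE file):
# a 64-byte header, a 128-byte code section and a 64-byte data section.
HEADER = b"MZ" + bytes(62)
CODE_OLD = bytes(range(128))
DATA_OLD = b"config=1;" + bytes(55)
OLD_BUILD = HEADER + CODE_OLD + DATA_OLD

_code_new = bytearray(CODE_OLD)
_code_new[10] ^= 0xFF          # two patches close together -> one region
_code_new[12] ^= 0xFF
_code_new[40] ^= 0xFF          # far enough away -> its own region
_data_new = bytearray(DATA_OLD)
_data_new[7] = ord("2")        # one byte changed in data
NEW_BUILD = HEADER + bytes(_code_new) + bytes(_data_new)

# (name, file offset, size) - constructed section table
SECTIONS = [("header", 0, 64), (".text", 64, 128), (".data", 192, 64)]

if __name__ == "__main__":
    for start, end, names in label_regions(find_diff_regions(OLD_BUILD, NEW_BUILD), SECTIONS):
        print(f"{start:#08x}-{end:#08x} in {names}")
    print(changed_sections(OLD_BUILD, NEW_BUILD, SECTIONS))
```

The merge window (`gap`) is the knob worth thinking about: too small and a single recompiled function splinters into many hits, too large and unrelated changes in adjacent functions get lumped together. Comparing per section, as the post suggests, also keeps a changed data section from being mistaken for a code change.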