On Friday, November 27, 2015 at 9:37:12 AM UTC+8, FromTheRafters wrote:
I thank you for the "repo" link; it suggested a lot.
I also code for fun (I do demos of stuff that I want built, then generally hand it over to professional programmers; C# is my language), and I'm amazed at how much faster an optimized program is over a non-optimized program (10-100x, and I do try and optimize code).
So my next question is: how do AV scanners scan so fast? Do they have a special "emulator sandbox" that will try and 'run' a suspected piece of malware? I doubt it, since if so, the virus writer will defeat such an emulator by simply introducing delay into their malware, such as by having the malware 'wait' 5 seconds before doing anything; this will defeat an emulator sandbox since time is of the essence and time = money, so no time can be wasted by AV companies.
I think therefore the AV companies rely on SHA fingerprints, and use a lookup table or dictionary to see if there's an infection, with 'new' malware updated hourly, daily, by the AV company. Below is also a disclaimer from the article linked to that suggests there's other things not mentioned.
Long story short: I don't think 'polymorphic' malware is easy to detect, and I doubt AV companies spend much time trying to; rather, they go for 'center mass' and detect 'common' viruses that have an easy-to-detect digital fingerprint, then the AV companies broadcast the daily 'solution' to such 'common' badware. It's quick and dirty, and for most people 'good enough'. That's probably why you should do daily backups of important files.
I also think that's how Stuxnet and other such viruses are propagated: unless and until such badware becomes "popular" (infects enough machines to get on the radar screen of the AV companies), it remains undetectable.
RL
The article is not an attempt at a complete description of Virut.ce, nor is it intended to be. We could have gone deeper into how the virus communicates with the IRC server, or examined more closely the details of how files are infected, but this time we deliberately dwelt on Virut's basic mechanisms. Additionally, publishing a detailed description of the anti-emulation techniques would be irresponsible as malware writers could then exploit this information.
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
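To make the fingerprint-lookup model discussed in the post concrete, here is an added Python example (not from the post or the linked article): a toy SHA-256 lookup beside a simple byte-pattern signature, run over constructed byte strings that stand in for a known sample, a padding-only variant and an encoded variant. The family name, marker bytes and samples are all made up; the point is which variant each method still catches.

```python
import hashlib
from typing import Dict, Optional

# Constructed stand-ins for files (plain bytes, not real malware).
HEADER = b"\x4d\x5a\x90\x00"                 # constructed header bytes
MARKER = b"PAYLOAD-MARKER-1234"              # constructed "fingerprintable" region
KNOWN_SAMPLE = HEADER + MARKER + b"\x00" * 16          # the sample the vendor has seen
PADDING_VARIANT = HEADER + MARKER + b"\x90" * 16       # same code, different padding
ENCODED_VARIANT = HEADER + bytes(b ^ 0x5A for b in MARKER) + b"\x00" * 16  # marker XOR-encoded


def fingerprint(data: bytes) -> str:
    """Exact SHA-256 fingerprint: the lookup key the post describes."""
    return hashlib.sha256(data).hexdigest()


# Toy signature databases, keyed by hash and by byte pattern respectively.
HASH_DB: Dict[str, str] = {fingerprint(KNOWN_SAMPLE): "Constructed.Family.A"}
PATTERN_DB: Dict[bytes, str] = {MARKER: "Constructed.Family.A"}


def scan_by_hash(data: bytes) -> Optional[str]:
    """Exact-match lookup: fast, but any single changed byte gives a new hash."""
    return HASH_DB.get(fingerprint(data))


def scan_by_pattern(data: bytes) -> Optional[str]:
    """Byte-pattern lookup: survives changes outside the pattern, not inside it."""
    for pattern, family in PATTERN_DB.items():
        if pattern in data:
            return family
    return None


def scan(data: bytes) -> Dict[str, Optional[str]]:
    """Run both methods so the reader can compare their coverage on one input."""
    return {"hash": scan_by_hash(data), "pattern": scan_by_pattern(data)}


if __name__ == "__main__":
    for name, sample in [("known", KNOWN_SAMPLE), ("padding", PADDING_VARIANT),
                         ("encoded", ENCODED_VARIANT)]:
        print(name, scan(sample))
```

The padding-only variant already slips past the exact hash, and the encoded variant slips past both, which is the gap the post's "polymorphic malware is hard to detect" remark points at.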