Detecting Virus

Apr 17, 2008 at 12:34 PM
Hi,
I downloaded and ran your code. I cannot understand the virus detection algorithm. Can you give more detail? I cannot find a valid signature-finding function. Thanks.
Coordinator
Apr 18, 2008 at 2:37 AM

erguno wrote:
Hi,
I downloaded and ran your code. I cannot understand the virus detection algorithm. Can you give more detail? I cannot find a valid signature-finding function. Thanks.

It's simple: you take your malware and it hashes the file. By default it splits the file up into 10 sections and hashes each section, so if somebody modified the malware for their purposes, they would have to modify all 10 sections for the malware not to get detected. You can change the default value of 10 to a higher value for redundancy, but if the value is too high and the file gets split up in too many places, then other programs that could be legitimate will get detected as malware.
Here's an example: I have a variant of Smitfraud that I add to the VirusDatabase, such as WinAntivirus Pro or Driver Cleaner. After adding either of these programs to the database, other variants of Smitfraud such as AntiVirGear will also get detected, because they are essentially the same program, only slightly modified.
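An added example of the scheme the Coordinator describes (my own illustration in Python, not the project's C# code): split a file into 10 sections, hash each one, store the hashes for known samples, and flag any file that shares a section hash with a known sample. The sample "files" are constructed byte strings, not real malware, and `make_sample`, `touch_every_section`, `low_information` and its `min_distinct` threshold are my assumptions, not features of the post's program; SHA-256 is also my choice, since the post does not name the hash. The rebranded variant stays detected because only one of its sections changed, while the benign file shows the false-positive risk the Coordinator mentions: both files end in identical zero padding, so one stored section hash is a hash of nothing distinctive.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

SECTIONS = 10  # the post's default: split each file into 10 pieces


def split_sections(data: bytes, sections: int = SECTIONS) -> List[bytes]:
    """Cut data into `sections` equal-sized chunks (the last may be shorter)."""
    if sections < 1:
        raise ValueError("sections must be at least 1")
    size = max(1, -(-len(data) // sections))  # ceiling division
    return [data[i:i + size] for i in range(0, len(data), size)]


def low_information(chunk: bytes, min_distinct: int = 4) -> bool:
    """Assumed filter (not in the post): a chunk built from only a few distinct
    byte values, e.g. zero padding, is shared by many unrelated files and would
    make a useless, false-positive-prone signature."""
    return len(set(chunk)) < min_distinct


def build_database(samples: Dict[str, bytes], sections: int = SECTIONS,
                   skip_low_info: bool = True) -> Dict[str, str]:
    """Map the SHA-256 of every section of every known-bad sample to its family."""
    db: Dict[str, str] = {}
    for name, data in samples.items():
        for chunk in split_sections(data, sections):
            if skip_low_info and low_information(chunk):
                continue
            db.setdefault(hashlib.sha256(chunk).hexdigest(), name)
    return db


def scan(data: bytes, db: Dict[str, str],
         sections: int = SECTIONS) -> Tuple[Optional[str], int]:
    """Hash the file's sections and look each one up. Returns (family, hits):
    the family with the most matching sections, or (None, 0) if none matched."""
    hits = []
    for chunk in split_sections(data, sections):
        name = db.get(hashlib.sha256(chunk).hexdigest())
        if name is not None:
            hits.append(name)
    if not hits:
        return None, 0
    best = max(set(hits), key=hits.count)
    return best, hits.count(best)


# --- constructed sample "files" (stand-ins, not real malware) -------------------

def make_sample(product: bytes, seed: int, total: int = 200, pad: int = 40) -> bytes:
    """Fake executable: a product string, deterministic pseudo-random 'code'
    bytes, then a run of zero padding like the slack at the end of a section."""
    filler_len = total - pad - len(product)
    filler = bytes((seed + 37 * i) % 256 for i in range(filler_len))
    return product + filler + b"\x00" * pad


def touch_every_section(data: bytes, sections: int = SECTIONS) -> bytes:
    """Flip one byte in every section: the rewrite an attacker needs to evade."""
    return b"".join(bytes([c[0] ^ 0x01]) + c[1:]
                    for c in split_sections(data, sections))


MALWARE = make_sample(b"WinAntivirus Pro", seed=5)
VARIANT = MALWARE.replace(b"WinAntivirus Pro", b"AntiVirGear v1.0", 1)  # rebranded
BENIGN = make_sample(b"Notepad clone 2.0", seed=200)  # unrelated, same zero padding
EVASION = touch_every_section(MALWARE)

NAIVE_DB = build_database({"smitfraud": MALWARE}, skip_low_info=False)
FILTERED_DB = build_database({"smitfraud": MALWARE})

if __name__ == "__main__":
    for label, sample in [("original", MALWARE), ("rebranded variant", VARIANT),
                          ("benign file", BENIGN), ("every-section rewrite", EVASION)]:
        print(f"{label:22s} naive={scan(sample, NAIVE_DB)} "
              f"filtered={scan(sample, FILTERED_DB)}")
```

With the naive database the benign file is reported as Smitfraud on the strength of its two zero-padding sections, which is exactly the "legitimate programs get detected" failure the post warns about; dropping low-information sections before storing them removes that hit while the rebranded variant is still caught on the sections that did not change. The last case shows the flip side: a file whose every section has been touched matches nothing, so raising the section count only helps until the attacker rewrites at that granularity too.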
Coordinator
Apr 18, 2008 at 2:41 AM
Edited Apr 18, 2008 at 2:46 AM
Just as a side note, the program still needs a lot of work. I need help implementing memory scanning and an unpacking routine, and of course I need a lot of help to actually create a database that competes with the likes of Norton and McAfee. My biggest goal is to push junk like Norton off the market :P. I have this vision of 100 or 1000 employees using my program from 8:00 to 5:00 to easily dissect and create a definition for today's malware. Actually, to make this dream possible I plan on adding auto-update functionality, so that as soon as a new virus is added using the VirusCollector, the VirusScanner receives the update.
Nov 8, 2008 at 3:07 PM
First, thanks for your source code. I am just a newbie in C#, but I really appreciate your work.

Then, about your idea of collecting virus definitions: I had it too. It was my dream too that somebody would freely share virus definitions (or the viruses themselves) so that anyone could just make their own free antivirus. Actually I had some ideas, so it's better to share them.

1- You need to compile and publish your antivirus as open source or as freeware.
2- Your antivirus users can add their own virus definitions by browsing to the file (virus) and adding them manually. But you had better divide the virus definitions into two.
3- First, definitions from registered users (trusted, registered source uploaders). I call this the Former User Virus Definition (FUVD). They may have these benefits:
  • They can import/create their own virus definition file.
  • They can export the virus definition for their friends' use/local use.
  • They can upload the definition file to your server.
  • They can upload the virus file to your server.

4- Second, definitions from unregistered users. I call this the Unregistered User Virus Definition (UUVD). They may have these benefits:
  • They can import/create their own virus definition file.
  • They can export the virus definition for their friends' use/local use.
  • They can upload the virus file to your server (for sharing among registered users).
5- When a user creates their own definition database, you should create an option for the user to upload the virus file to your server.
6- All registered users can get the virus files (just for educational purposes, not for spreading the virus).
7- Just for security, and to not allow any harmful, mistakenly added virus definition from a registered user, you should add a blacklist of users and virus definitions. So you can easily blacklist any user from uploading virus definition files to your server and remove the added definition file.

OK, I think that's all. Please leave your comment. :-D