Divination by antivirus



  • Astrology or computer virus detection: which one has a better share of exact science? The question may look tough, but the answer is rather obvious.

    This is all about resolution: to draw a proper horoscope one has to operate at hour granularity, while to tell an infected file from a clean one, knowing the date is quite enough.


    [i]original: http://the-arioch.livejournal.com/10932.html[/i]


    Trusting antivirus is like trusting a horoscope.


    We know how the internet is full of bad viri (well, some corners of it really are).
    We know how antivirus companies work hard to protect us from those bad, bad virus-makers.
    And since they work so hard, we naturally think they work in the smartest, most intelligent ways.

    They take a magnifying glass and scrupulously dissect every virus to know whether it is dangerous or not.

    At least that is what we must expect and hope.

    It would be rude profanity to say that they are just doing guesswork, tossing coins and summing numbers on calendars, wouldn't it? Programming is an exact science, and so is the protection of your private pictures and such. No one can tell whether a program is a dangerous virus or not just by looking at the clock and paying little attention to what the program really does. It just cannot be.

    Or at least you are probably used to thinking that way.

    Now please, take a little time and compare these two links:

    • [url]http://virusscan.jotti.org/en/scanresult/03829d7b2be454b8bbe2d7bee4bdf3f58a84cd79[/url]
    • [url]http://virusscan.jotti.org/en/scanresult/03d938045c48b4a6f0920f09436d05c39c704231[/url]


    And these two as well:

    • [url]https://www.virustotal.com/file/7bee9ee5bf179e63c7693d5414b7dd59ec98f6f0339ca686e4e0845b3c9dd00c/analysis/1359752799/[/url]
    • [url]https://www.virustotal.com/file/d1648963ec78d3ba37ff5b858b629138e29d029f325bd2363465eab740714a95/analysis/1359750286/[/url]

    You can see that some antivirus tools do hold to their opinions; whether they were correct or not does not matter. They made their decision and they are sure about it. But you can see that many others just inverted their judgement: they have opposite assessments of those two files. So those files are probably different programs? Or not?

    [i]C:\Delphi\Libs>fc /b rmcvsdir.exe rmcvsdir1.exe
    Comparing files rmcvsdir.exe and RMCVSDIR1.EXE
    000115FE: 32 33
    00011600: 31 30
    00011604: 39 31[/i]

    Can you believe that your antivirus is a kind of trashy newspaper horoscope that bases its report to you on the moon phase?

    I could not. Yet....


    [img]https://dl.dropbox.com/u/6779577/Date_Is_Virus.png[/img]
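An added example, not code from the post above or from any antivirus product, that models the two observations the post is about with constructed toy data: two builds of one benign program differing only in an embedded build-timestamp string (the `fc /b` situation), and one virus body copied into two different host programs. The "binaries", the virus body, both signatures and the timestamps are all made up for illustration; the point is how a hash, a timestamp-derived signature and a body-derived signature each behave.

```python
"""Added example (not from the original thread): hash vs. signature behaviour
on two benign builds that differ only by a build timestamp, and on one virus
body inside two different host programs. All inputs are constructed."""

import hashlib

# Constructed toy inputs.
VIRUS_BODY = b"\xeb\x10" + bytes(range(0xA0, 0xB0)) + b"\xc3"   # pretend infectious code
CODE_A = bytes(range(0x00, 0x80))                                # host program A's code
CODE_B = bytes(range(0x80, 0x100))                               # host program B's code


def build(code: bytes, timestamp: bytes, infected: bool = False) -> bytes:
    """Assemble a toy 'binary': stub header, code body (optionally with the
    virus body appended), an embedded build timestamp string, and padding."""
    body = code + (VIRUS_BODY if infected else b"")
    return b"MZ" + body + b"Build: " + timestamp + b"\x00" * 16


def byte_diff(a: bytes, b: bytes) -> list:
    """Offsets whose bytes differ, in the spirit of `fc /b` (equal lengths only)."""
    if len(a) != len(b):
        raise ValueError("fc /b style diff needs equal-length inputs")
    return [(off, x, y) for off, (x, y) in enumerate(zip(a, b)) if x != y]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes, signature: bytes) -> bool:
    """Minimal signature scanner: flag if the byte sequence occurs anywhere."""
    return signature in data


# Two possible 'signatures' for the same virus: one taken from its body (an
# invariant of every infection), one taken from the timestamp text of the
# sample that happened to be in the vendor's corpus.
SIG_VIRUS = VIRUS_BODY[:8]
SIG_TIMESTAMP = b"2013/01/30"


def demo() -> dict:
    clean_jan30 = build(CODE_A, b"2013/01/30")
    clean_jan31 = build(CODE_A, b"2013/01/31")       # same code, rebuilt a day later
    infected_a = build(CODE_A, b"2013/02/01", infected=True)
    infected_b = build(CODE_B, b"2012/12/24", infected=True)
    return {
        # the two clean builds differ in exactly one byte, inside the date text
        "diff_clean_builds": byte_diff(clean_jan30, clean_jan31),
        # so a whole-file hash cannot say 'same program'
        "hash_clean_equal": sha256(clean_jan30) == sha256(clean_jan31),
        # a timestamp-derived signature flips the verdict between the builds
        "timestamp_sig": (scan(clean_jan30, SIG_TIMESTAMP), scan(clean_jan31, SIG_TIMESTAMP)),
        # a body-derived signature is quiet on both clean builds ...
        "virus_sig_clean": (scan(clean_jan30, SIG_VIRUS), scan(clean_jan31, SIG_VIRUS)),
        # ... and fires on both infected hosts, although their hashes differ
        "hash_infected_equal": sha256(infected_a) == sha256(infected_b),
        "virus_sig_infected": (scan(infected_a, SIG_VIRUS), scan(infected_b, SIG_VIRUS)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

Running it shows the single differing byte at offset 146 (the `0`/`1` of the date), both clean builds with different SHA-256 values, the timestamp signature flagging one clean build and not the other, and the body signature catching both infected hosts while ignoring both clean builds.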



  • How is your test supposed to prove that antivirus only checks the creation date?

    What I see is a hash collision: the antivirus checks if the file has a fingerprint in common with one of the known viruses, and declares it infested if it matches.

    As anybody with a minimal knowledge of MD5 knows, that kind of check can sometimes lead to goofy results like this one. It's called a false positive, and it happens in medicine as well.

    Whether the antivirus you talk of is trashy or efficient needs a more in-depth comparison. If it does 0.01% false positives and catches 99% of viruses, it is pretty good; if it does 50% false positives and lets half the viruses go their merry way, then you have Norton Antivirus.

    Also, "he does not check if a file is a program" shows a fair bit of cluelessness about how viruses work.



  • AV do not check hashes.

    Imagine the same virus infecting two different programs. Those programs would be different, but somewhere inside they would have the same (or mostly the same) virus body.

    Imagine you and I caught the flu. It would be the same virus in our bodies, but if you found a way to hash our bodies, the hashes would be different.


    What AV can check is called a signature; it is not a hash but a specific code sequence unique to that virus, whatever different applications it injects itself into.

    This time they chose the compiler build timestamp as the code signature they check against.

    And we have not yet touched MtE and other polymorphic engines, where two instances of the same virus have not a single byte in common in their bodies. You don't expect those totally different bodies to have the same MD5 hash, do you?



    Also, "he does not check if a file is a program" shows a fair bit of cluelessness about how viruses work.
    Good point. However, that is your claim, not mine. So it cannot show a bit about me.



    Whether the antivirus you talk of is trashy or efficient

    Mmm... did you open the links? Not some trashy antivirus, but half of those on the market. Half of the AV tools chose date text as the code sequence they treat as a signature.



    Last but not least, there is a set of programs usually called "patchers". Sometimes they are used for fair goals like localization or changing appearance (using 3rd-party Windows themes, for example, needs patching), and for bad goals as well. And once I got such an FP and then got a reply from the AV vendor. They told me that they chose the "patcher" signature because it is frequently used by malware makers. They understand that the same "patcher" is also used for fair goals, but they would not change their databases. Filtering a list of viruses by flagging the program used to build them is so convenient that they would not care for those who also coincidentally used the tool and became "collateral damage".



  • Well, if you wish, you may find a real virus with the same hashes and the same file length as the one flagged.

    Maybe they really check nothing but CRC...



  • @TheLazyHase said:

    How is your test supposed to prove that antivirus only checks the creation date?

    There was a Mac anti-virus program called "MacScan" that only checked the file's creation date and size.

    That said, I highly doubt any Windows virus scanner would be caught doing that.



  • @Arioch said:

    Can you believe that your antivirus is a kind of trashy newspaper horoscope that bases its report to you on the moon phase?
     

    I could believe that your antivirus was... but without naming the app, it's all supposition.



  • @Arioch said:

    Astrology or computer virus detection: which one has a better share of exact science? The question may look tough, but the answer is rather obvious.
    This is all about resolution: to draw a proper horoscope one has to operate at hour granularity, while to tell an infected file from a clean one, knowing the date is quite enough.

    That last sentence is a good example of conflating precision with accuracy. Exercise for the reader: how many other rhetological fallacies can you find just in this paragraph?



  • @Cassidy said:

    but without naming the app, it's all supposition.

    All the names are there, so I don't know what you're talking of.



  • @Arioch said:

    AV do not check hashes.

    Yes, they do.

    @Arioch said:

    Imagine the same virus infecting two different programs …

    See, there's your problem. Viruses—infectious code embedded inside unaware host programs—are probably close to extinction now. Modern malware typically takes the form of worms and trojans: fully self-contained programs or malicious documents. Obviously it's a lot more complicated, but viruses as they were in the 80s and early 90s are gone.



  •  @Daniel Beardsmore said:

    See, there's your problem. Viruses—infectious code embedded inside unaware host programs—are probably close to extinction now. Modern malware typically takes the form of worms and trojans: fully self-contained programs or malicious documents. Obviously it's a lot more complicated, but viruses as they were in the 80s and early 90s are gone.

    Hey look, a free game of DOOM emailed to me as an .exe.

    Most AWESOME. VIRUS. EVER.

     



  • See, there's your problem. Viruses—infectious code embedded inside unaware host programs—are probably close to extinction now. Modern malware typically takes the form of worms and trojans:



    I don't have the statistics. There always were all kinds of viri: inside programs, inside HDDs, standalone ones.

    The latter were always the easiest to deal with.


    And boot-kits show that viri are not getting simpler; the opposite happens, they get more and more complex and sly.

    fully self-contained programs or malicious documents.


    Documents? Macro-viri were always those that embed themselves into "unaware host documents".



    Even then, virtually any programmer who has worked with hashmaps, aka dictionaries, aka associative arrays, and that means virtually any programmer active today, knows well that a hash collision is a normal and regular thing. And that is nothing but a "1st evaluation" that only serves to filter out most wrong candidates, so that the real check can be done on the few that remain. The hash is not the check; it is only the means to make fewer checks than you would without it.


    So, well, your CRC check "rang the bell", so what? Check the length, check the signature, check a few more hashes. Easy.



    Virtually every programmer today, and AV programmers are expected to be among the most experienced, knows that a hash collision is a ubiquitous thing and means nothing per se.


    Last but not least, checking viri by hash looks ultimately useless. You need not be anything but a script kiddie to, say, change the Icon or VersionInfo resource and get a completely different hash. No matter how you look at this, you should have some internal invariant signature. And that signature should relate to code or at least data structures, but not to some compiler copyright message or timestamp or the like.



    And you know, I have 1st-hand experience of AV vendors blocking an RTL instead of a particular virus, because that was easier for them.

    And I don't think it is a coincidence that AV is among the list
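An added example, not code from the thread or from any antivirus product, for the "hash is a pre-filter, not the check" argument above. It builds a tiny known-bad index keyed by CRC32, then forges a 4-byte tail that gives a benign file of the same length the same CRC32 as the known-bad sample (CRC32 is linear over GF(2), so a 32x32 system over the four free bytes always has a solution; that property is standard CRC mathematics, not something from the thread). A hash-only scanner flags the benign file; a staged scanner that treats the CRC hit as a candidate and then confirms length and an invariant body signature does not. The corpus, the "malware", the record layout and the benign file are all constructed.

```python
"""Added example (not from the original thread): CRC32 as a pre-filter with a
forged collision, followed by length and body-signature confirmation.
Everything here is constructed toy data."""

import hashlib
import zlib
from collections import namedtuple


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def forge_crc32(prefix: bytes, target: int) -> bytes:
    """Return 4 bytes X such that crc32(prefix + X) == target.

    zlib.crc32(X, c0) continues a running CRC. For fixed c0 the map
    X -> crc32(X, c0) ^ crc32(b'\\0' * 4, c0) is GF(2)-linear in the 32 bits
    of X, so we tabulate the images of the 32 unit vectors and solve the
    resulting 32x32 system with an XOR basis."""
    c0 = zlib.crc32(prefix)
    f0 = zlib.crc32(bytes(4), c0)
    cols = [zlib.crc32((1 << k).to_bytes(4, "little"), c0) ^ f0 for k in range(32)]
    basis = {}  # leading bit -> (vector, which input bits XOR to it)
    for k, vec in enumerate(cols):
        mask = 1 << k
        for bit in range(31, -1, -1):
            if not (vec >> bit) & 1:
                continue
            if bit in basis:
                bvec, bmask = basis[bit]
                vec ^= bvec
                mask ^= bmask
            else:
                basis[bit] = (vec, mask)
                break
    rhs, x = target ^ f0, 0
    for bit in range(31, -1, -1):
        if (rhs >> bit) & 1:
            if bit not in basis:
                raise ValueError("target not reachable")  # never for CRC32's full-rank map
            bvec, bmask = basis[bit]
            rhs ^= bvec
            x ^= bmask
    return x.to_bytes(4, "little")


Record = namedtuple("Record", "name length signature")

# Constructed known-bad sample: a stub header, NOP sled, the 'virus body', padding.
VIRUS_BODY = b"\xeb\x10" + bytes(range(0xA0, 0xB0)) + b"\xc3"
MALWARE = b"MZ" + b"\x90" * 20 + VIRUS_BODY + b"\x00" * 8        # 49 bytes
CORPUS = {"Toy.Agent": (MALWARE, VIRUS_BODY[:10])}                # name -> (sample, body signature)


def build_index(corpus: dict) -> dict:
    """CRC32 -> candidate records. The signature comes from the virus body,
    which every infected file carries, not from incidental text."""
    index = {}
    for name, (sample, signature) in corpus.items():
        index.setdefault(crc32(sample), []).append(Record(name, len(sample), signature))
    return index


def crc_only_verdict(data: bytes, index: dict):
    """The naive scanner the thread argues about: the hash *is* the verdict."""
    hits = index.get(crc32(data))
    return hits[0].name if hits else None


def staged_verdict(data: bytes, index: dict):
    """Hash as pre-filter; length and body signature must both confirm."""
    for rec in index.get(crc32(data), []):
        if len(data) == rec.length and rec.signature in data:
            return rec.name
    return None


def demo() -> dict:
    index = build_index(CORPUS)
    # A benign file of the same length, with a forged 4-byte tail so that its
    # CRC32 collides with the known-bad sample.
    base = (b"MZ" + b"benign build 2013/01/30 - no virus here").ljust(len(MALWARE) - 4, b"\x00")
    benign = base + forge_crc32(base, crc32(MALWARE))
    return {
        "crc_equal": crc32(benign) == crc32(MALWARE),
        "same_length": len(benign) == len(MALWARE),
        "identical": benign == MALWARE,
        "sha256_equal": hashlib.sha256(benign).digest() == hashlib.sha256(MALWARE).digest(),
        "crc_only_benign": crc_only_verdict(benign, index),   # false positive
        "staged_benign": staged_verdict(benign, index),       # rejected at signature stage
        "staged_malware": staged_verdict(MALWARE, index),     # still caught
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

The forged file passes the CRC stage and even the length stage, so the verdict rests entirely on the body signature; that is the "real check on the few that remain" the post describes. A production engine would add a strong hash (SHA-256) for exact-sample matching and keep the body signature for variants, but neither stage should be a timestamp string.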



  • @Arioch said:

    so don't know what you're talkign of.
     

    The feelign is mutual.


  • FoxDev

    @Arioch said:

    viri

    This is TRWTF - if you're gonna troll, at least try to use correct English.

     



  • @RaceProUK said:

    @Arioch said:

    viri

    This is TRWTF - if you're gonna troll, at least try to use correct English.

     

    Not sure whether Arioch is trolling or not, but (s)he's clearly an "English as a second language" fellow, so how about not being pedantic about his/her English? If (s)he's not clear enough to make a point, ask him/her to clarify.

     



  • I don't think this proved anything. I've used quite a few antiviruses in my life and some have proved to be more efficient and some less. I'm currently using a good antivirus (Unthreat Antivirus) that has traced many threats to my system so I know that it gets the job done.

