H

hjlbx

Hello,

How is it that an AV vendor will add a malware dropper's signature to its database, but not the signatures of the actual malware that the dropper will install?

To me, this does not seem logical...but logic may not have anything to do with the reality of how things work in the AV security world.

I do not know the subtleties and complexities of how malware signatures are added to AV databases. As far as I know a signature is a hash. Other than that I know next to nothing.

Can someone shed light on the subject?

Thanks,

hjlbx
 

Nico@FMA

Level 27
Hello HJLBX,

One of the reasons is that the carrier often is a legit program, and as such its often nearly impossible in detecting a dropper carrier.
So rather then focussing on the carrier its smarter and more efficient to focus on the actual payload as most carriers are harmless.
In regards to the signature of a malware its a hell of a lot more complex then just a MD5, SHA-1, SHA-2 and CRC32 hash.
The signature of a malware file can contain lots of file DNA details that far surpasses simple SHA-1/2 and MD5 Hash keys.
Cheers
 
H

hjlbx

Hello Nico,

In the case I cited, the AV vendor added the signature of the carrier and not the payload. Bad news if someone disables signatures detection.

Thank you, I did not know the facts regarding the hashes.

hjlbx
 
  • Like
Reactions: nissimezra

Nico@FMA

Level 27
Hello Nico,

In the case I cited, the AV vendor added the signature of the carrier and not the payload. Bad news if someone disables signatures detection.

Thank you, I did not know the facts regarding the hashes.

hjlbx
Well obviously some carriers get listed as their payload might not be harmful.
Its really a case by case situation.
1: Detect both if both harmful.
2: Detect the carrier if harmful and ignore the payload if not harmful.
3: Detect the payload if harmful and ignore the carrier if not harmful.

Just 3 examples as its really a case by case thing.
 
H

hjlbx

Hello Nico,

Thank you for the clarification.

It makes sense.

hjlbx
 

gricardo21

Level 19
Verified
Hi, well i understand your point... but please read this article, then you may understand how it works (signature detection)
 
Last edited by a moderator:
  • Like
Reactions: Nico@FMA

Nico@FMA

Level 27
hi, well i understand your point... but please read this article, then you may understand how it works (signature detections)
Nice to see some users still referring to old school traditional signature systems.
Customisable and efficient yet a bit outdated compared to Next Gen signature creation tools.
 
  • Like
Reactions: gricardo21

gricardo21

Level 19
Verified
Nice to see some users still referring to old school traditional signature systems.
Customisable and efficient yet a bit outdated compared to Next Gen signature creation tools.
It is old fashion but for a basic user that doesn't understand what even the word PE means... it is a good beginning don't you think? when talking about complex things like this it is much better to crawl instead of running xD and well even tho it is old school there are some AV vendors that still use this techniques xD well i know that every AV company has their way to detect malware (so, this way it is not easy to fool the engine) in this case we have an open source AV so... everybody can be a detective :D
 

Nico@FMA

Level 27
It is old fashion but for a basic user that doesn't understand what even the word PE means... it is a good beginning don't you think? when talking about complex things like this it is much better to crawl instead of running xD and well even tho it is old school there are some AV vendors that still use this techniques xD well i know that every AV company has their way to detect malware (so, this way it is not easy to fool the engine) in this case we have an open source AV so... everybody can be a detective :D
Correct and well said +1 for you m8.
 
H

hjlbx

Hello,

So there has to be apps that do not become malicious until after they have made a connection and updated to some form of malicious capability. That does not necessarily have to occur immediately, I think.

In other words, you download it. Scan it. Scan returns clean. At some point in the future app updates and installs malicious component. Fools AV. And can remain undetected until signature is added to database.

Sorry for terminology and way explained. I know it is not correct.

Malware can only be limited by human imagination...for most part...correct?

Am I understanding correctly?

Thanks,

hjlbx
 
  • Like
Reactions: jamescv7

jamescv7

Level 61
Verified
Trusted
Hello,

So there has to be apps that do not become malicious until after they have made a connection and updated to some form of malicious capability. That does not necessarily have to occur immediately, I think.

In other words, you download it. Scan it. Scan returns clean. At some point in the future app updates and installs malicious component. Fools AV. And can remain undetected until signature is added to database.


hjlbx
This is the reason why some users stated as PARTIAL blocking, but in reality it prevents any viruses that drops on certain critical situation thus not an AV fault, its undergone on thoroughly analysis and the main file can be deleted manually if happens to block for dropping only.