Score: 82

I develop my own viruses for 'scientific' purposes, namely to see if they pass the test of Virustotal.com. They all do, except for one or two scanners. Is this considered something you should report to Microsoft/McAfee/etc? If yes, how?

Asked by John Doe (edited by unor)
  • With respect to 'how' I'd suggest studying this kind of thing and the links at the end of the doc: https://www.icann.org/en/system/files/files/vulnerability-disclosure-05aug13-en.pdf That should also help you investigate if it's a 'yes' as well. – Ed Daniel Mar 13 '16 at 14:58
  • btw: Which scanners do detect your viruses? – marstato Mar 13 '16 at 21:10
  • When you upload to Virustotal, it gets sent to the AV companies. Sorry, no source handy, just my recollection. – h4ckNinja Mar 14 '16 at 02:21
  • Making a virus that avoids AV detection is actually pretty simple. The real deal is exploiting bugs in applications / OS to allow something you're not supposed to be able to do - for example, a non-administrator running your "virus" elevated. With all the RnD into heuristics, most of AV detection is still based on matching the file to a list of known viruses - that's why it's so important to keep your AV detection files up to date. If you use AV in the first place, of course :) – Luaan Mar 14 '16 at 08:20
  • @marstato I think this is a "what if" kind of question. – Mindwin Mar 14 '16 at 15:19
  • John D, write a post on how your code avoids detection and let the *community* know (hearing Stallman's voices wooo). – JSmyth Mar 15 '16 at 10:43
  • Is a bash script that simply runs `rm -rf /` a virus? – Petah Mar 15 '16 at 11:37
  • @Petah Yes, since there is hardly any legitimate purpose for doing so. `rm -rf .` would be a better example. – Sebb Mar 15 '16 at 14:06
  • @Sebb well, it's not according to VirusTotal https://www.virustotal.com/en/file/7a3bd27aacb62ae8b936d71d2cfd6918b748de0b7ea5cf229140027a7ffc732a/analysis/1458082715/ – Petah Mar 15 '16 at 22:59
  • @Petah Which is known to not detect some viruses, see the question ;) We both have the same point, I just stated that this is most probably evil and therefore not the best example for the vague definition of virus. – Sebb Mar 15 '16 at 23:04
  • @Sebb: [What about `rm -rf ${DESTDIR}/` (and forget to setenv DESTDIR)?](https://github.com/valvesoftware/steam-for-linux/issues/3671) – Ben Voigt Mar 15 '16 at 23:22
  • @BenVoigt It's a bug, I assume ;) I guess you can best define a virus by its malicious intention (or theoretical intention). You could of course "forget" to set it, but never assume malice when stupidity will suffice. – Sebb Mar 15 '16 at 23:38
  • @Sebb: So all viruses need to do to get past scans is to look stupid? – Ben Voigt Mar 15 '16 at 23:40
  • @BenVoigt A car accident won't stop hurting by being an accident, you still need protection. That's why we call it 'accident' and not 'car murder'. Back to reality, as Petah tested, it works. – Sebb Mar 15 '16 at 23:43
  • It needs to do something malicious. What do your viruses do, while not getting caught? – Thorbjørn Ravn Andersen Mar 16 '16 at 09:44
  • @Petah: It doesn't reproduce, does it? – user541686 Mar 16 '16 at 10:59
  • Fellow whitehat here, nearly none of my viruses get detected, even if they are keyloggers (corporate employee trackers) or RATs (corporate remote control). What gets them flagged is elevation exploits. – ave Mar 16 '16 at 11:02

2 Answers

Score: 136

That's a pointless exercise.

Most malware scanners match on fragments of binary code (aka virus signatures), and they check MD5 hashes of known infected code against their blacklists. Unless the virus you wrote has been deployed into the wild and is already on their blacklist, there isn't a chance they'll have your code's exact signatures on file.

The scanners that do trigger a match are most likely those using heuristics, which scan for "suspicious" behavior. For example, very few programs legitimately need to request the OS grant them the privilege to "Act as a debugger", yet that's fairly common behavior in malware, so if they find it they'll flag it.

Reporting your custom viruses to McAfee won't help anyone - not McAfee, not the public. If they don't identify your code as a virus, it's because their scanners don't have very effective heuristics (which they already know, and won't learn from your code among the hundreds of viruses they analyze per day.) And developing a match takes a researcher time and effort, which costs McAfee money. There is no value to McAfee to waste money on researching a virus that nobody can get, and adding it to their blacklists, because as a white hat you won't allow it to be released.

Answered by John Deters
  • @JohnDoe I think John might have gone a little far pointing out that you have to be careful about your white hat status. Just saying you're white hat doesn't make you white hat. Instead, making sure any code you write can't be used for malicious purposes is the critical action. Maybe he overplayed and implied you aren't careful with your code, when what he was probably trying to say is, "Just in case, please do us all a favor and be *very* careful with your code". – Todd Wilcox Mar 13 '16 at 16:22
  • The important part of the answer which could be made clearer is that "virus scanners" are **nothing but blacklists** of known, found-in-the-wild virus code and code fragments. Some AV tools also detect suspicious/virus-like *behavior*, but they're likely to have lots of false positives and break things the user may want to work. – R.. GitHub STOP HELPING ICE Mar 13 '16 at 16:49
  • The only exception I would make to the above is if you are wanting to share a proof of concept of virus that takes advantage of an undiscovered exploit. Then I would submit samples and code with the appropriate security researchers and/or the affected software vendors to help aid in protecting the public. – Bacon Brad Mar 14 '16 at 23:57
Score: 4

You should not, actually - there's nothing obliging you to do so. You said you're white hat, so you're not intended to rob a bank using your code, and your personal research results are your very own and private unless you wish to publish them somewhere.

Answered by Alexey Vesnin
  • What if OP wants to help AV publishers to strengthen their heuristics so he'll feel safer using the products himself? Even if OP only cared about himself, he might want to report his finding. Maybe he'll even get a dollar or two, or even a job offer. – kay Mar 14 '16 at 17:25
  • @Kay sounds reasonable, and I propose for OP to publish it in his blog or in a security-related journal. He'll have at least +1 scientific publication, and the reach will be not just the AV makers, but a much broader security researchers community. – Alexey Vesnin Mar 14 '16 at 17:57
  • @Kay Sharing is always a good idea and benefits the community. Still I find that any kind of publishing is philosophically probably a selfish act even though it would be generally deemed selfless. – Mikuz Mar 16 '16 at 09:51
  • @Mikuz taking care about yourself is good, and there's no shame to write your name next to your achievements – Alexey Vesnin Mar 16 '16 at 11:51
  • @Alexey Vesnin Yes, I totally support all this kind of behaviour. Also, I find that it's good for people to take care of themselves and be selfish. This is getting way off topic though. – Mikuz Mar 16 '16 at 11:56