
I'm working on a uni project where I will attempt to create a malware that uses some form of genetic algorithm to "evolve" itself out of being recognized by a signature based AV software.

For this I will need to code my own small AV programmed to detect the strain of malware. So my question is, what patterns do signature based AV look for?

I can think of strings of text in the file, size of the file.

Juicy
  • Antivirus signatures can and do consist of all sorts of things. These range from something as simple as a sequence of bytes which, if found, identifies a virus, to bit patterns with masks, and variable-length patterns such as "these four bytes, followed by between 3 and 8 bytes, followed by these seven bytes". – Ben Feb 11 '14 at 15:17

2 Answers


Most antivirus solutions use a variety of techniques to identify malware.

The simplest (and oldest) approach is to use signatures of known malware such as MD5/SHA1 hashes, or specific strings in binaries. This technique worked more successfully with older malware which didn't have the number of variants we see today.

Next we have heuristic static analysis. This works by scanning files and looking for suspicious features such as packers, obscured code, specific library imports, etc. You could say this is the closest to the "patterns" you are talking about. One could write malware and tweak it until it isn't detected by the most common malware heuristics. These patterns and algorithms are closely guarded secrets of each antivirus vendor and they are unlikely to share them beyond generic explanations.

The last form of malware identification is through dynamic heuristic analysis. This is when malware is run in a sandbox, and the antivirus looks at what the software does. It looks at the libraries it calls, the actions it performs, whether it tries to hide itself, if it makes registry entries, etc. There are lots of ways to avoid identification through dynamic analysis which are too in-depth for this answer; suffice it to say that it can be bypassed.

TL;DR Nobody can tell you exactly what the patterns are for each antivirus program. There are some generic things they all look for, but the specifics are secrets.

Daisetsu
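As an added illustration of the signature types named in Ben's comment under the question and in this answer (whole-file hashes, fixed strings, masked byte patterns and variable-length gaps), here is a toy scanner written for this page. It is not code from any answerer or from any antivirus product; the hex-signature syntax, the signature names and every sample byte string are constructed for the example.

```python
"""Toy signature scanner: whole-file hash, fixed string, masked bytes,
variable-length gap. Added example; the signature syntax and all sample
bytes are constructed and do not come from any antivirus vendor."""
import hashlib
import re

# Constructed hex-signature syntax (loosely YARA-like), tokens separated by
# spaces: "6A" exact byte, "??" any byte, "6?" / "?A" nibble mask,
# "[3-8]" between 3 and 8 arbitrary bytes.
_JUMP = re.compile(r"^\[(\d+)-(\d+)\]$")


def _byte_token_to_regex(tok: str) -> bytes:
    """Translate one byte token into a bytes-regex fragment."""
    if tok == "??":
        return b"."                      # any single byte (DOTALL below)
    if "?" not in tok:
        return re.escape(bytes([int(tok, 16)]))
    hi, lo = tok[0], tok[1]
    # Nibble mask: enumerate every byte whose fixed nibble(s) match and
    # emit them as one character class.
    members = [
        b for b in range(256)
        if (hi == "?" or (b >> 4) == int(hi, 16))
        and (lo == "?" or (b & 0x0F) == int(lo, 16))
    ]
    return b"[" + b"".join(re.escape(bytes([b])) for b in members) + b"]"


def compile_hex_signature(pattern: str) -> re.Pattern:
    """Compile a hex signature string into a bytes regex."""
    parts = []
    for tok in pattern.split():
        jump = _JUMP.match(tok)
        if jump:
            lo, hi = int(jump.group(1)), int(jump.group(2))
            parts.append(b".{%d,%d}" % (lo, hi))   # variable-length gap
        else:
            parts.append(_byte_token_to_regex(tok))
    return re.compile(b"".join(parts), re.DOTALL)


# Constructed specimens. SAMPLE_A is the "previously seen" specimen;
# SAMPLE_B is a variant with its immediates, marker string and stub
# length changed; BENIGN matches nothing.
_OPCODES_A = b"\x6a\x00\x68\x11\x22\x33\x44\xe8\xaa\xbb\xcc\xdd"
_OPCODES_B = b"\x6a\x05\x68\x99\x88\x77\x66\xe8\x01\x02\x03\x04"
SAMPLE_A = b"MZ" + b"\x90" * 14 + _OPCODES_A + b"CONSTRUCTED-TEST-MARKER" + b"\x00" * 8
SAMPLE_B = b"MZ" + b"\x90" * 10 + _OPCODES_B + b"CONSTRUCTED-TEST-M4RKER" + b"\x00" * 8
BENIGN = b"MZ" + b"\x00" * 40

SIGNATURE_DB = {
    # Whole-file hash: the brittlest kind, any one-byte change misses.
    "hashes": {"known-sample-a-sha256": hashlib.sha256(SAMPLE_A).hexdigest()},
    # Fixed byte string.
    "strings": {"marker-string": b"CONSTRUCTED-TEST-MARKER"},
    # Masked bytes (a constructed x86-style push/push/call layout with the
    # immediates wildcarded) and a fixed prefix followed by a bounded gap
    # and a nibble-masked opcode.
    "hex": {
        "push-imm-call": compile_hex_signature("6A ?? 68 ?? ?? ?? ?? E8"),
        "mz-stub-gap": compile_hex_signature("4D 5A [8-20] 6? ?? 68"),
    },
}


def scan(blob: bytes, db=SIGNATURE_DB) -> list:
    """Return the sorted names of every signature that matches blob."""
    hits = []
    digest = hashlib.sha256(blob).hexdigest()
    hits += [n for n, h in db["hashes"].items() if digest == h]
    hits += [n for n, s in db["strings"].items() if s in blob]
    hits += [n for n, rx in db["hex"].items() if rx.search(blob)]
    return sorted(hits)


if __name__ == "__main__":
    for label, blob in (("SAMPLE_A", SAMPLE_A), ("SAMPLE_B", SAMPLE_B), ("BENIGN", BENIGN)):
        print(f"{label}: {scan(blob)}")
```

Running it shows the point the answer makes about hashes being the weakest signature: the hash and the fixed-string signatures fire only on SAMPLE_A, while the masked and gapped patterns also catch the modified SAMPLE_B, because they pin only the bytes that stay stable across variants. The regex translation is a convenience for a small example; production engines use purpose-built matchers (Aho-Corasick and similar) for the same signature types.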

A fruitful line of enquiry for this would likely be to look at how other A-V evasion frameworks handle the problem. AFAIK AV vendors don't make it totally open what they look for and this is likely to vary vendor to vendor.

Veil Framework is one recent example of bypassing A-V, also AVoid, also see this post

Rory McCune