How to create a simulated virus with a virus signature

[matthias]

Hey,

I searched now for 2 days on the internet about the following problem:
I need to create simulated viruses, and I thought I can do this by
using public available virus signatures (like the clamav database).
Well I tried to attach these signatures to different files with a text-
or hexeditor, but my Virus Scanning Software did not recognize any of
them as a virus.
Can anybody tell me what I am doing wrong or how this simulated viruses
could be created ?
Thanks!

 

[legg]

Hey,

I searched now for 2 days on the internet about the following problem:
I need to create simulated viruses, and I thought I can do this by
using public available virus signatures (like the clamav database).
Well I tried to attach these signatures to different files with a text-
or hexeditor, but my Virus Scanning Software did not recognize any of
them as a virus.
Can anybody tell me what I am doing wrong or how this simulated viruses
could be created ?
Thanks!

If all you want to do is trigger AV sw -

http://www.eicar.org/anti_virus_test_file.htm

RL

 

[matthias]

thanks for that, I have tried this one already. but I do not only want
to trigger the software, I need to test some equipment with real
"virus" files, not just with that single test file.

 

[Zvi Netiv]

thanks for that, I have tried this one already. but I do not only want
to trigger the software, I need to test some equipment with real
"virus" files, not just with that single test file.

You are wasting your time. AV aren't supposed to respond to dummy viruses, only
to the real thing - with one exception: The EICAR test string.

There is no way to effectively "simulate" a virus. The way antivirus are tested
is against real viruses, and the tests are supposed to be conducted by
individuals or agencies that qualified to conduct them.

Regards, Zvi

 

[Roger Wilco]

Hey,

I searched now for 2 days on the internet about the following problem:
I need to create simulated viruses, and I thought I can do this by
using public available virus signatures (like the clamav database).
Well I tried to attach these signatures to different files with a text-
or hexeditor, but my Virus Scanning Software did not recognize any of
them as a virus.

They shouldn't - they should only detect the real viruses. AVs go to
great lengths to ensure that false positive detections are as rare as
possible - it is as important as detection of real threats is.

Can anybody tell me what I am doing wrong or how this simulated viruses
could be created ?

Somebody (Vecna?) made a program that generated false positive files
(for a specific AV) by sort of reverse engineering their definition
set - I forgot the name of the program and the AV it was aimed at
though.

I suppose real viruses could be used if extreme care was taken to make
them non-threatening - that is ensure that the system being used cannot
execute them. Exactly what are you testing that makes the EICAR test
string unacceptable?

 

[matthias]

Hey, thanks for your answer.
I am trying to test networking equipment, like a firewall or a mail
server with virus scanning abilities. So I need to send them "infected"
files to find out how many they will detect and how much time they need
to check a file for example.

 

[kurt wismer]

Hey, thanks for your answer.
I am trying to test networking equipment, like a firewall or a mail
server with virus scanning abilities. So I need to send them "infected"
files to find out how many they will detect and how much time they need
to check a file for example.

you do not need to see how many they will detect... you are not doing a
detection rate analysis of the anti-virus products (or if you are you're
doomed to generate absolutely worthless results)... an anti-virus'
effectiveness can not be meaningfully evaluated by laymen or even
experts if they have too few resources...

what you need to do is make sure the anti-virus on those devices is
working, and for that all you need is the eicar standard anti-virus test
file...

 

[Roger Wilco]

Hey, thanks for your answer.
I am trying to test networking equipment, like a firewall or a mail
server with virus scanning abilities. So I need to send them "infected"
files to find out how many they will detect and how much time they need
to check a file for example.

How many, and the computing cost, would be a function of the scanner
itself and not so much of the network devices. The EICAR file works as a
sort of "go/no go" gage for the device end (it proves the scanner at
least looks). The scanner would have to be tested professionally, there
is too much work involved in the process for an individual to accomplish
it without misleading results.

Professional testing facilities give results (about the scanner) such as
you request. Their "coverage" (how many) and the time it takes to scan
(*best tested on a diverse group of "non-infected" materials BTW) should
be listed in the results. If you want to see how detections are
handled - and the cost there - EICAR works.

*computing cost would be more important on these because most of the AVs
time would be spent on looking and not finding anyway - - unless it is a
virus server being scanned.

 

[matthias]

I wanted to let you know that in the meantime, with the help of a
collegue I continued to work on this topic. We managed to create nearly
30000 test files just containing virus signatures. We then checked them
with Symantec´s AV and got a detection rate of nearly 9%. This means
more than 2600 viruses were detected just because of their signature.

In my opinion, for not being supposed to detect a single one of them,
this is quite a high result...

 

[Zvi Netiv]

I wanted to let you know that in the meantime, with the help of a
collegue I continued to work on this topic. We managed to create nearly
30000 test files just containing virus signatures. We then checked them
with Symantec´s AV and got a detection rate of nearly 9%. This means
more than 2600 viruses were detected just because of their signature.

In my opinion, for not being supposed to detect a single one of them,
this is quite a high result...

You actually tested your AV for false positive susceptibility. ;-)

Take a look at the following:
http://groups-beta.google.com/group/alt.comp.virus/msg/93248a9d9c4986bf

Regards, Zvi