3

When Evil McJones develops Virus X and initiates its propagation, what events must transpire for AV companies (and AV testing/validation companies) to recognize Virus X?

This answer to this question gives a brief list of high-level ways the virus can be found:

  • Samples are sent in by customers
  • Malware detected by heuristic scanners (i.e. stuff that behaves like a virus) is further analysed
  • Mail blocked as spam can be analysed for malware attachments.
  • "honeypots", which are public servers or email addresses designed to collect malware
  • going undercover in malware writers communities

But, what's are the specifics? Are the non-customer initiated means of collecting viruses completely automated? Or, are there N people in a lab trying to contract something?

What heuristics / behaviors lead to a more in depth analysis? And what does the more in-depth analysis consist of? What's the "final marker" of a virus?

... And who names the darn thing?

Community
  • 1
svidgen
  • 723
  • 5
  • 14
  • Please note, the question has been edited in light of a similar question (linked above) whose answer provides a basic, high level overview of the process. The purpose of this question is to get more depth on the AV companies' (and possibly the AV scoring companies') processes. – svidgen Sep 02 '14 at 21:27

1 Answers1

3

Most AV companies have a team of analysts that monitor incoming samples collected from a variety of sources.

These sources include but are not limited to:

  • acquisition of samples from sandboxed machines working in a honeypot
  • samples sent in via customers either automatically or manually
  • samples acquired from third parties including competing vendors

The first and last ones are generally the main sources of data.

Most malware collected from these main sources are replayed and actions the malware performs are then recorded. Once this has been done, someone at the AV vendor may end up reviewing it but in some other cases it is completely automatic--it all depends on the complexity of the malware itself, but more often than not it does require someone to look at the file itself.

Naming them is a different story. Some malware ends up getting the same or at least similar name across all vendors but how they approach the naming scheme usually ends up being up to the vendor itself.

Addendum since an edit was made

Since you added an item about heuristics, it should kept in mind that heuristics don't actually work for end users, but they do allow for AV vendors to become suspicious about a file itself. Certain behaviours like a file in a OS directory being edited or a security setting being changed can trip the detection when running in the sandbox.

Sometimes it isn't about what it does on the file system but instead what operating system API calls it makes or even instructions it throws at the CPU too. There are many examples of malware just making useless instructions or performing API calls that just don't make sense--such as a file disguising as a calculator application making calls to the printer spool even though the calculator app doesn't print.

To make matters more complicated, malware authors will also often encode the file using a packer, meaning that the malicious file gets encoded in a manner that requires you to 'unpack' it in order to know what is going on--think of file compression here. AV vendors may struggle with this because certain packers can come from legitimate sources meaning that you cannot take the packing part of the application as malicious because then you could be hosing other legitimate applications making use of said packer. This can make signatures a bit of a pain.

afreak
  • 31
  • 3