Topic: Basic "Heuristics"

RejZoR
Basic "Heuristics"
« on: June 08, 2004, 04:39:47 PM »
OK, I've been talking about this yesterday on how you could extend detection. This is just one of the possible ways to check a file.

TEST PROGRAM:
http://freeweb.siol.net/razor256/downloads/BasicHeuristics.zip

For testing purposes I have implemented only detection for the ".txt.exe" dual extension. So all files that have only one extension, or those that are not considered a threat, are excluded automatically. As I have noticed that the VPS contains a default extension set (infectable files), it could be very easy to do this in avast!.

I have included two blank samples with different extensions.
One will be detected and the other won't. You can also test with other files, but only malware_program.txt.exe will be detected, since dual extensions are suspicious (the extension exe.txt is also not suspicious, since TXT is the correct extension and it's harmless). Files with a single extension are not as suspicious as those which want to hide something.

Another check could be a wide space check. Some worms have a very long space between the filename and the real extension. The icon usually mimics the "fake" extension. You can see the real extension only if you use the Rename command on the file.

I have seen similar checking in DiamondCS WormGuard, which seems to be pretty effective.

There are probably many more such "heuristic" checks that could increase the possibility of catching malware with minimal overhead (checking the extension is probably something that can be performed very fast). The Alwil guys probably know this, since similar methods are used for checking mail attachments.

Is there any other checking method similar to "my" two?
Visit my webpage Angry Sheep Blog
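The two filename checks described in the post above (dual extension with a harmless-looking decoy in front of an executable extension, and a wide run of blanks hiding the real extension), written up as an added example. This is not RejZoR's test program nor avast code; the extension sets and the four-blank padding threshold are constructed assumptions for the example.

```python
import os
import re

# Constructed list of extensions Windows treats as executable (not avast's VPS set).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
# Constructed list of harmless-looking extensions commonly used as a decoy.
DECOY_EXTS = {"txt", "jpg", "jpeg", "gif", "doc", "pdf", "mp3", "avi"}
# Assumed threshold: this many consecutive blanks before the real extension is "wide".
MAX_PADDING = 4


def check_filename(name: str) -> list:
    """Return the heuristic flags raised by a filename (empty list = nothing suspicious).

    Only files whose *real* (last) extension is executable are examined, so
    'readme.exe.txt' is excluded, exactly as the post describes.
    """
    base = os.path.basename(name)
    # Strip blanks around each part so 'photo.jpg      .exe' still splits as photo / jpg / exe.
    parts = [p.strip() for p in base.lower().split(".")]
    flags = []
    if len(parts) < 2:
        return flags  # no extension at all: nothing to check
    real_ext = parts[-1]
    if real_ext not in EXECUTABLE_EXTS:
        return flags  # harmless real extension, skip
    # Dual extension: a decoy extension directly before the executable one.
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        flags.append("dual-extension")
    # Wide space: a long run of blanks anywhere in the visible name before the real extension.
    stem = base[: -(len(real_ext) + 1)]
    if re.search(r"[ \t]{%d,}" % MAX_PADDING, stem):
        flags.append("wide-space")
    return flags


if __name__ == "__main__":
    # Constructed sample names; the first two match the post's own samples.
    for sample in ["malware_program.txt.exe", "readme.exe.txt",
                   "holiday photo            .exe", "setup.exe"]:
        print(f"{sample!r}: {check_filename(sample) or 'clean'}")
```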

.: Mac :.
Re:Basic "Heuristics"
« Reply #1 on: June 10, 2004, 03:44:26 AM »
RejZoR, does Avast have something like this in its engine? (I like the F-Secure Orion Engine, which is a pure heuristic engine, and it kicks a$$)
« Last Edit: June 10, 2004, 03:44:42 AM by MacLover2000 »
"People who are really serious about software should make their own hardware." - Alan Kay