Dangers Of Virus Signature Checksum

Filed Under: Malware, SophosLabs

Malware authors are not stupid.

When they recognise their creations have been blocked by a particular anti-virus, they resort to finding ways around it so that their new creations would slip through the detection.

Staying ahead in the malware race is the first and foremost priority of a virus analyst. And when it comes to creating anti-virus signatures, it is important to know when and where not to write a checksum detection on a file.

Fake anti-virus malware is particularly notorious in this respect.

What this group of malware authors does is write a simple application to foil automated checksums. Some of these applications are simple in some respects.

Take, for example, the following two pieces of malware. Looking at their resources, it would appear at first sight that the icons of both pieces of malware are one and the same.

However, if a virus analyst were to write a detection based on checksumming the icon resource itself, in the hope that it would detect both pieces of malware, that would be a mistake. There are subtle differences between the two icons which prevent an analyst from simply writing a checksum detection based on their icon information (highlighted in red below).

The difference in this case is the palette information. Here, the icons are in 8-bit format, which means that their header information uses an RGB color palette (made up of RGBQUAD structures) and also includes the information for two bitmap masks (an AND mask and an XOR mask). Through subtle changes to the RGB color palette information, it is possible to generate two separate pieces of such malware quickly and easily.

These kinds of sleight-of-hand techniques are specifically designed to foil anti-virus applications which rely on automated data checksumming, while the malware is essentially still using the same piece of code.

There are, of course, more complex examples and tricks these malware authors use, and this is only the tip of the iceberg, so to speak. Other sleight-of-hand techniques include manipulating the RGB information by a single value in one channel.
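To make the palette trick described above concrete, here is an added example (not code from the original post or from SophosLabs) that builds two constructed 8-bit icon images differing in a single palette channel value, parses the BITMAPINFOHEADER to separate palette from the XOR and AND masks, and shows that a whole-resource checksum splits them while a mask-only checksum still matches. The greyscale palette, the 4x4 masks, and the helper names are all constructed for illustration.

```python
import hashlib
import struct

BIH = "<IiiHHIIiiII"  # BITMAPINFOHEADER (40 bytes); icon height field covers both masks

def build_icon_dib(palette, xor_mask, and_mask, width=4, height=4):
    """8-bit icon image as stored in an RT_ICON resource: header, RGBQUAD palette, XOR mask, AND mask."""
    header = struct.pack(BIH, 40, width, height * 2, 1, 8, 0,
                         len(xor_mask) + len(and_mask), 0, 0, len(palette), 0)
    # RGBQUAD byte order is blue, green, red, reserved
    pal = b"".join(struct.pack("<BBBB", b, g, r, 0) for (r, g, b) in palette)
    return header + pal + xor_mask + and_mask

def split_icon_dib(dib):
    """Return the (palette, xor_mask, and_mask) byte slices of an icon image."""
    size, width, height2, _, bpp, _, _, _, _, clr_used, _ = struct.unpack_from(BIH, dib, 0)
    height = height2 // 2
    pal_len = 4 * (clr_used or (1 << bpp))
    xor_stride = ((width * bpp + 31) // 32) * 4  # rows are padded to 32 bits
    and_stride = ((width + 31) // 32) * 4        # AND mask is 1 bit per pixel
    xor_off = size + pal_len
    and_off = xor_off + xor_stride * height
    return dib[size:xor_off], dib[xor_off:and_off], dib[and_off:and_off + and_stride * height]

def checksum_whole(dib):
    """Naive signature: checksum the whole resource, palette included."""
    return hashlib.sha256(dib).hexdigest()

def checksum_masks(dib):
    """Palette-independent signature: checksum only the XOR and AND mask bytes."""
    _, xor, and_ = split_icon_dib(dib)
    return hashlib.sha256(xor + and_).hexdigest()

def palette_delta(dib_a, dib_b):
    """(index, rgb_a, rgb_b) for every palette entry that differs between two icons."""
    pal_a, pal_b = split_icon_dib(dib_a)[0], split_icon_dib(dib_b)[0]
    diffs = []
    for i in range(min(len(pal_a), len(pal_b)) // 4):
        qa, qb = pal_a[4 * i:4 * i + 3], pal_b[4 * i:4 * i + 3]
        if qa != qb:
            diffs.append((i, (qa[2], qa[1], qa[0]), (qb[2], qb[1], qb[0])))
    return diffs

# Constructed sample data: greyscale palette, two 4x4 masks shared by both "variants".
GREY = [(i, i, i) for i in range(256)]
NUDGED = GREY[:7] + [(7, 7, 8)] + GREY[8:]  # blue channel of entry 7 raised by one
XOR = bytes(range(16))                      # one palette index per pixel
AND = bytes(16)                             # every pixel opaque
SAMPLE_A, SAMPLE_B = build_icon_dib(GREY, XOR, AND), build_icon_dib(NUDGED, XOR, AND)
```

`palette_delta(SAMPLE_A, SAMPLE_B)` reports the single changed entry, which is the kind of difference the post highlights in red.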

Virus analysts these days have to be alert and know what works and what doesn't when attempting to wipe out a family of malware with a single anti-virus signature. All of this information and knowledge forms part of the arsenal that virus analysts use every day in the ongoing effort to fight malware.