One of the biggest reasons in my mind that snort/sourcefire has dominated the IDS market for as long as it has is that if you are a security researcher/analyst/geek and you know what kind of traffic you are looking for, you can create your own signature and start detecting threats and malware chatter very quickly ON YOUR OWN... without waiting for your vendor to release signatures who knows how much later.
Now... all I'm asking for is the same kind of detection tool/engine for files, one that security geeks can write their own signatures for. Here are some ideas for criteria:
* hashes - good for a first pass just to save time if you have a specific known malicious file. (consider ssdeep for fuzzy hashing)
* file size (fixed or range) - never anything definitive, but suspicious nonetheless.
* file name - a PCRE to detect whether the file name fits a pattern of generated file names.
* packer - identifying the packer can also be a clue: some malware authors use home-rolled packers, others just a generic one rather than something more exotic. (peid/peinfo?)
* mime type/magic number - verifies the actual file type regardless of the file name. (handling for gifars?) (file -i)
* strings - like running strings -a and looking for tell-tale text. (gnu strings?)
* libraries - a list of imported libraries to match against; grepping strings output is the quick way, parsing the import table would be more reliable. (strings -a file.ext | grep -i ".dll")
* compiler/language - also a decent clue pointing to specific threats and variants of them. (peid/peinfo?)
* hex - a sequence of hex values that appears in the file. (xxd?)
* asm - a sequence of instructions indicative of a particular piece of malware. (windasm?)
Naturally this would be detection only, and just like IDS signatures one would have to keep tuning them to get accurate results; the tool would also need more options/features added over time to allow more precise signatures.
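To make the idea concrete, here is an added example (not code from the original post, and not yara) of a toy signature engine that implements the criteria above that need no external libraries: hashes, size range, file-name regex, magic bytes, strings, imported-library names and raw hex sequences. The asm criterion is approximated with a hex sequence for a common GetPC stub, since real instruction matching would need a disassembler; packer/compiler identification and fuzzy hashing are left out for the same reason. The sample blob, the rule names and all field names are assumptions for the demo.

```python
"""Toy file-signature engine (added example, not the post's or yara's code).

Rules AND together every criterion they specify, like a yara condition.
Packer/compiler detection (peid) and fuzzy hashing (ssdeep) are omitted
because they need external tools.  Names and rule fields are assumptions.
"""
import hashlib
import re
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: an MZ/PE-shaped blob (not a runnable executable) that
# carries the artefacts the demo rule looks for.
SAMPLE = (
    b"MZ" + b"\x90" * 58 + struct.pack("<I", 0x80)   # DOS header, e_lfanew -> 0x80
    + b"\x00" * (0x80 - 64) + b"PE\x00\x00"          # PE signature at offset 0x80
    + b"\x00" * 32
    + b"KERNEL32.dll\x00WS2_32.dll\x00"              # import names as strings would show them
    + b"cmd.exe /c\x00"                              # tell-tale text
    + b"\xe8\x00\x00\x00\x00\x5d\x81\xed"            # call $+5 / pop ebp / sub ebp, imm32 (GetPC stub)
    + b"\x00" * 40
)

PRINTABLE_RUN = rb"[\x20-\x7e]{%d,}"


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Rough equivalent of `strings -a`: runs of printable ASCII."""
    return [s.decode("ascii") for s in re.findall(PRINTABLE_RUN % min_len, data)]


def imported_libraries(data: bytes) -> List[str]:
    """Rough equivalent of `strings -a f | grep -i .dll`, lower-cased and deduplicated.
    Parsing the PE import table would be more reliable; this is the grep approach."""
    return sorted({s.lower() for s in extract_strings(data) if s.lower().endswith(".dll")})


@dataclass
class Rule:
    name: str
    sha256: Set[str] = field(default_factory=set)      # exact-hash first pass
    size_range: Optional[Tuple[int, int]] = None        # inclusive (min, max) in bytes
    filename_re: Optional[str] = None                   # PCRE-style file-name pattern
    magic: Optional[bytes] = None                       # expected leading bytes
    strings_all: List[str] = field(default_factory=list)  # every entry must appear
    libraries: List[str] = field(default_factory=list)    # imported DLL names, case-insensitive
    hex_seq: Optional[bytes] = None                       # raw byte sequence anywhere in the file


def evaluate(rule: Rule, filename: str, data: bytes) -> Tuple[bool, Dict[str, bool]]:
    """Return (matched, per-criterion results). Unspecified criteria are skipped."""
    checks: Dict[str, bool] = {}
    if rule.sha256:
        checks["sha256"] = hashlib.sha256(data).hexdigest() in rule.sha256
    if rule.size_range:
        lo, hi = rule.size_range
        checks["size"] = lo <= len(data) <= hi
    if rule.filename_re:
        checks["filename"] = re.search(rule.filename_re, filename) is not None
    if rule.magic:
        checks["magic"] = data.startswith(rule.magic)
    if rule.strings_all:
        found = extract_strings(data)
        checks["strings"] = all(any(want in s for s in found) for want in rule.strings_all)
    if rule.libraries:
        libs = imported_libraries(data)
        checks["libraries"] = all(lib.lower() in libs for lib in rule.libraries)
    if rule.hex_seq:
        checks["hex"] = rule.hex_seq in data
    return bool(checks) and all(checks.values()), checks


# Demo rules (hypothetical names). The second one shows the hash-only first pass.
RULES = [
    Rule(
        name="demo_getpc_dropper",
        size_range=(100, 4096),
        filename_re=r"^[a-z]{6}\d{3}\.exe$",   # generated names like qwerty123.exe
        magic=b"MZ",
        strings_all=["cmd.exe /c"],
        libraries=["ws2_32.dll"],
        hex_seq=bytes.fromhex("e8000000005d81ed"),
    ),
    Rule(name="known_bad_hash", sha256={hashlib.sha256(SAMPLE).hexdigest()}),
]


def scan(filename: str, data: bytes, rules: List[Rule] = RULES) -> List[str]:
    """Names of all rules that match the given file."""
    return [r.name for r in rules if evaluate(r, filename, data)[0]]


if __name__ == "__main__":
    print(scan("abcdef123.exe", SAMPLE))
    # renamed copy: the name rule fails but the hash still catches it
    print(evaluate(RULES[0], "report.pdf", SAMPLE))
    print(scan("report.pdf", SAMPLE))
```

The per-criterion dictionary returned by evaluate is what you would stare at while tuning: it shows which part of a signature is too loose or too tight, the same way you would compare IDS alerts against the traffic that fired them.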
PROBLEM:
* this tool doesn't fix anything (just as IDS doesn't).
* chances are no big vendor is going to build this; they would rather hold you hostage to their (often craptastic) signatures.
***UPDATE: check out the yara project. It doesn't have everything I have been looking for, but it's the same idea.