tags:

views:

193

answers:

4
+3  Q: 

Emulating virus-like behaviour?

I'm looking for a way to emulate virus-like behaviour for testing exclusions in anti-virus software. Can anyone recommend some behaviour that I can put together in a quick script which would trigger a typical realtime anti-virus scanner?

+3  A: 

Most antivirus programs work on a signature database, not heuristic detection, so most of them won't notice anything at all unless you write a program with the same signature as one that they're looking for.

If you do have a heuristic-based detection program, just try some obvious virus behavior like modifying settings that control which programs launch at startup, checking processes for common antivirus program names, etc. You may be able to look up documentation for your specific program and find out exactly which heuristics it uses to try and detect viruses based on behavior. It'll be pretty hard to find much of use by just firing off "a virus might do something like this" behaviors blindly.

Chad Birch  2009-05-07 22:02:04
+1  A: 

Back in 2000 there was the ILOVEYOU virus (love bug) which was just a VBScript that overwrote files on the infected machine with copies of itself and emailed itself out through Outlook. The Outlook hole has been fixed but the part about copying itself over all files of a specific extension is a good heuristic to try and copy.

Jeremy  2009-05-07 22:09:25
+5  A: 

Are you looking for something like the Eicar test file?

If you want to hand-code virus-like behaviour, I can tell you that I've had trouble with anti-virus applications and the LowLevelKeyboardProc() and SetWindowsHookEx() functions. If the anti-virus application uses heuristics, it usually warns about keylogger-like actions.

John T  2009-05-07 22:11:25
The Eicar test file is the standard way to test anti-virus in a safe way.
Douglas Leeder  2009-05-08 08:30:38
+1 for the Eicar link. Neat stuff
joveha  2010-02-16 17:56:48
+1  A: 

Here's an interesting article on behavior based detection, it's old but it sounds like that might be what you are looking to do.

http://www.securityfocus.com/infocus/1557

Also you may want to take a look at SARC (Symantec Antivirus Research Center). If you look into some of the latest threats, the technical details and removal instructions clue you in on what they do when infecting the system.

Here's an example:

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-050707-0639-99

atom255  2009-05-07 22:44:02
Interestingly it is not straight forward to rule out legitimate activity. These days plenty of apps get installed, change files, the registry, talk to the Internet etc.
atom255  2009-05-07 22:46:13

related questions

How would you programmatically test a file for viruses ?
Where does an uploaded file in ASP.Net 2 go?
MOSS Anti-Virus
Lightweight Anti Virus
(anti-)virus preventing my apps from working?
Is there any Anti Virus product which provides a .Net (or COM) API?
Send files to Symantec AV Scan Engine from a C# Application
Should we run anti-virus software on our dedicated sql server?
ASP.NET Imagemap blocked by Kaspersky anti-virus software
Good free antivirus software for Windows 2003 / 2008
.NET/IIS friendly in-memory antivirus scanning
Activate a File Virus Scan from within Delphi app
Query antivirus definitions date?
Detecting Virus Scanners
How Does Security Software Prevent its Unauthorized Removal from System?
Virus scanners locking and deleting temporary files - best way to cope with them?
Anti virus integration with .net application
Visual Studio and Virus Scan of Temp folder
Server side virus scanning
Antivirus and file access conflict : good programming practices?
Find matching sequences in two binary files
Least intrusive antivirus software for development PC?
Techniques to detect Polymorphic and Metamorphic viruses?
ensuring uploaded files are safe
C# application detected as a virus