
This article is from the Computer viruses FAQ, by David Harley D.Harley@icrf.icnet.uk, George Wenzel gwenzel@telusplanet.net and Bruce Burrell bpb@umich.edu with numerous contributions by others.

14) Send me a virus

Anti-virus researchers don't usually share viruses with people
they can't trust. Pro-virus types are often unresponsive to
freeloaders. And why would you *trust* someone who's prepared
to mail you a virus, bona fide or otherwise? [A high percentage
of the 'viruses' available over the internet are non-replicating
junk.]

Requests for viruses by people 'writing a new anti-virus utility'
are usually not taken too seriously.

* We get rather a lot of such requests, which leads to a certain amount
of cynicism.
* Writing a utility to detect a single virus is one thing; writing a
usable, stable, reasonably fast scanner which detects all known
viruses is a considerable undertaking. There are highly experienced
and qualified people working more or less full time on adding detection
routines to antivirus packages which are already mature, and unless
you have a distinctly novel approach, you don't have much chance of
keeping up with them.
* It may be that the research you're interested in has already been done.
Say what sort of information you're looking for, and someone may be able
to help.
* You can't afford to use junk 'viruses' for research, and the best
collections are largely in the hands of people who won't allow
access to them to anyone without cast-iron credentials.

If you want to test anti-virus software with live viruses, this
is *not* the way to get good virus samples.

Valid testing of antivirus software requires a lot of time, care
and thought, and a valid virus test-set. Virus simulators are
unhelpful in this context: a scanner which reports a virus when it
finds one of these is actually false-alarming, which isn't
necessarily what you want from a scanner.

Read Vesselin Bontchev's paper on maintaining a virus library:

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/

There have been one or two requests for source code. Assuming you have
the necessary knowledge of programming (especially x86 assembler) and the
PC, this is probably the wrong approach, unless you're a serious
antivirus researcher (in which case you need to sell yourself to the
antivirus research community, and asking for viruses here isn't the
way to earn their trust).

* How can you trust any source code you're sent? Antivirus researchers won't
send it to you, so you have to rely on the goodwill of a virus writer
or distributor, which is not always a good idea. Many so-called viruses picked up
from CDs, VX websites etc. aren't viruses at all.

* Are you going to examine all known viruses? Or all those listed in
the current WildList? If not, what are your selection criteria going to
be? How will you tell an insignificant variant from a completely different
virus type?

Your first task is to understand the general principles, and you won't get
those from snippets of code. If you still need low-level analysis
afterwards, you might like to try
http://www.virusbtn.com/VirusInformation/
where you can find analyses (without source code) of a number of common
viruses, analysed by experts.
