Tuesday, January 22, 2008

So interesting

As I have mentioned before, I have been hanging in #clamav on freenode for the past month or so as well as the clamav-users mailing list and I must tell you, I am more and more interested in all things viruses every day. I was checking out the source to MyDoom.A today just to see how it ticks (I had run across it today at work, as well as a very interesting one that I will talk about in a minute). It uses the ROT13 "encryption" within the source code so that the files it infects aren't in plain sight within a hex editor or otherwise. ROT13 means "rotate 13" (n = a, o = b, etc.). Not very secure, but for all intents and purposes, it has the obfuscation down pretty well. It is amazing how simple you can make these things and trick the antivirus programs out there.
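To make the "not in plain sight" point concrete, here is an added example (my own code, not anything from MyDoom.A or from ClamAV) that does what a hex editor or strings(1) does, then tries ROT13 on each printable run. The sample blob, the indicator list, and the signature name Example.Rot13Helo are all constructed for the example; the only thing taken from the real world is the ClamAV .ndb signature layout (Name:TargetType:Offset:Hex).

```python
import re

# ROT13 maps A<->N, B<->O, ... over ASCII letters only; every other byte
# (digits, punctuation, backslashes, NULs) passes through unchanged.
# Applying it twice returns the input, so one function both encodes and decodes.
def rot13(data: bytes) -> bytes:
    out = bytearray()
    for b in data:
        if 0x41 <= b <= 0x5A:          # 'A'..'Z'
            out.append((b - 0x41 + 13) % 26 + 0x41)
        elif 0x61 <= b <= 0x7A:        # 'a'..'z'
            out.append((b - 0x61 + 13) % 26 + 0x61)
        else:
            out.append(b)
    return bytes(out)

# Runs of printable ASCII: the same heuristic strings(1) and the text column
# of a hex editor rely on. ROT13 output is still printable ASCII, so the
# encoded strings show up here, just as gibberish.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

def extract_strings(blob: bytes) -> list:
    """strings(1)-style extraction: printable runs exactly as stored on disk."""
    return [m.group() for m in PRINTABLE_RUN.finditer(blob)]

# Constructed indicator substrings for this example. In practice the list comes
# from the sample's observed behaviour (autorun registry key, SMTP verbs, DLLs).
INDICATORS = (b"CurrentVersion\\Run", b".dll", b"HELO ", b"MAIL FROM:", b"RCPT TO:")

def find_hidden_strings(blob: bytes) -> list:
    """Return (offset, decoded_text, was_rot13) for every printable run that
    matches an indicator either as stored or after ROT13 decoding."""
    hits = []
    for m in PRINTABLE_RUN.finditer(blob):
        raw = m.group()
        if any(ind in raw for ind in INDICATORS):
            hits.append((m.start(), raw, False))
        decoded = rot13(raw)
        if any(ind in decoded for ind in INDICATORS):
            hits.append((m.start(), decoded, True))
    return hits

def clamav_ndb_line(name: str, stored_bytes: bytes) -> str:
    """Build a ClamAV .ndb body signature (Name:TargetType:Offset:Hex) over the
    bytes as they sit on disk, i.e. the ROT13 form, not the decoded text.
    Target type 0 = any file, offset * = anywhere in the file."""
    return f"{name}:0:*:{stored_bytes.hex()}"

# Constructed sample blob: a little header, one cleartext string, three
# ROT13-encoded strings and some filler. Not bytes from any real sample.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00"
    + b"kernel32.dll\x00"
    + rot13(b"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") + b"\x00"
    + rot13(b"HELO mail.example.invalid") + b"\x00"
    + rot13(b"MAIL FROM:<noreply@example.invalid>") + b"\x00"
    + b"\xcc\xcc\xcc\xcc"
)

if __name__ == "__main__":
    print("as stored:", extract_strings(SAMPLE_BLOB))
    for off, text, was_rot13 in find_hidden_strings(SAMPLE_BLOB):
        print(f"0x{off:04x} {'ROT13' if was_rot13 else 'plain'} {text!r}")
    print(clamav_ndb_line("Example.Rot13Helo", rot13(b"HELO ")))
```

Only kernel32.dll is visible in the as-stored listing; the registry key and the SMTP verbs come out as ROT13 gibberish and only appear once the scanner rotates each run and rechecks. That is also why a signature has to be written on the stored bytes (clamav_ndb_line feeds it rot13(b"HELO ")), not on the readable text the author sees in the source.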

Anyway, on the same hard drive (the computer is a Sony Vaio), ClamAV detected some trojans within one of the programs that Sony installs by default. When I noticed this, I tried to find a description of it online, but no dice. Trojan.Jesta was what it had found. I have emailed the mailing list for a short description of the trojan to see if it is a false positive. Luckily, I run into a lot of things that help the ClamAV maintainers, such as virus samples, false positives, etc.
