Virus signature extraction form malware [closed]

Question

It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.

Closed 8 years ago.

I'm writing a simple antivirus in C. I've got some malware samples and I want to extract signatures form them. Any idea how to extract them?

Answer 1

Retrieving a "signature" could be as simple as generating a digital signature via hashing for the virus(es) respective binaries. MD5 or SHA. I.E. implementing the following functionality in your code that I'm sure you've already started...:

md5sum virus -> md5hashofvirus | md5sum virus2 -> md5hashofvirus2

Complete dossier of md5sum available here.

MD5 implementation in C available here.

However any modification to the file would render this method of detection useless (albeit that's the end goal of encrypting a virus). An actual "virus signature" that modern AV's use is

"any sequence of bits that can be used to accurately identify the presence of a particular virus in a given file or range of memory."

As that level of analysis makes it a bit harder for malware manufacturers to hide the "identity" of the malware.

• www.agusblog.com/wordpress/what-is-a-virus-signature-are-they-still-used-3.htm is something that I feel you should read.
• www.labri.fr/perso/ly/publications/viro.pdf if you're looking for something a little more indepth.

If you'd like more information, try sharing a bit more yourself.