23 October 2009

Malware Detection - The Simplest Thing That Could Possibly Work

by Roger Karlsson

I'm sure most of you already know how the FreeFixer application works: It scans many locations on your Windows machine, such as the browser plugins, processes and services that are installed on your system. In its current state, FreeFixer does not have much knowledge whether a file is good or bad: It greenlists files from trusted software vendors and hides critical system files completely from the scan result. The remaining files appears in the scan result, neither listed as good, nor as bad. It's the responsibility of the user to figure out, with the help of the other FreeFixer users and the FreeFixer file library, if a file should be considered safe or if it should be removed.

This is how FreeFixer is designed to work, but admittedly, it's not easy for an inexperienced user to figure out which of the files in the scan result, if any, that should be selected for removal.

Many FreeFixer users have contacted me and suggested that FreeFixer should also detect and display malware files in red like most of the other anti-spyware and anti-virus tools do. And the suggestion makes perfect sense: It would be great to combine malware detection with the manual inspection and removal features. It would attract both beginners and experienced users.

However, I've always said no to this feature request, since it already requires lots of work to add new scan locations, supporting even more platforms than those supported today and working on the FreeFixer.com web site. Adding an additional task of analyzing lots of malware and creating malware definitions would probably result in crappy FreeFixer program with a crappy malware detection list.

Do you want to create malware definitions for FreeFixer?

I'm currently experimenting with a new set of features that allows anyone to create malware definitions for FreeFixer. I've started out with the simplest thing that could possibly work: Detection based on file locations. You simply define which files are malware by specifying the file locations in an .xml file. For example, the existence of ld14.exe in the Windows directory indicates that your machine is infected with the Koobface worm.

I'll link to your definition file from FreeFixer.com. FreeFixer users downloads your .xml file. Now the malware files get flagged in their scan results. The detection name that you gave the file appears and if users click on it they will be linked to your web site where you can explain more about the threat. You get credit for your work.

I've created a tiny example how to build the malware-definitions. I think you'll understand the concept by looking directly into the .xml file:

http://www.freefixer.com/static/freefixer-demo-defs.xml

Put this file in c:\Program Files\FreeFixer\definitions\ and FreeFixer will detect some variants of the Koobface worm. The Koobface files will appear in red in the scan result.

If there's interest in building malware definitions for FreeFixer I'll keep on adding detection features. Some of the features that would be nice is SHA256 and MD5 detection, detection based on various parts of a file, detection of registry keys, values and data, memory scanning, signed xml-files, automatic updates, etc. You name it.

Anyone interested?

Comments

Leave a reply

Your nickname (required):

Just to make sure you are human and not a spam bot, please answer the following question: How many eyes does a cat have? (required):

Your comment: