23 October 2009

Malware Detection - The Simplest Thing That Could Possibly Work

I'm sure most of you already know how the FreeFixer application works: It scans many locations on your Windows machine, such as the browser plugins, processes and services that are installed on your system. In its current state, FreeFixer does not have much knowledge of whether a file is good or bad: It greenlists files from trusted software vendors and hides critical system files completely from the scan result. The remaining files appear in the scan result, listed neither as good nor as bad. It's the responsibility of the user to figure out, with the help of the other FreeFixer users and the FreeFixer file library, if a file should be considered safe or if it should be removed.

Screenshot of FreeFixer's scan result where the koobface file ld14.exe goes undetected.

This is how FreeFixer is designed to work, but admittedly, it's not easy for an inexperienced user to figure out which of the files in the scan result, if any, should be selected for removal.

Many FreeFixer users have contacted me and suggested that FreeFixer should also detect and display malware files in red like most of the other anti-spyware and anti-virus tools do. And the suggestion makes perfect sense: It would be great to combine malware detection with the manual inspection and removal features. It would attract both beginners and experienced users.

However, I've always said no to this feature request, since it already requires lots of work to add new scan locations, support even more platforms than those supported today and work on the FreeFixer.com web site. Adding the additional task of analyzing lots of malware and creating malware definitions would probably result in a crappy FreeFixer program with a crappy malware detection list.

Do you want to create malware definitions for FreeFixer?

I'm currently experimenting with a new set of features that allows anyone to create malware definitions for FreeFixer. I've started out with the simplest thing that could possibly work: Detection based on file locations. You simply define which files are malware by specifying the file locations in an .xml file. For example, the existence of ld14.exe in the Windows directory indicates that your machine is infected with the Koobface worm.

I'll link to your definition file from FreeFixer.com. FreeFixer users download your .xml file, and the malware files get flagged in their scan results. The detection name that you gave the file appears, and if users click on it they will be linked to your web site where you can explain more about the threat. You get credit for your work.

I've created a tiny example of how to build the malware definitions. I think you'll understand the concept by looking directly into the .xml file:

http://www.freefixer.com/static/freefixer-demo-defs.xml

Put this file in c:\Program Files\FreeFixer\definitions\ and FreeFixer will detect some variants of the Koobface worm. The Koobface files will appear in red in the scan result.

Screenshot of FreeFixer's scan result where the koobface file ld14.exe is detected.

If there's interest in building malware definitions for FreeFixer I'll keep on adding detection features. Some of the features that would be nice are SHA256 and MD5 detection, detection based on various parts of a file, detection of registry keys, values and data, memory scanning, signed .xml files, automatic updates, etc. You name it.

Anyone interested?
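To make the location-based scheme concrete, and to show how the SHA256 detection from the wish list would sit beside it, here is an added example written for this post. It is not FreeFixer's code and does not use the real freefixer-demo-defs.xml layout: the XML schema (`<definitions>`, `<malware name url>`, `<file path sha256>`), the `%WINDIR%` placeholder, the contributor URLs and every file in the scanned snapshot are assumptions constructed for the example. The snapshot is a dictionary standing in for the files FreeFixer would enumerate on disk.

```python
from __future__ import annotations

import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed definition file in a hypothetical schema (not FreeFixer's real one).
# A <file> element carries a location, a SHA256 digest, or both; when both are
# present, both must match. %WINDIR% is expanded from the environment given to scan().
DEMO_DEFS_TEMPLATE = r"""<definitions author="example-contributor" url="http://example.invalid/defs">
  <malware name="Worm.Koobface.demo" url="http://example.invalid/koobface">
    <file path="%WINDIR%\ld14.exe"/>
  </malware>
  <malware name="Worm.Koobface.demo-hash" url="http://example.invalid/koobface">
    <file sha256="{koobface_sha256}"/>
  </malware>
</definitions>
"""

# Constructed stand-in for a sample body; its digest is written into the rule above
# at runtime so the example never hardcodes a hash that is not on the page.
SAMPLE_BODY = b"constructed dummy bytes standing in for a Koobface sample"
KOOBFACE_SHA256 = hashlib.sha256(SAMPLE_BODY).hexdigest()
DEMO_DEFS = DEMO_DEFS_TEMPLATE.format(koobface_sha256=KOOBFACE_SHA256)


@dataclass(frozen=True)
class Rule:
    name: str                       # detection name shown in red in the scan result
    info_url: str                   # page the user is sent to when clicking the name
    path: Optional[str] = None      # location-based condition
    sha256: Optional[str] = None    # content-based condition


def parse_definitions(xml_text: str) -> list[Rule]:
    """Turn a definition file into a flat list of rules, rejecting empty <file> elements."""
    root = ET.fromstring(xml_text)
    rules: list[Rule] = []
    for mal in root.iter("malware"):
        name, url = mal.get("name", "?"), mal.get("url", "")
        for f in mal.findall("file"):
            path, digest = f.get("path"), f.get("sha256")
            if not path and not digest:
                raise ValueError(f"rule {name!r}: <file> needs a path or a sha256")
            rules.append(Rule(name, url, path, digest.lower() if digest else None))
    return rules


def normalize(path: str, env: dict[str, str]) -> str:
    """Expand %VAR% placeholders and fold case/separators, as Windows paths compare."""
    for var, value in env.items():
        path = path.replace(f"%{var}%", value)
    return path.replace("/", "\\").lower()


def scan(files: dict[str, bytes], rules: list[Rule], env: dict[str, str]) -> list[dict]:
    """Flag every file that satisfies a rule. `files` maps a path to its content."""
    hits = []
    for fpath, content in files.items():
        norm = normalize(fpath, env)
        digest = hashlib.sha256(content).hexdigest()
        for rule in rules:
            if rule.path is not None and normalize(rule.path, env) != norm:
                continue
            if rule.sha256 is not None and rule.sha256 != digest:
                continue
            hits.append({"file": fpath, "detection": rule.name, "url": rule.info_url})
    return hits


# Constructed snapshot of a machine: one file at the Koobface location, one benign
# system file, and one renamed copy of the same sample body elsewhere.
ENV = {"WINDIR": r"C:\Windows"}
SNAPSHOT = {
    r"C:\Windows\ld14.exe": SAMPLE_BODY,
    r"C:\Windows\System32\svchost.exe": b"benign placeholder content, not flagged",
    r"C:\Users\Public\rnd7f3a.exe": SAMPLE_BODY,   # path rule misses it, hash rule catches it
}


def demo() -> list[dict]:
    return scan(SNAPSHOT, parse_definitions(DEMO_DEFS), ENV)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['file']}  ->  {hit['detection']}  ({hit['url']})")
```

The renamed copy in the snapshot is the case Nyoman raises in the comments: a location-only rule cannot see a file that a worm drops under a random name, whereas a digest rule keys on content and finds it wherever it lands. Either kind of rule is still trivially evaded by a changed byte or a changed path, which is why the wish list above goes on to partial-file matching, registry checks and signed definition files.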

Comments

Nyoman writes

-2 thumbs

Actually, with this method the scanner won't detect many viruses - most (modern) viruses can use other file names/locations, decrypt themselves etc. IMHO your scanner will not be as good as one of the "professional" ones.

So, why not just put a link behind the result so that the user can send the file to virustotal.com?

# 24 Oct 2009, 1:14

Roger Karlsson writes

0 thumbs

@Nyoman: Yes, it is correct that malware often uses random file names. The idea is to start out with something really simple, and add more advanced detection techniques if the definition files become popular.

Great idea with VirusTotal. It would be great with a link in the scan that automatically posts the file to their scanners. I'll talk to them.

# 24 Oct 2009, 2:32

Fred de Vries writes

2 thumbs

Maybe you could start by adding detection for conficker or gumblar. If detected the program could advise users to run a very good anti-virus scan.

# 31 Oct 2009, 3:58

Roger Karlsson writes

0 thumbs

@Fred: Detecting Conficker and Gumblar sounds like a nice feature. However, I'm not planning to build any definition files myself (except tiny examples like freefixer-demo-defs.xml), but rather provide a framework which allows FreeFixer users to build their own definition files and share them with other users.

# 3 Nov 2009, 0:17

FileGets writes

0 thumbs

Cool idea and nice realization.
Our team researched and awarded FreeFixer (http://filegets.com/info/freefixer.html). Good job!

# 5 Nov 2009, 11:45

bolzano_1989 writes

-2 thumbs

I and my friends at CMCLab Support forum are very interested in this feature of your FreeFixer program.
Maybe I could give you some suggestions :).

# 15 May 2010, 5:55

Roger Karlsson writes

-1 thumb

@Bolzano: Happy to hear you like this FreeFixer feature. Please let me know what suggestions you had in mind. You find my contact info here:

http://www.freefixer.com/contact.html

# 16 May 2010, 11:51
