2.7.1 The Black Antivirus
The name Black Antivirus is formed the same way as WhiteHat and BlackHat: a
(white) antivirus is one used for good purposes, and a Black Antivirus is the same
antivirus used for bad purposes.
Today's antivirus software has evolved into a complex and powerful security tool. With
the help of a good virus definition database, an antivirus program will stop
almost every known malicious program.
An unexpected problem arises when the so-called virus definition
database contains definitions not only for malicious programs, but also
definitions for the security tools used today in the computer security world to
defend and protect computer systems.
The problem is not that a "bad" signature definition file gets distributed to antivirus
programs, but that malware can bundle an antivirus engine together with signature definition
files for security tools.
Our weapons could be turned against us, and I am not sure that we are
prepared for this.
I suppose you got the idea; let's look at an implementation example:
For this test, I downloaded the F-Secure BlackLight rootkit elimination tool [10].
This tool can find sophisticated malicious programs (rootkits) that hide in the system and are
invisible even to traditional antivirus programs.
Next, we need to choose an antivirus technology that will defend the malware (by
detecting and stopping antivirus and other unwanted tools). For simplicity
and availability, I chose the ClamWin antivirus [11]. Note that, in theory,
any antivirus can be misused in this way.
Now we create the signature for the BlackLight anti-rootkit tool. The signature will
be an MD5 hash; sigtool.exe from the ClamWin package can also create
signatures that are more serious than a plain hash, but we do not need them in this test
and probably will not need them in the future. (Do you know a security tool that changes
itself?)
Now let's create the MD5 hash:
C:\Program Files\ClamWin\bin>sigtool.exe --md5 blbeta.exe > BlackLight.hdb
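The command above writes a ClamAV .hdb entry of the form MD5:FileSize:SignatureName. The following is an added example, not code from the original text or from the ClamWin project: it rebuilds that entry format, applies the same hash-and-size matching rule, and audits a signature database for entries that would flag one's own trusted tools, which is the check a defender wants when a signature file of unknown origin turns up. The function names and the tool bytes are constructed for the example; the wildcard size "*" is a later ClamAV extension not used on this page.

```python
import hashlib

# ClamAV .hdb entries, the format "sigtool --md5" writes, are MD5:FileSize:SignatureName.
# Newer ClamAV builds also accept "*" as a wildcard file size (assumption; not used on the page).

def clamav_hdb_entry(data: bytes, sig_name: str) -> str:
    """Build the .hdb line that sigtool --md5 would produce for a file with these bytes."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{sig_name}"

def parse_hdb(text: str) -> list:
    """Parse .hdb text into (md5, size_or_None, name) tuples; blank and # lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, name = line.split(":", 2)
        entries.append((md5.lower(), None if size == "*" else int(size), name))
    return entries

def matches(entry, data: bytes) -> bool:
    """Hash-signature matching: the MD5 must match, and the size too unless it is the wildcard."""
    md5, size, _ = entry
    if size is not None and size != len(data):
        return False
    return hashlib.md5(data).hexdigest() == md5

def flagged_tools(hdb_text: str, tools: dict) -> list:
    """Return (tool file name, signature name) for every trusted tool the database would flag."""
    entries = parse_hdb(hdb_text)
    hits = []
    for filename, data in sorted(tools.items()):
        for entry in entries:
            if matches(entry, data):
                hits.append((filename, entry[2]))
    return hits

# Constructed sample bytes standing in for real binaries (not the actual blbeta.exe).
TRUSTED_TOOLS = {
    "blbeta.exe": b"constructed stand-in for the BlackLight binary",
    "procexp.exe": b"constructed stand-in for another admin tool",
}
# A database of unknown origin that happens to carry a signature for our own tool.
ROGUE_HDB = clamav_hdb_entry(TRUSTED_TOOLS["blbeta.exe"], "BlackLight") + "\n"

if __name__ == "__main__":
    for name, sig in flagged_tools(ROGUE_HDB, TRUSTED_TOOLS):
        print(f"{name} is targeted by signature {sig}")
    # A single changed byte defeats a plain hash signature, which is why the text
    # notes that hash signatures suit tools that never change.
    patched = TRUSTED_TOOLS["blbeta.exe"] + b"\x00"
    print("patched copy flagged:", bool(flagged_tools(ROGUE_HDB, {"blbeta.exe": patched})))
```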