Virus signature checksum risks

The notion of virus signatures is easy for laypeople to grasp if they stick to this analogy: an anti-virus solution detecting malware that tries to pass itself off as an innocuous program by slightly changing its signature is like a person noticing that a particular signature bears a name he doesn’t recognize, but is written in a handwriting style he has seen before.

Unfortunately, there are always ways around it, and malware authors have made a science of evading detection. One of the many things a good virus analyst should be capable of is deciding whether to write a checksum detection for a file, and which part of the file that checksum should cover.

SophosLabs gives an example of how an application can thwart automated checksums. Most people aren’t aware that, for example, a simple change in the colors of an icon can produce different checksums (if the checksum detection was based on icon information) and, for all intents and purposes, make two distinct pieces of malware:

Will one virus signature be enough for the whole family of malware, or will it require a whole new set of signatures? This is just one of the simplest tricks that can be used, and it is the analyst’s job to know them and decide.
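The icon example above can be made concrete with a small script. This is an added example, not code from the original post or from SophosLabs: it defines a constructed toy container format (a section table followed by section bodies, not a real PE) and two samples that share identical code but differ only in the icon's palette bytes. It then compares a whole-file checksum, a checksum over the resource section, and a checksum over the code section, showing that only the last one survives the colour change.

```python
"""Added example: how checksum scope decides whether one detection covers a family.

Toy image layout (constructed for this example, not a real executable format):
    [u32 section count][section table: 8-byte name, u32 offset, u32 size]...[section bodies]
"""
import hashlib
import struct

SECTION_ENTRY = struct.Struct("<8sII")  # name, file offset, size


def build_image(sections):
    """Pack a list of (name, body_bytes) into the toy image layout."""
    count = len(sections)
    header_size = 4 + count * SECTION_ENTRY.size
    table = b""
    bodies = b""
    offset = header_size
    for name, body in sections:
        table += SECTION_ENTRY.pack(name.encode().ljust(8, b"\0"), offset, len(body))
        bodies += body
        offset += len(body)
    return struct.pack("<I", count) + table + bodies


def parse_sections(image):
    """Return {section_name: body_bytes} by walking the section table."""
    (count,) = struct.unpack_from("<I", image, 0)
    out = {}
    for i in range(count):
        name, off, size = SECTION_ENTRY.unpack_from(image, 4 + i * SECTION_ENTRY.size)
        out[name.rstrip(b"\0").decode()] = image[off:off + size]
    return out


def checksum(data):
    """SHA-256 stands in for whatever checksum the detection engine uses."""
    return hashlib.sha256(data).hexdigest()


def section_checksum(image, name):
    """Checksum restricted to a single named section."""
    return checksum(parse_sections(image)[name])


# Constructed samples: the same stub code, icon palette differs in one colour.
CODE = bytes.fromhex("4883ec28e8000000004883c428c3")  # arbitrary x86-64 bytes, constructed
ICON_RED = b"ICO" + bytes([0xFF, 0x00, 0x00]) * 16
ICON_BLUE = b"ICO" + bytes([0x00, 0x00, 0xFF]) * 16
SAMPLE_A = build_image([(".text", CODE), (".rsrc", ICON_RED)])
SAMPLE_B = build_image([(".text", CODE), (".rsrc", ICON_BLUE)])


def compare_scopes(a, b):
    """For each checksum scope, report whether the two samples match."""
    return {
        "whole_file": checksum(a) == checksum(b),
        ".rsrc": section_checksum(a, ".rsrc") == section_checksum(b, ".rsrc"),
        ".text": section_checksum(a, ".text") == section_checksum(b, ".text"),
    }


if __name__ == "__main__":
    for scope, same in compare_scopes(SAMPLE_A, SAMPLE_B).items():
        print(f"{scope:10s} checksum matches across variants: {same}")
```

The whole-file and resource-section checksums split the family into two "distinct" pieces of malware, while the code-section checksum still matches both, which is the kind of judgement the analyst has to make before committing to a checksum detection.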

