Thursday, August 25, 2005

Thought some more...

I found out that there is an open source anti-virus engine that can have signatures dynamically uploaded...

http://www.clamav.net/
and then the chaps at ISC mentioned this...
http://nepenthes.sourceforge.net/

This should make those pesky bots a bit easier to counter.

One of the research docs on the nepenthes site gave me an idea... so I checked it out, and blow me down... by analysing the entropy on these bots, one can easily see which EXEs were compressed, as they had high entropy, e.g. low redundancy. The entropy was in the same order as a zip file, or most other compressed files, as one would expect.
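The entropy check described above, as an added example that is not part of the original post: it measures byte entropy of a whole buffer and, going a step beyond the whole-file comparison, per 4 KB block. The 7.0 bits/byte cut-off, the function names and the sample data are assumptions, and the samples are constructed stand-ins rather than real bot binaries.

```python
import math
import random
import zlib
from collections import Counter

# Assumed cut-off in bits per byte; the post gives no figure.
PACKED_THRESHOLD = 7.0

def shannon_entropy(data):
    """Entropy of the byte histogram: 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def window_entropies(data, size=4096):
    """Entropy per consecutive block, so a compressed region stands out
    even when a low-entropy stub pulls the file-wide figure down."""
    return [shannon_entropy(data[i:i + size]) for i in range(0, len(data), size)]

def looks_compressed(data, threshold=PACKED_THRESHOLD):
    return shannon_entropy(data) >= threshold

def build_samples():
    """Constructed samples: redundant text, its zlib output, and a mix."""
    words = b"mov push pop call ret jmp eax ebx ecx edx esi edi add sub xor cmp".split()
    rng = random.Random(2005)  # fixed seed so runs are repeatable
    plain = b" ".join(rng.choice(words) for _ in range(30000))
    packed = zlib.compress(plain, 9)
    # Uncompressed stub followed by a compressed payload, as a packer lays it out.
    return {"plain": plain, "packed": packed, "stub+payload": plain[:8192] + packed}

if __name__ == "__main__":
    for name, blob in build_samples().items():
        blocks = window_entropies(blob)
        print(f"{name:13s} size={len(blob):6d} entropy={shannon_entropy(blob):.2f} "
              f"max_block={max(blocks):.2f} compressed={looks_compressed(blob)}")
```

A high reading only says the bytes have little redundancy; compressed and encrypted content look the same to this measure.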
