PatternOptimizer Howto
The PatternOptimizer optimizes the search point of each pattern: it first
calculates byte sequence frequencies from a test file and then chooses
the points with the lowest frequency, which reduces the number of hits
while scanning.
Necessary software
You need an installed Java 2 Runtime Environment, Standard Edition
(JRE). Every JRE >= 1.2 should be fine, but I have only tested it with
1.4.2.
You can get it from Sun at http://www.java.com/.
Usage
You have to tell PatternOptimizer which test file and which pattern
file to use. To generate a test file, simply concatenate a number of
files together:
cat /bin/* /sbin/* /usr/bin/* /usr/sbin/* /lib/* /usr/lib/* > test.bin
Then optimize a given pattern file by running
java -jar PatternOptimizer.jar test.bin virus.db > virus.strings
Pattern files
The pattern files consist of several lines, each containing a single
signature. The format of the signature is
<Malware name>=<pattern>
The <Malware name> may be an arbitrary string, but must not
contain '=', '[' or ']'. Something like 'Worm/CodeRed.2' is perfect. This
pseudo-BNF gives the syntax:
hex-digit = one of '0-9, a-f'
hex-byte = <hex-digit><hex-digit>
wildcard = ??
byte = <hex-byte> | <wildcard>
single-pattern = <byte> | <single-pattern> <byte>
multi-pattern = <single-pattern> '*' <single-pattern>
pattern = <single-pattern> | <multi-pattern>
The first restriction is that each <single-pattern> must contain
a sequence of at least two consecutive <hex-byte>s. The more bytes
there are - especially in the first <single-pattern> of a
<multi-pattern> - the faster the scan engine is. The second
restriction is that a <single-pattern> may not start or end with
a wildcard (which would not make sense anyway).
Examples
Gen.12 Tricks-A2=BE640231944201D1C24E79F7
W32.MyLife.E (Clam)=7A6172793230*40656D61696C2E636F6D
W32.Hybris.C (Clam)=4000??????????????????????????83??????75F2E9????FFFF00000000
1992 (Clam)=E9E60051BB??018A2F322E0301882F4381FB??047EF159C3BA0001*B440CD2153
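As an added illustration (not part of the PatternOptimizer distribution or this howto), the following Python script does two things the text describes: it parses and validates signatures against the pseudo-BNF and both restrictions above, and it picks a search point the way the introduction explains, by counting two-byte sequences in a test file and choosing the rarest fixed pair of the first <single-pattern>. The function names, the two-byte window and the sample data standing in for test.bin are assumptions of this example; the real tool's output format is not reproduced.

```python
import re
from collections import Counter

# Constructed example, not the PatternOptimizer's own code: a validator for the
# '<Malware name>=<pattern>' syntax of this howto, plus the frequency-based
# choice of search point that the introduction describes.

HEX_BYTE = re.compile(r'^[0-9a-fA-F]{2}$')


def longest_fixed_run(pattern):
    """Length of the longest run of consecutive non-wildcard bytes."""
    best = run = 0
    for b in pattern:
        run = run + 1 if b is not None else 0
        best = max(best, run)
    return best


def parse_single_pattern(text):
    """Parse one <single-pattern> into ints (hex bytes) and None (wildcards).

    Enforces both restrictions of the howto: no leading or trailing
    wildcard, and at least two consecutive <hex-byte> tokens.
    """
    if not text or len(text) % 2:
        raise ValueError("single-pattern must be a non-empty, even-length string: %r" % text)
    out = []
    for i in range(0, len(text), 2):
        tok = text[i:i + 2]
        if tok == '??':
            out.append(None)
        elif HEX_BYTE.match(tok):
            out.append(int(tok, 16))
        else:
            raise ValueError("bad token %r in %r" % (tok, text))
    if out[0] is None or out[-1] is None:
        raise ValueError("single-pattern may not start or end with a wildcard: %r" % text)
    if longest_fixed_run(out) < 2:
        raise ValueError("single-pattern needs two consecutive hex bytes: %r" % text)
    return out


def parse_signature(line):
    """Split '<Malware name>=<pattern>' and return (name, [single-patterns])."""
    name, sep, pattern = line.rstrip('\n').partition('=')
    if not sep or not name:
        raise ValueError("signature must look like <Malware name>=<pattern>: %r" % line)
    if '[' in name or ']' in name:  # '=' is already excluded by partition()
        raise ValueError("malware name may not contain '[' or ']': %r" % name)
    parts = pattern.split('*')
    if len(parts) > 2:
        raise ValueError("at most one '*' (one multi-pattern) is allowed: %r" % pattern)
    return name, [parse_single_pattern(p) for p in parts]


def is_valid_signature(line):
    """True if the line parses under the rules above, False otherwise."""
    try:
        parse_signature(line)
        return True
    except ValueError:
        return False


def pair_frequencies(data):
    """Count every two-byte sequence in the test data (the test.bin of the howto)."""
    return Counter(data[i:i + 2] for i in range(len(data) - 1))


def best_search_point(single, freq):
    """Return (offset, two_bytes) of the rarest fixed two-byte run in a single-pattern.

    Pairs touching a wildcard are skipped; ties keep the earliest offset.
    A validated single-pattern always has at least one fixed pair.
    """
    best = None
    for i in range(len(single) - 1):
        a, b = single[i], single[i + 1]
        if a is None or b is None:
            continue
        key = bytes([a, b])
        count = freq.get(key, 0)
        if best is None or count < best[0]:
            best = (count, i, key)
    return best[1], best[2]


def optimize(lines, data):
    """Map each signature name to the search point chosen for its first single-pattern."""
    freq = pair_frequencies(data)
    result = {}
    for line in lines:
        if line.strip():
            name, singles = parse_signature(line)
            result[name] = best_search_point(singles[0], freq)
    return result


# Constructed sample data standing in for test.bin: the pair BE 64 (the start of
# the Gen.12 signature) is very common here, so it is a poor search point.
SAMPLE_DATA = bytes([0xBE, 0x64]) * 100 + bytes([0x94, 0x42]) * 5
SAMPLE_SIGNATURES = [
    "Gen.12 Tricks-A2=BE640231944201D1C24E79F7",
    "W32.MyLife.E (Clam)=7A6172793230*40656D61696C2E636F6D",
]

if __name__ == '__main__':
    for name, (offset, key) in optimize(SAMPLE_SIGNATURES, SAMPLE_DATA).items():
        print("%s: search for %s at pattern offset %d" % (name, key.hex(), offset))
```

Run against a real test.bin, the script would read the file into `data` and the pattern file into `lines`; with the constructed sample above it skips the frequent BE 64 at offset 0 of the Gen.12 signature and picks the unseen 64 02 at offset 1 instead.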
$Id: PatternOptimizer-Howto.html,v 1.1 2004/05/30 01:43:26 kurti Exp $