top | item 15846172

lqdc13 | 8 years ago

The reason simple hello world apps are marked as malware by AI-based engines is that small programs tend to be malware. There are probably close to no hello world programs in their dataset.

The problem is that to be a "good" program, yours has to do something other "good" programs do. And there aren't that many of those that use different software development paradigms (not different versions of the same one). So new different programs tend to be marked as malware.

This also brings up a very easy way to circumvent such AVs. Simply modify an existing goodware program and it will be marked as goodware. Add some obfuscation/polymorphism and it would be virtually impossible to detect such malware using static analysis/AI-based AVs.
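The dataset-bias argument above, as an added illustration (not code from the commenter or from any real AV product): a plain k-nearest-neighbour classifier over two crude static features, trained on a constructed corpus whose only benign samples are mid-sized applications, labels a stripped hello world as malware; adding a handful of small benign utilities to the training set corrects it without losing the small malicious sample.

```python
import math

# Constructed samples: (file size in KB, number of imported functions, label).
# Assumed for illustration only; the benign side deliberately contains no small
# programs, mirroring the "no hello world in the dataset" situation.
BIASED_TRAINING = [
    (1500, 180, "benign"), (4200, 310, "benign"), (900, 95, "benign"),
    (2600, 220, "benign"), (12000, 450, "benign"),
    (40, 12, "malware"), (95, 20, "malware"), (180, 35, "malware"),
    (22, 8, "malware"), (60, 15, "malware"),
]

# Same corpus plus a few small benign command-line tools (also constructed).
BALANCED_TRAINING = BIASED_TRAINING + [
    (12, 6, "benign"), (9, 4, "benign"), (30, 18, "benign"),
]

HELLO_WORLD = (8, 5)      # roughly what a stripped gcc -O3 hello world looks like
SMALL_MALWARE = (50, 10)  # a small, stripped malicious sample


def features(size_kb, imports):
    """Log-scale the two features so a 10x size gap counts the same at any scale."""
    return (math.log2(size_kb), math.log2(imports + 1))


def knn_label(sample, training, k=3):
    """Majority vote among the k training samples closest in feature space."""
    sx, sy = features(*sample)
    scored = []
    for size_kb, imports, label in training:
        fx, fy = features(size_kb, imports)
        scored.append((math.hypot(fx - sx, fy - sy), label))
    scored.sort(key=lambda pair: pair[0])
    votes = [label for _, label in scored[:k]]
    return max(set(votes), key=votes.count)


def bias_demo():
    """Return the verdicts for hello world and for the small malware under both corpora."""
    return {
        "hello_biased": knn_label(HELLO_WORLD, BIASED_TRAINING),
        "hello_balanced": knn_label(HELLO_WORLD, BALANCED_TRAINING),
        "malware_biased": knn_label(SMALL_MALWARE, BIASED_TRAINING),
        "malware_balanced": knn_label(SMALL_MALWARE, BALANCED_TRAINING),
    }


if __name__ == "__main__":
    for name, verdict in bias_demo().items():
        print(f"{name}: {verdict}")
```

The point for defenders is that the false positive comes from what the training set lacks, not from anything the tiny program does, so the fix is representative benign data rather than a special-case allowlist.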

cortesoft | 8 years ago

Is there really malware that is as small as a hello world program?

lqdc13 | 8 years ago

Yes, because they try to strip the binaries as much as possible so that the file size is smaller. If you compile a regular "hello_world.c" with gcc -O3, the size is 8 KB. You can definitely make malware that is way smaller and does something simple like changing some registry value to some URI.

Average size for malware is ~100 KB-200 KB, btw. This is way smaller than almost any software besides some console games.

jstarfish | 8 years ago

Lots of malicious Office macros and JavaScript redirects come to mind. Less than 100 KB (minus the container) in most cases.