On Tue, 25 May 2010 00:20:06 +0200 Sarocet <saro...@gmail.com> wrote:
> Tomasz Kojm wrote:
>> These are poor examples, which are almost identical (only 6 bytes
>> differ). Now, take a notepad.exe and create a malicious file with the
>> same file size and MD5.
>>
>> Thanks,
>>
>
> Read again the scenario.
> Both files are created by the attacker. When the AV marks as clean the
> first one,

This scenario doesn't make much sense to me. First of all, as I wrote in the previous email, the files you provided as examples are almost identical (they only differ in the high nibbles of six bytes) and they share the same "payload"; this means that both of them should be detected by the AV as malicious (in this case even using a single MD5 signature!). Due to the nature of MD5 weaknesses it's pretty much impossible to create a working malicious file that would have the same MD5 as, let's say, notepad.exe.

-- 
   oo    .....         Tomasz Kojm <tk...@clamav.net>
  (\/)\.........         http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._         0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\              Tue May 25 10:58:38 CEST 2010