Designing a scanner against: Virus, Botnets, Trojans and Worms

[NOTE: Any work on virus scanners, or any use of virus simulators such as the EICAR test file, should only be done on a VM that is disconnected from the network.]

This article is only a discussion of viruses, botnets, trojans and worms, not a motivator to create any of them.  I have become a little curious about how the scanners that detect them are designed, so two ground rules first:

Rule 1: Use one of the professionally designed anti-virus tools; do not attempt to make your own scanner for daily use.

Rule 2: If you do choose to run your own scanner, do not run it on computers that hold financial information.

How do you get started writing a scanner?  This is the part of the idea I like: to test a scanner you need something for it to detect, which means either a real virus or malware sample (a very bad idea) or a pattern generator, a harmless file that every anti-virus product has agreed to treat as a detection.  The recommended one is the EICAR test file, found at:

Important note

EICAR cannot be held responsible when these files or your AV scanner in combination with these files cause any damage to your computer. YOU DOWNLOAD THESE FILES AT YOUR OWN RISK. Download these files only if you are sufficiently secure in the usage of your AV scanner. EICAR cannot and will not provide any help to remove these files from your computer. Please contact the manufacturer/vendor of your AV scanner to seek such help.

In my case, I do not download that file and use it, EXCEPT on a machine that is running as a VM and is off the network.

Then, a good article that shows you how to build a virus scanner is at this link (I have not tested the code; it uses VS 2008, but should upgrade to VS 2010 easily):
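To make the idea concrete, here is the skeleton of such a scanner in Python.  This is an added example written for this article; it is not the code from the linked VS 2008 project, and the function names and the tiny signature table are assumptions made for illustration.  The only real data in it is the public EICAR test string from eicar.org.  The example shows the two classic checks: a byte-signature search (find a known pattern anywhere in a file) and a whole-file hash lookup (exact match only, so a single changed byte evades it), plus the conformance rule from the EICAR standard that separates a genuine test file from a document that merely quotes the string.

```python
"""Minimal signature scanner exercised against the EICAR test file.

Added example for this article, not code from the original page or from the
linked project.  The EICAR string is the public test string from eicar.org;
the function names and the signature table are assumptions made here for
illustration only.
"""
import hashlib
import os
import tempfile

# The 68-byte EICAR string, split across two literals so this source file does
# not itself contain the contiguous signature that real AV products match on.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# eicar.org allows the string to be followed by whitespace, 128 bytes in total.
EICAR_PAD = b" \t\r\n\x1a"
EICAR_MAX_LEN = 128

# Constructed signature table: name -> byte pattern.  Assumption: a real
# scanner loads thousands of these from a signed definition file.
SIGNATURES = {"EICAR-Test-File": EICAR}

# Constructed hash table of known-bad files, keyed by SHA-256 of the content.
KNOWN_BAD_HASHES = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}


def scan_bytes(data):
    """Return [(signature_name, offset)] for every pattern found in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        offset = data.find(pattern)
        while offset != -1:
            hits.append((name, offset))
            offset = data.find(pattern, offset + 1)
    return hits


def is_strict_eicar(data):
    """True only for a conforming EICAR file: the 68 bytes, optionally followed
    by whitespace, 128 bytes at most.  This distinguishes the real test file
    from a document that merely quotes the string somewhere inside it."""
    if len(data) > EICAR_MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in EICAR_PAD for b in data[len(EICAR):])


def hash_lookup(data):
    """Whole-file hash check; exact match only, so any change to the file evades it."""
    return KNOWN_BAD_HASHES.get(hashlib.sha256(data).hexdigest())


def scan_file(path, max_size=50 * 1024 * 1024):
    """Scan one file and return a dict describing what was found."""
    if os.path.getsize(path) > max_size:
        return {"path": path, "skipped": "too large"}
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "path": path,
        "signature_hits": scan_bytes(data),
        "hash_hit": hash_lookup(data),
        "strict_eicar": is_strict_eicar(data),
    }


def scan_tree(root):
    """Walk a directory tree and scan every regular file (symlinks skipped)."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                results.append(scan_file(path))
    return results


def main():
    # Demo: write three constructed files into a temp dir and scan it.  Run
    # this only on the isolated VM the article insists on; the AV on a normal
    # host will quarantine eicar.com the moment it is written.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "eicar.com"), "wb") as fh:
            fh.write(EICAR + b"\r\n")          # conforming test file
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(b"The test string is: " + EICAR + b"\n")  # quotes it
        with open(os.path.join(tmp, "clean.txt"), "wb") as fh:
            fh.write(b"nothing to see here\n")
        for r in scan_tree(tmp):
            print(os.path.basename(r["path"]), r["signature_hits"],
                  r["hash_hit"], r["strict_eicar"])


if __name__ == "__main__":
    main()
```

Two things worth noticing when you run it: eicar.com is caught by the signature search and the strict check but not by the hash lookup, because the trailing CR LF changes the file hash; notes.txt is caught by the signature search only, which is exactly the false-positive class a production scanner has to reason about.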

Using both of these on a VM running in an isolated space can help you understand a number of computer science ideas.  Now that every O/S out there has to deal with security, if this interests you there are a large number of well-paying jobs.  These jobs expect you to be able to write code, to understand the management of large systems, and to know how to deal with emerging security threats.

As to the latter, you cannot do that without examining the actual threats in a protected environment.  Again, only on a virtual machine that is disconnected from the network.