Dustin Cook wrote:

>Andy Walker <awalker@nspank.invalid> wrote in news:46b3eafd.12865171
>@news.webtv.com:
>
>> Dustin Cook wrote:
>>
>>> If you have any questions, I will
>>> monitor this thread; you may respond here or in email.
>>
>> Ok, say I'm a malware writer and want to evade your program. It seems
>> to me that all I have to do is pad a few kilobytes of garbage into my
>> program and randomly modify the size every now and then. I could evade
>> your program for a very long time under that scenario. Is that
>> correct?
>>
>
>That's correct. That's exactly why we can't detect them all. Thousands upon
>thousands of similar variants, all written in HLL languages, so you have
>to be very careful in IDing them.
>
>It's not a flaw alone to BugHunter per se; those are the same tricks used to
>evade virus scanners too.

I understand what you're saying, but some scanners take into account
other metrics like the existence of certain registry keys, or even the
structure of supporting files used as databases for the malware. A
complete deconstruction of the offending malware *could* produce
enough information to snare all its variants. Heh! but then who's got
the time... ;-)
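As an added illustration of the point made in this thread (this is constructed example code, not BugHunter's code or anything posted by either participant): a signature keyed on file size alone stops matching as soon as junk is appended, while signatures keyed on what the file actually contains, plus a check for the registry key the sample would create, still fire on the padded variant. The sample byte strings, the "EVIL_CORE_ROUTINE" marker, the registry key path and the registry snapshot are all made up for the demonstration.

```python
import hashlib
import re

# Constructed sample "executables": the same core bytes, with and without junk padding.
# A DOS/PE-style "MZ" header is mimicked only so the samples look file-like.
_CORE = (
    b"MZ\x90\x00"
    + b"EVIL_CORE_ROUTINE"          # hypothetical code marker shared by all variants
    + b"\x00" * 16
    + b"HKCU\\Software\\Evil\\Run"  # hypothetical registry key the sample would create
    + b"\x00" * 8
)
SAMPLE_ORIGINAL = _CORE
SAMPLE_PADDED = _CORE + b"\x41" * 3000        # a few kilobytes of garbage appended
SAMPLE_BENIGN = b"MZ\x90\x00" + b"HELLO_WORLD" + b"\x00" * 100

# Signature 1: file size only (brittle, as the thread notes).
SIZE_SIGNATURE = len(SAMPLE_ORIGINAL)

# Signature 2: hash of a fixed-length prefix (the header/core region) instead of the whole file,
# so trailing padding does not change the hash.
PREFIX_LEN = 40
PREFIX_HASH_SIGNATURE = hashlib.sha256(SAMPLE_ORIGINAL[:PREFIX_LEN]).hexdigest()

# Signature 3: a byte pattern plus the registry key string embedded in the file.
CONTENT_PATTERN = re.compile(rb"EVIL_CORE_ROUTINE")
REGISTRY_KEY_STRING = b"HKCU\\Software\\Evil\\Run"

# Constructed registry snapshot standing in for what a host-side scan would collect.
INFECTED_REGISTRY = {
    r"HKCU\Software\Evil\Run": r"C:\Users\victim\evil.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": r"C:\Program Files\legit\app.exe",
}
CLEAN_REGISTRY = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": r"C:\Program Files\legit\app.exe",
}


def size_match(sample: bytes) -> bool:
    """Size-only signature: defeated by any change in length."""
    return len(sample) == SIZE_SIGNATURE


def prefix_hash_match(sample: bytes) -> bool:
    """Hash only the leading bytes, so appended junk does not alter the result."""
    return hashlib.sha256(sample[:PREFIX_LEN]).hexdigest() == PREFIX_HASH_SIGNATURE


def content_match(sample: bytes) -> bool:
    """Require both the code marker and the embedded registry key string."""
    return bool(CONTENT_PATTERN.search(sample)) and REGISTRY_KEY_STRING in sample


def registry_indicator(snapshot: dict) -> bool:
    """Host-side metric: does the registry key the malware creates exist?"""
    return r"HKCU\Software\Evil\Run" in snapshot


def scan(sample: bytes, snapshot: dict) -> dict:
    """Run every metric and also report a combined verdict that needs any content/host hit."""
    results = {
        "size": size_match(sample),
        "prefix_hash": prefix_hash_match(sample),
        "content": content_match(sample),
        "registry": registry_indicator(snapshot),
    }
    results["verdict"] = results["prefix_hash"] or results["content"] or results["registry"]
    return results


if __name__ == "__main__":
    for name, sample, reg in (
        ("original", SAMPLE_ORIGINAL, INFECTED_REGISTRY),
        ("padded", SAMPLE_PADDED, INFECTED_REGISTRY),
        ("benign", SAMPLE_BENIGN, CLEAN_REGISTRY),
    ):
        print(name, scan(sample, reg))
```

Running it shows the padded variant slipping past the size check while the prefix hash, the content pattern and the registry indicator all still flag it, and the benign sample triggering none of them; the combined verdict is what a scanner that "takes into account other metrics" would act on.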