Old threats included in new signatures

[Dangermouse 5]

Why are threats that have already been included in old signature files being added to new signature files ?

 

[Marcos 5,074]

I'm sorry but I don't understand your question. Basically a signature is added just once. I can't imagine re-adding millions of signatures each time; in such case you'd need to download > 30 MB with each update.

[Dangermouse 5]

OK, here is an example

 

hxxp://www.virusradar.com/en/update/info/14565   contains a signature for 

Win32/Autoit.IV

 

but clicking on the link from the list of update 14565 shows

 

Category worm Detection created May 16, 2013 Signature database version

9534

 

 

Win32/Autoit.IV [Threat Name]

Detection created 2013-05-16 World activity peak 2016-03-05 (0.07 %)

 

Clicking on the link for update 9534 shows the same threat, and the same variant

 

In fact, this threat is also listed in another recent signature file hxxp://www.virusradar.com/en/update/info/14559

 

Edited December 8, 2016 by Dangermouse

[Marcos 5,074]

Detection for variants of the Autoit.IV worm were added on the following days:
16.5.2013 30.6.2013 30.7.2013 19.9.2013 5.10.2013 17.10.2013 18.10.2013 5.11.2013 25.11.2013 9.12.2013 13.1.2014 30.1.2014 26.2.2014 5.3.2014 6.3.2014 12.3.2014 20.3.2014 26.3.2014 3.4.2014 9.4.2014 26.5.2014 3.6.2014 11.6.2014 23.6.2014 24.6.2014 15.7.2014 29.7.2014 4.8.2014 29.8.2014 8.9.2014 9.9.2014 16.9.2014 30.9.2014 16.10.2014 22.10.2014 30.10.2014 6.11.2014 14.11.2014 24.11.2014 24.12.2014 7.1.2015 14.1.2015 25.2.2015 3.3.2015 6.3.2015 24.3.2015 30.3.2015 7.4.2015 24.4.2015 25.4.2015 28.4.2015 7.5.2015 8.5.2015 11.5.2015 12.5.2015 13.5.2015 19.5.2015 20.5.2015 21.5.2015 22.5.2015 23.5.2015 25.5.2015 29.5.2015 1.6.2015 2.6.2015 4.6.2015 5.6.2015 8.6.2015 10.6.2015 11.6.2015 12.6.2015 15.6.2015 17.6.2015 18.6.2015 22.6.2015 23.6.2015 24.6.2015 26.6.2015 29.6.2015 30.6.2015 2.7.2015 7.7.2015 13.7.2015 17.7.2015 27.8.2015 7.9.2015 8.9.2015 9.9.2015 6.10.2015 26.10.2015 2.11.2015 4.11.2015 9.11.2015 10.11.2015 12.11.2015 14.12.2015 15.12.2015 11.1.2016 18.1.2016 15.2.2016 24.2.2016 3.3.2016 17.3.2016 18.3.2016 21.3.2016 22.4.2016 9.5.2016 12.5.2016 14.5.2016 8.6.2016 16.6.2016 8.7.2016 23.8.2016 11.10.2016 21.10.2016 24.10.2016 22.11.2016 28.11.2016 6.12.2016 7.12.2016

[Dangermouse 5]

Thanks for the wall of text.

 

Do I infer from it that the descriptions in the signature files don't necessarily detail all of the variants, even though the example I gave is listed as a specific variant ? i.e., some of the 'variants' listed in the signature file descriptions are generic umbrella terms for minor variations ?

[Marcos 5,074]

That's correct. For instance, if there are more components of a malware or if there are very little differences between variants they may be detected under the very same name.