What criteria does an antivirus use to detect a program as a virus?

Antivirus programs search a virus executable for a known piece of code or some other sort of signature that uniquely identifies it. Exactly how a virus is identified depends upon how the antivirus was made. The "signatures" or "definitions" you download just about every day is a database containing these identifications.

A virus isn't known and removable until it has already been released, hit some computers, and either submitted to or caught by Antivirus companies who add an ID for the virus to their database and release an update. To combat new viruses that are unknown, what's called a heuristic scan may be performed.

A heuristic scan picks apart an executable and searches for patterns commonly found in viruses, such as disabling parts of Windows, raising a fake error when something is opened, etc. Most viruses (in this case I am talking about extremely common 'rouge antiviruses') are just cheap copies of earlier ones. Several are identical to one another other than a slightly different GUI, name, and possibly hiding techniques. You can see how this actually works well! If a program is flagged by heuristics it is usually flagged as "Suspicious" as the antivirus doesn't really know if it is a threat or not.

Anyway, It depends on exactly what you are doing in the background. If you're accessing the internet in any way, it'll probably respond by asking the user to allow the program through the firewall. (assuming the antivirus has one, it SHOULD if it's worth anything) Other than that I very highly doubt that an application you developed will have any problems with antivirus applications unless a section of its compiled code just so happens to match that of a virus, which again is VERY VERY unlikely unless you're doing something odd that you shouldn't be doing...:|

So yes, it is generally safe to assume it won't be flagged now or ever. Is that enough reading for ya? ;)

If you want to be absolutely sure, I remember a website I saw a long time ago that scanned a file that you uploaded to them with a lot of major antivirus programs. But I can't seem to find it!

EDIT: Here it is!
http://virscan.org/

There is more than one of those websites.

So yes, it is generally safe to assume it won't be flagged now or ever. Is that enough reading for ya?

Yep :D

I wrote a trojan not that long ago that wasn't detected by my antivirus. It did incredibly suspicous stuff too, like sending a list of running procs over TCP or UDP to a listener, running procs, accepting commands to run in the command-line, remote shutdown/restart, send clipboard data back and forth, inject code into running procs to intercept windows messages (keystrokes, mouse info, etc) it even had a little vnc pluging for complete remote control. I guess nothing in it exactly replicated any other virus out there, or AVG just sucks.

I wrote a trojan not that long ago that wasn't detected by my antivirus. It did incredibly suspicous stuff too, like sending a list of running procs over TCP or UDP to a listener, running procs, accepting commands to run in the command-line, remote shutdown/restart, send clipboard data back and forth, inject code into running procs to intercept windows messages (keystrokes, mouse info, etc) it even had a little vnc pluging for complete remote control. I guess nothing in it exactly replicated any other virus out there, or AVG just sucks.

Did you use it on the machine you developed it on? You can also "sign" .NET apps somehow, I forget what info it includes. How did you incorporate the plugin system?

What kind of client/server model did you use, I'm only familiar with the basic idea of a client connecting to a listening server. Does the "host/victim" require open ports, i.e., does it run a server or do you exchange info through something like IRC and make the host connect to your end? What VNC lib did you use, and what programming language(s) did you use?

I wrote a trojan not that long ago that wasn't detected by my antivirus. It did incredibly suspicous stuff too, like sending a list of running procs over TCP or UDP to a listener, running procs, accepting commands to run in the command-line, remote shutdown/restart, send clipboard data back and forth, inject code into running procs to intercept windows messages (keystrokes, mouse info, etc) it even had a little vnc pluging for complete remote control. I guess nothing in it exactly replicated any other virus out there, or AVG just sucks.

This stuff isn't really necessarily suspicious per se, except for opening ports, etc. Windows Firewall, by default, should prompt you to allow that communication out or not.

Basically, the "code signatures" are actual bytecode signatures that other viruses have been detected with-- you might have included a shared library from a virus, and used those functions. THEN the AV app would detect a potential problem.

This stuff isn't really necessarily suspicious per se, except for opening ports, etc. Windows Firewall, by default, should prompt you to allow that communication out or not.

Basically, the "code signatures" are actual bytecode signatures that other viruses have been detected with-- you might have included a shared library from a virus, and used those functions. THEN the AV app would detect a potential problem.

Windows firewall doesn't prompt to connect though, I've never had a prompt from a simple application connecting. I don't really know if it asks you about serving either, can anyone verify this for Vista/W7 ?

I used it on the development machine and on my work computer, and both my roomates computers. It only operates over a LAN, but could probably be tweaked to work over the internet. Basically the server broadcasts a heartbeat to the network over UDP, and if the trojan is running and hears the heartbeat it will connect via tcp to the server. This way there is no need to have an ip list on the server.

I just used the .dll that comes with vnc. It's really easy to use and is all open source. I wrote it all from scratch (except the vnc dll) so no known virus libraries would have been detected. It was never really intended to be malicious, I just wanted to write something to close my roomates' torrents when I was gaming since they hogged all the bandwidth. I figuired I might as well have some fun while writing it so added a bunch of malicious kinds of features to follow the go hard or go home philosophy.

*Edit: I wrote it all in C#

Did you incorporate a plugin system?

Did you incorporate a plugin system?

No. It wouldn't really be that hard though. It's a pretty simple program (under 500 lines)

Well what I'm really asking is how are plugin systems usually done? (The kind that allow users and third parties to add plugins)
What's a good way to do that?

An easy way to make plugins work is through interfaces. At work I wrote some code for our data acquisition system that allows it to use any API/driver dll for any data acquisition module such that it supported a certain interface. The interface requires that the dll has a GetAnalogToDigitalChannel() function that accepts a channel number and returns a value, a GetStatus() function that gets the device status, and a Initialize function (which can be empty). To load the plugin a file containing either the names or the address offsets of these functions is required. If the module's dll does not contain the proper implementation of these (for example it only contains a function that returns all channels rather than 1 at a time), a very small wrapper dll is required that forces this implementation (holds all the channels in an array and returns the one with the index provided in GetAnalogToDigitalChannel()). To get these function pointers I used a Native Win32 interop (I think it was Kernel32.dll but I could be wrong) containing the function LoadLibrary() and GetProcAddress()). Since I was using C# where pointers are taboo, I used delegates (the .Net equivalent of a function pointer)

This was my real world approach to the problem. I am sure there is some sort of API/method that can do this a better way but this method seemed intuitive to me. I learn something new about programming every day it seems, and I have been coding for 9 years, 2 of which being professionally.

I wrote a trojan not that long ago that wasn't detected by my antivirus. It did incredibly suspicous stuff too, like sending a list of running procs over TCP or UDP to a listener, running procs, accepting commands to run in the command-line, remote shutdown/restart, send clipboard data back and forth, inject code into running procs to intercept windows messages (keystrokes, mouse info, etc) it even had a little vnc pluging for complete remote control. I guess nothing in it exactly replicated any other virus out there, or AVG just sucks.

AVG just sucks lol. If You want a real antivirus program the is freeware i would suggest Avast. Defiantly one of the best I've tried

What do you mean by "broadcasts a heartbeat"?

What do you mean by "broadcasts a heartbeat"?

It's a UDP packet containing a single string. Something that uniquely identifies the program - I think it was 'TrojWakeup' or something. The term heartbeat is fairly common networking jargon meaning to broadcast something over a network that is replied to by the clients to let the broadcaster know who is on the network.

It is sent to 255.255.255.255 (broadcast address), although this method doesn't work in windows 7. In windows 7 you must know the subnet you are broadcasting on (ie 192.168.0.255 would work on a 192.168.0 subnet).