Dailydave mailing list archives
RE: Self updating worms?
From: "Jonathan Wilkins" <jwilkins () microsoft com>
Date: Thu, 9 Sep 2004 14:04:37 -0700
The point is that the author wouldn't be doing the updating personally. The worm would update automatically based on its ability to extract new exploit vectors from *other* worms/exploits that it was able to see while sniffing whatever network it found itself on. (Obviously this would be limited to exploits/worms that were generated using some language/product that the original author had written an extractor for.)

This is a fire and forget type worm that would be able to propagate very slowly without the penalties that usually apply to slow moving worms. Releasing multiple variants increases the chances of the author being discovered with every new release.

I'm not suggesting it as a retail product, just as a potentially neat idea.

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Dave Aitel
Sent: Thursday, September 09, 2004 1:29 PM
To: Anton A. Chuvakin
Cc: Kohlenberg, Toby; dailydave () lists immunitysec com
Subject: RE: [Dailydave] Self updating worms?

On Thu, 2004-09-09 at 16:18, Anton A. Chuvakin wrote:
> Frankly, I'm surprised this hasn't already been implemented many times over...I'd buy what Gadi Evron said over that. Why update a worm leaving a trail if you can make a new one? Resilient and untraceable worm update
> mechanism is a cool idea, but there might be no business case for it :-) in the realm of retail worms. Now, if you are talking custom stuff
> ... who knows.

I think the business case is there. Immunity has a lot of research (see Advanced Ordnance slides) going into multi-headed worms and transports and such. Not all hosts vulnerable to your new exploit are reachable from other hosts vulnerable to your new exploit - you want to just feed the exploit into the mill and see what comes out.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave