Re: Self updating worms?

[Dave Aitel <dave () immunitysec com>]

Well, we can also think small. For example a worm could try to
self-infect with a newly received exploit. If self infect succeeded,
then exploit knowledge base reliablility ++, else it can run
autosploit.py with the included script to see what went wrong and try to
get a new target value or otherwise fix the exploit (we call these
exploit fingerprints, but whatever).

This stuff is doable today. Tomorrow, maybe bigger things, like fuzzing
new services to find bugs, and then writing the exploits and sending the
reports back :>.

-dave



On Thu, 2004-09-09 at 18:25, Gadi Evron wrote:
> Jonathan Wilkins wrote:
>
> > The point is that the author wouldn't be doing the updating personally.
> > The worm would update automatically based on it's ability to extract new
> > exploit vectors from *other* worms/exploits that it was able to see
> > while 
>
> Right, and I'm an AI capable of reversing using IDA Pro and detecting 
> protocol anomalies with no false positives/negatives using Ethereal. 
> Wait till the guys at datarescue hear about me.
>
> > sniffing whatever network it found itself on.  (Obviously this would be
> > limited to exploits/worms that were generated using some
> > language/product
> > that the original author had written an extractor for)
>
> I was being cynical above (sorry if the bad joke came out wrong). I can 
> see how this could work, especially with so much freely available 
> malware source available.
> However, I personally believe that although it might have it's 
> applications, it would never really work due to practicality. What do I 
> do, add more functionality for an engine that might or might not work 
> (depending on availability of previous && correct infections)? or 
> perhaps add more functionality for the existing "creation"? Remember.. 
> the size of the sample is everything.
>
> Virus creation kits exist.. what you suggest is a next-level language 
> built on top of a current high-level one (or whatevah?). I forgot the 
> term for it, but it's either a library (.h, .dll, .whatever) or a higher 
> level language much like some people try and create academically, to 
> make coding easier on people. Sorry for being thick on words, I forgot 
> the term.
>
> Either way, and although your idea fascinates me - I don't see it 
> happening and refuse to discuss it further here.
>
> I believe you have the right idea but the wrong concept. How about 
> polymorphic engines and code generators? Biology, genes.. gotta hate it. 
> There is a ton of material on these subjects online.
>
> > This is a fire and forget type worm that would be able to propogate
> > very slowly without the penalties that usually apply to slow moving
> > worms.
>
> How do you figure that?
>
> > Releasing multiple variants increases the chances of the author being 
> > discovered with every new release.
>
> That depends on the author, now, doesn't it?
>
> > I'm not suggesting it as a retail product, just as a potentially neat
> > idea.
>
> I was willing to hear you out, and I like the way you think.. but no 
> virus is a "neat" idea. Sorry.
> Anyway, should we discuss ways of making viruses better? I think not, 
> but that's just me and that is why I will withdraw from this line of 
> conversation from here on.
>
> Buddy, I am not trying to bust your bones and as I said.. I believe you 
> raise valid points.. but I don't like where this is heading.
> </preaching>
>
>       Gadi Evron.
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://www.immunitysec.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave