Educause Security Discussion mailing list archives

Wow - What a good thread - Virus Scanning Engine Flaw


From: James H Moore <jhmfa () RIT EDU>
Date: Fri, 11 Nov 2005 12:04:49 -0500

What a good thread on the rainbow crack online.  I had my questions
answered there.

So back to the issue that started me writing.  I have been looking at
Sana Security for network managed anti-spyware.  It might also be able
to be part of a defense in depth strategy for when people kit the
technique described in the article below, and then start mining the
archives of successful virus and worm code to integrate it with the kit.
I gave a heads-up to my management that we may need to go defense in
depth with virus/worm protection, and I was about to call some of the
lead systems admins together to plan for what that would take.  But I
decided that it would be better to ask if others saw the same potential 

http://security.ithub.com/article/Virus+Scanners+Made+Moot+by+New+Exploit/164278_1.aspx

Describes a flaw in the design of most virus scanning engines. Most
virus scanning engines assume that worms or viruses will play fair in
writing the file. The technique shows how to not play fair in terms of
the file headers and offsets.


Is anyone else addressing this?  How?

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"We will have a chance when we are as efficient at communicating
information security best practices, as hackers and criminals are at
sharing attack information"  - Peter Presidio
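
An added example, not part of the original message or of the thread, in the defensive direction the post asks about: a check that does not trust a file's headers to "play fair", here for the ZIP format, verifying that the central directory's offsets and sizes agree with the local headers they point at before the archive is accepted. Field offsets follow the PKWARE APPNOTE layout; the sample archive and the deliberately inconsistent copy used to exercise the check are constructed in the code.

```python
import io
import struct
import zipfile
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"


def check_zip_structure(data: bytes) -> list:
    """List header/offset inconsistencies; empty means both header views agree."""
    problems = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        return ["no end-of-central-directory record"]
    # EOCD fixed fields at +10: total entries (H), directory size (I), directory offset (I)
    n_entries, cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_off
    for i in range(n_entries):
        hdr = data[pos:pos + 46]
        if len(hdr) < 46 or hdr[:4] != CENTRAL_SIG:
            return problems + [f"entry {i}: no central header signature at offset {pos}"]
        # central header: sizes at +20, name/extra/comment lengths at +28, local offset at +42
        csize, usize, name_len, extra_len, comment_len = struct.unpack_from("<IIHHH", hdr, 20)
        local_off = struct.unpack_from("<I", hdr, 42)[0]
        name = data[pos + 46:pos + 46 + name_len]
        pos += 46 + name_len + extra_len + comment_len
        lh = data[local_off:local_off + 30]
        if local_off >= cd_off or len(lh) < 30 or lh[:4] != LOCAL_SIG:
            problems.append(f"entry {i} {name!r}: offset {local_off} is not a local header")
            continue
        # local header: flags at +6, sizes at +18, name/extra lengths at +26
        lflags = struct.unpack_from("<H", lh, 6)[0]
        lcsize, lusize, lname_len, lextra_len = struct.unpack_from("<IIHH", lh, 18)
        if data[local_off + 30:local_off + 30 + lname_len] != name:
            problems.append(f"entry {i} {name!r}: local header carries a different file name")
        if not lflags & 0x08 and (lcsize, lusize) != (csize, usize):  # bit 3: sizes deferred
            problems.append(f"entry {i} {name!r}: size fields disagree between the two headers")
        if local_off + 30 + lname_len + lextra_len + csize > cd_off:
            problems.append(f"entry {i} {name!r}: compressed data overlaps the central directory")
    return problems


def build_sample_zip() -> bytes:
    """Constructed sample input: a small, well-formed archive built with the stdlib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hello.txt", "hello world\n" * 8)
    return buf.getvalue()


def corrupt_local_offset(data: bytes, bogus: int) -> bytes:
    """Constructed negative case: make entry 0's central-directory offset disagree with the data."""
    cd = data.rfind(CENTRAL_SIG)
    return data[:cd + 42] + struct.pack("<I", bogus) + data[cd + 46:]
```

A scanner that only follows one of the two header views (or trusts declared sizes without checking them against the file) is exactly what such a check is meant to backstop.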


