Full Disclosure mailing list archives

Re: MyDoom.b samples taken down


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 02 Feb 2004 12:59:40 +1300

Kurt Weiske <kweiske () kataan org> wrote:

> > I know most of you will not believe this because you are so stupid you
> > already believe that live virus samples are _just_ information and
> > therefore _should_ be subject to "full disclosure" (this is a special
> > form of ignorance that very little empirical evidence seems able to
> > budge

> Before I make a judgement here, are you against publishing the virus in
> executable form that could be accidentally launched, or against
> publishing the virus in any form?

Both.

The problem is "publishing".

Because most users insist on relying on known virus scanning methods,
rather than any of the sensible approaches to "protecting" their
computers, publishing virus code in any form simply leads to more "new"
viruses.  Most viruses are relatively minor "copy and tweak" variations
on already existing ones, thus explaining a large chunk of whatever
effectiveness you see in current heuristic and "generic" detection
methods in use in popular known virus scanners.  However, those
approaches are far from perfect.  Thus, making more virus code
available today will result in more new (i.e. "not initially detected")
viruses, which means "the virus problem" will continue.

If most folk actually used sensible code integrity mechanisms, I would
not especially care about publication, as it would be irrelevant to the
effect _on the user_.  (I would probably prefer that such code not be
published, as why focus on such negative things when there is so much
good that software development talent could be turned to, but those are
different issues rising from different dynamics, and ones we do not face
today...)

> If the latter, then perhaps you might find other mailing lists with a
> more sympathetic audience. If the former, after consideration, I agree.
> Handling a live virus is akin to handling their real-world counterparts,
> and having some protection against accidentally launching it on a
> production system is a Good Thing. I've renamed mine to a non-executable
> extension, and they're off my production boxes.

You are clearly not aware that simply renaming to a "non-executable 
extension" may not be enough...

And, as for your suggestion that virus code "should" be acceptable to 
this list, I'll point out there has been nothing new in viruses since 
Fred Cohen wrote his thesis.  All actual "developments" we have seen 
implemented in viruses were foreshadowed in his theoretical work.  
Also, as a general pedagogical position, it is better to understand the
underlying theory and methods of a discipline rather than a few of its
specifics.  We don't teach engineers how to build bridges by just
sending them to study the Sydney Harbour Bridge, the Golden Gate Bridge
and Tower Bridge.  We teach them the theories underlying the choice of
design types, materials and processes and so on necessary to be able to
design _any_ safe bridge.  Thus, knowledge of the specific is not that
critical...  Well, unless your bridge falls down or you face an actual
outbreak of the virus, and then we tend to rely on the acknowledged
experts to provide the analysis and solution.

So, in a world where folk insist on relying on theoretically and 
practically inadequate measures to "protect" them from viruses, and 
where new viruses are thus trivially derived from existing ones, I 
strongly object to all publication of detailed virus code.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
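An added example, not part of this thread or either poster's words: the check below classifies a sample by its content rather than by its file name, which is why renaming a sample to a "non-executable" extension is not a safe-handling control on its own, and then wraps samples in a hypothetical reversible container (XOR with 0xFF plus a recorded SHA-256) so that no loader, double-click or scanner treats the stored bytes as a program. The sample bytes are constructed stand-ins carrying only realistic magic bytes, not real malware, and the container tag and layout are assumptions of this example.

```python
from typing import Optional
import hashlib

# Constructed stand-ins for "live samples": only the magic bytes are realistic.
# None of this is malware; the point is that classification ignores the file name.
CONSTRUCTED_PE = (
    b"MZ" + b"\x00" * 58                      # DOS header up to e_lfanew (offset 0x3C)
    + (0x40).to_bytes(4, "little")            # e_lfanew -> PE signature at offset 0x40
    + b"PE\x00\x00" + b"\x00" * 32            # PE signature followed by padding
)
CONSTRUCTED_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 57
CONSTRUCTED_TEXT = b"Notes about the sample, plain text.\n"


def looks_executable(data: bytes) -> Optional[str]:
    """Classify content by magic bytes; the file extension is never consulted."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            off = int.from_bytes(data[0x3C:0x40], "little")
            if data[off:off + 4] == b"PE\x00\x00":
                return "pe"
        return "mz-dos"
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:2] == b"#!":
        return "script"
    return None


DEFANG_TAG = b"DEFANGED-XOR-FF v1"   # hypothetical container tag chosen for this example


def defang(data: bytes) -> bytes:
    """Wrap a sample so nothing recognises it as a program, recording its SHA-256."""
    digest = hashlib.sha256(data).hexdigest().encode()
    body = bytes(b ^ 0xFF for b in data)   # reversible; destroys every magic byte
    return DEFANG_TAG + b"\n" + digest + b"\n" + body


def refang(blob: bytes) -> bytes:
    """Inverse of defang; refuses a container whose hash does not match the recorded one."""
    tag, digest, body = blob.split(b"\n", 2)
    if tag != DEFANG_TAG:
        raise ValueError("not a defanged container")
    data = bytes(b ^ 0xFF for b in body)
    if hashlib.sha256(data).hexdigest().encode() != digest:
        raise ValueError("hash mismatch: container corrupted or tampered with")
    return data


def triage(name: str, data: bytes) -> dict:
    """Report what the content actually is, whatever the name claims it is."""
    return {
        "name": name,
        "content_type": looks_executable(data) or "not-executable",
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    # Renamed to .txt, but still a PE by content:
    print(triage("sample.txt", CONSTRUCTED_PE))
    print(triage("sample.bin", CONSTRUCTED_ELF))
    print(triage("notes.txt", CONSTRUCTED_TEXT))
    stored = defang(CONSTRUCTED_PE)
    print(triage("sample.defanged", stored))   # no longer looks like a PE
    assert refang(stored) == CONSTRUCTED_PE
```

The XOR wrapper is only an accident guard, not protection against a determined reader: its purpose is that a stored sample is inert until someone deliberately calls refang, and the recorded hash lets you confirm you got back exactly the bytes you archived.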

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
