Full Disclosure mailing list archives

RE: Show me the Virrii!


From: "John LaCour" <jlacour () zonelabs com>
Date: Tue, 6 Jan 2004 12:47:13 -0800


The NSRL has several issues that limit its usefulness.

1) The file signatures are scanned from the media, not from
   systems upon which they've been installed.  This means
   it doesn't include the files inside .ZIP or .CAB files
   for example.

2) Many executables actually change when they're installed
   onto a system in ways unique to the system that they're
   installed on.  To address this, we've written our own
   hashing algorithm which ignores sections of the executable
   which are likely to change during the installation process.

3) The list of programs and applications in the NSRL appears to
   be relatively random and mostly consists of programs
   which were donated to the NIST for this purpose.

In short, we found the NSRL to be of limited usefulness for the
purpose of authenticating popular enterprise software on installed
systems.

-John

-----Original Message-----
From: Elsner, Donald, ALABS [mailto:elsner () att com] 
Sent: Tuesday, January 06, 2004 11:59 AM
To: Donze, Erich; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Show me the Virrii!




-----Original Message-----

I like the idea of scanning for valid software.  There are some problems
with it that would need to be overcome, though:

1.  Who makes the list, and keeps it updated?  This would be a huge
undertaking. 

------------------- snip -----------------------------------
The U.S. Government is already doing this......  Please see
        
National Software Reference Library (NSRL)
(http://www.nsrl.nist.gov)

Overview: The National Software Reference Library (NSRL) provides a
repository of known software, file profiles, and file signatures for use
by law enforcement and other organizations in computer forensics
investigations.

Industry Need Addressed: Investigation of computer files
requires a tremendous effort to review individual files. A typical
desktop computer contains between 10,000 and 100,000 files, each of
which may need to be reviewed. Investigators need to eliminate as many
known files as possible from having to be reviewed. An automated filter
program can screen these files for specific profiles and signatures. If
a specific file's profile and signature match the database of known
files, then the file can be eliminated from review as a known file. Only
those files that do not match would be subject to further investigation.
In addition, investigators can search for files that are not what they
claim to be (e.g., the file has the same name, size, and date of a
common file, but not the same contents) or files that match a profile
(e.g., hacking tools).



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
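
Added example, not part of the original messages: a known-file filter of the kind the NSRL overview describes, run against a reference set hashed from the media only (point 1 in the reply above) and against one that also hashes archive members. The file names, contents and the choice of SHA-1 are constructed assumptions for illustration.

```python
import hashlib
import io
import zipfile

# Constructed sample contents; none of this comes from the NSRL data set.
APP_EXE = b"MZ constructed program body"
APP_DLL = b"MZ constructed library body"
README = b"constructed readme text"
UNLISTED = b"MZ constructed file absent from any media"


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_media() -> dict:
    """Install media: one loose file plus an archive holding the program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("app.exe", APP_EXE)
        z.writestr("app.dll", APP_DLL)
    return {"README.TXT": README, "DATA1.ZIP": buf.getvalue()}


def reference_set(media: dict, expand_archives: bool) -> set:
    """Hash every file on the media; optionally hash archive members too."""
    known = set()
    for data in media.values():
        known.add(sha1(data))
        if expand_archives and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                known.update(sha1(z.read(m)) for m in z.namelist())
    return known


def unknown_files(installed: dict, known: set) -> list:
    """Names of installed files whose hash is not in the reference set."""
    return sorted(n for n, d in installed.items() if sha1(d) not in known)


# What ends up on disk after installation (constructed).
INSTALLED = {"README.TXT": README, "app.exe": APP_EXE,
             "app.dll": APP_DLL, "unlisted.exe": UNLISTED}

if __name__ == "__main__":
    media = build_media()
    print("media only:       ", unknown_files(INSTALLED, reference_set(media, False)))
    print("archives expanded:", unknown_files(INSTALLED, reference_set(media, True)))
```

Expanding archives closes only the first gap: an executable that the installer modifies (point 2) would still fail a whole-file hash match.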
