funsec mailing list archives
Re: Question about Viruses
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Fri, 7 Jul 2006 13:57:08 -0400
On 7/7/06, <...> <massimo () grandmedia si> wrote:
did you REALLY read what you wrote before hitting return?
if you get identified as "another" virus, that means you ARE identified :-(
if you are identified you GO TO JAIL without collecting the money ;-)
default action: remove/disinfect
backup action: quarantine
I was thinking more along the lines of: since most AV still tries to disinfect/clean a file, rather than assume it is a whole virus, a programmer could insert the recognized code with the unrecognized code attached; the program would report the file being cleaned and everything is back to normal. If this is stupid, please let me know, as I am not a programmer and not sure if this is how things work. This way the engine wouldn't submit the new virus to the parent company for developers to figure out a removal procedure.

Like I said, I am not a coder (yet, I am trying to learn in my spare time), so lemme know if this is completely incorrect. I only thought this might be the case as I encountered a virus that was detected as one thing, but was showing infection methods and files not associated with it, as well as not performing its stated objective (eg: putting links in favorites for pr0n).

-JP <who sometimes thinks before hitting "send">
you're dead or in jail.....

----- Original Message -----
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
To: "FunSec LList" <funsec () linuxbox org>
Sent: Friday, July 07, 2006 5:11 PM
Subject: [funsec] Question about Viruses

> Has anyone heard of a virus masquerading as another virus in order to
> avoid detection.
>
> Well you wouldn't be avoiding detection per se, just avoiding correct
> identification.
>
> How hard would it be to throw a signature for, let's say
> troj_stargpag.qy in your app that was really a (insert favorite/least
> favorite virus here)
>
> -JP
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
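The scenario JP raises (a recognized signature with unrecognized code attached, so the engine "cleans" the known part and moves on) is easy to demonstrate with a toy scanner. The Python below is an added example, not code from the thread or from any AV vendor: the signatures, the sample files and the known-good hash inventory are all constructed for the demo. It shows the misidentification a first-match engine produces, and a defender-side policy that reports every match and only disinfects when what remains hashes to a file it can vouch for; anything else is quarantined so the residue gets examined rather than silently kept.

```python
import hashlib

# Constructed toy signatures for the demonstration; not real AV signatures.
SIGNATURES = {
    "Demo.Known.A": b"KNOWN-A-MARKER",
    "Demo.Known.B": b"KNOWN-B-MARKER",
}

# Constructed sample files.
CLEAN_HOST = b"hello world program"
SIMPLE_INFECTED = CLEAN_HOST + SIGNATURES["Demo.Known.A"]
# The case from the thread: a recognized signature with unrecognized code attached.
DECOY_SAMPLE = CLEAN_HOST + SIGNATURES["Demo.Known.A"] + b"UNRECOGNISED-EXTRA-CODE"

# Assumed inventory of known-good file hashes (e.g. taken from an install baseline).
KNOWN_GOOD_HASHES = {hashlib.sha256(CLEAN_HOST).hexdigest()}


def first_match(data: bytes):
    """Naive engine: return the first signature that hits and stop looking."""
    for name, sig in SIGNATURES.items():
        if sig in data:
            return name
    return None


def all_matches(data: bytes):
    """Report every signature present, not just the first one."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def disinfect(data: bytes, names):
    """Naive 'clean' step: cut out the bytes of each matched signature."""
    for name in names:
        data = data.replace(SIGNATURES[name], b"")
    return data


def classify(data: bytes):
    """Return (action, matches).

    Disinfect only when the residue after cleaning is a file we can vouch for
    (its hash is in the known-good inventory). Otherwise quarantine: the
    leftover bytes are exactly the 'unrecognized code' that needs a look.
    """
    matches = all_matches(data)
    if not matches:
        return "clean", matches
    residue = disinfect(data, matches)
    if hashlib.sha256(residue).hexdigest() in KNOWN_GOOD_HASHES:
        return "disinfect", matches
    return "quarantine", matches


if __name__ == "__main__":
    for label, sample in [("clean host", CLEAN_HOST),
                          ("simple infection", SIMPLE_INFECTED),
                          ("decoy sample", DECOY_SAMPLE)]:
        print(f"{label:17} first-match={first_match(sample)!s:13} policy={classify(sample)}")
```

The naive engine names both infected samples "Demo.Known.A" and, after stripping that marker, would report the decoy as cleaned. The hash check is what catches it: the simple infection reduces to the baseline file and can be disinfected, while the decoy leaves unexplained bytes behind and is quarantined instead. A real engine does not have a known-good hash for every file on disk, so in practice this check applies to inventoried binaries (system files, signed packages) and the quarantine path is the safe default elsewhere.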