Security Incidents mailing list archives

Re: The sky is falling, or so I am told.


From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Wed, 1 Aug 2001 08:58:10 +1200

Pluto <pluto () stderr de> wrote:

  has someone tried to change the date on an infected system to see if he
really starts again?

Indeed, people have done this, but there are gotchas because of the 
various *different* sleep states that threads go into in different 
parts of the code.  Unwary "testing" of this kind can easily lead to 
the wrong answer, as it already has for several high-profile security 
experts and I'm sure is at least part of the cause for why some 
experts say "the worm can wake up -- we have seen it in the lab" and 
why other experts are saying "in-depth code analysis *and* our tests 
show the worm does not re-awaken 'naturally'".


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

