Vulnerability Development mailing list archives
Re: Another new worm???
From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Wed, 21 Jun 2000 21:58:55 -0700
Obviously I have to drop this thread relatively quickly... I'm surprised that it has stayed relatively civil even this long. :) My thanks to those who sent private messages, or messages I didn't post, in support of my position. I let through a few that came in first or were particularly interesting. Most of the ones I let through took some level of disagreement with Dan. But, most of them took that side. I don't feel it necessary to let through any more that have to do with your position on the subject; I think Dan gets the point. Naturally, this particular list is skewed in that direction. You'd get a much different vote on NTBugtraq. I'd like to toss a couple of particular questions Dan's way, since he seems willing to answer questions as an AV guy. Dan Schrader wrote:
It doesn't matter which antivirus vendor you give it to. There are contractual agreements between most AV vendors to share viruses on request. In addition, 20+ AV vendors recently formed an organization called Rapid Exchange of Virus Samples (REVS) designed to facilitate the distribution of viruses among those who need them. If you are one of those people, contact Joe Wells at wildlist.org and join the group.
Any idea what the qualifications are? I assume one would have to agree not to distribute outside of the group. Would the group let in someone who was producing a free AV product?
The last thing any AV vendor needs is more viruses - we get (no exaggeration) over 500 new viruses a month. Thousands of files are sent to us each month for analysis.
I understand your point, but again to turn it around... you actually need "all" viruses to remain competitive, no?
What I was trying to do was reduce the likelihood of copycat viruses. AV vendors have a firm policy of never giving virus samples to anyone who we are not sure will be responsible in their handling of the virus.
That is the same as saying "we don't hire hackers." How do you know? MS tried escrowing exploits once... just once (so far.) Aleph1 had a copy of the exploit in less than 24 hours. Not all the guys working for the "proper" people follow the policy like you'd like them to.
For those few people who need to do their own analysis, there are faster, safer ways of getting the code than relying on someone sending it to you over an uncontrolled email group days or weeks after the AV vendors had analyzed the virus and provided detailed descriptions of it on our web sites. By last Friday every major AV vendor had posted write-ups
And what are the faster, safer ways, for Joe Nobody, to get those? If those exist, why do you care if I mail it out? Here is where the mailing lists and media are serving a purpose. The AV guys had the info they needed early, and presumably some had updated signature databases. The outbreak didn't happen until Monday though... by definition for this type of virus, if people were prepared, there wouldn't have been an outbreak. The failing is still people who don't update their virus databases often enough. They still need the media to cry wolf to alert them that something is up. I think the AV companies use the same mechanism that I do to weigh how high the risk level is... how many people get nailed. I've only put through like 7 pieces of malware to the list. In most cases, it was based on how widespread it was, and therefore interest level.
Let me ask the list, did one person on this list use this posting to better protect their environment?
Several people claim to have done just that. I didn't necessarily let those messages through, and I don't really want to post a message from everyone who did. BB