Vulnerability Development mailing list archives
Re: ScriptGuard
From: relloz () VO LU (Thierry Zoller)
Date: Thu, 16 Mar 2000 10:54:48 +0100
Crispin Cowan wrote:
> Thierry Zoller wrote:
>
> > > I can understand that users like to feel safe and cosy, and are ready to pay for it, but how can you offer any guarantee that these users will not be affected by the latest permutation of, say, LoveLetter.*? It is impossible to detect new viruses which are not yet in your database, and heuristics will of course only work to a limited extent.
> >
> > Nope it's not impossible, proof http://www.tlsecurity.net/cleaner/scriptguard.htm This is a _Generic_ Script Protector, it gets all variants of Loveletter and (probably) all coming vbs, hta worms as it does NOT rely on Fingerprints.
>
> Interesting tool. Definitely sounds like an approach that needs more attention.
>
> > Heuristics work pretty good for VBS scripts as the supposed "malicious" commands are static. Perhaps one could code an algorithm obscuring the commands and thus escaping Scriptguard, but this has not been made (yet)
>
> As you say, scripts can be written that appear obscured, and then de-cloak themselves as they run. The documentation on the http://www.tlsecurity.net/cleaner/scriptguard.htm site definitely needs to have its claims softened. In particular, someone should explain Alan Turing's Halting Problem to them :-)

Hehe :) The description is simply copied from the readme. The original site (makes more claims) is here: http://scriptguard.diamondcs.com.au

Thierry

> Crispin
> -----
> Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
> Free Hardened Linux Distribution: http://immunix.org
> JOBS! http://immunix.org/jobs.html