Bugtraq mailing list archives

Re: Malicious code detection and full disclosure


From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Tue, 30 Mar 1999 00:23:10 +0100


> industry deal with on an hourly basis, but that usually seldom
> impinge the consciousness of "ordinary systems managers".

You speak for them all obviously

> Publishing code for exploits seems likely to have the problems fixed.
> Publishing code for viruses won't.  People will not move to less

Why not? The code he published is trivially available. The fact you've
gone screaming about the fact he released it shows the release has
some value.

Bugtraq is a full disclosure list. It has carried detailed dismemberment
of other worms before now. The Melissa worm is little different to the
internet worm, where posting the methods it works and the reconstructed
code helped no end to fix the problems.

> To be done well though, it requires an element of expertise.  The
> antivirus industry and those of us closely affiliated with it have
> been doing this for years.  We might even be considered somewhat
> "expert" at it.

> First, this is not a security issue in the traditional sense.  Yes--I

Unauthorised execution of code causing disruption of victim's machine.
It's not even that much more mechanised than the scanners nowadays which
install rootkit, pop onto irc and then fire up themselves.

> Second, viruses spread.  However, unlike worms which are (usually)
> self-spreading exploits, there is no "vulnerability" to be fixed.

By definition there is a vulnerability. It got in, it spread, it got out.
It mailed your important documents to people. That's a vulnerability. It's
no different to a cracker mailing your payroll out.

You peddle the same myth

        "The bad guys are too stupid to work it out"

Sorry. The average bad guy can get a copy of the virus binary and mail it
as is to victims. Anyone with half a clue can extract a visual basic
program.

What are you going to do when the virus authors all start mailing source code
out to everyone on Usenet? Perhaps we should _all_ be getting our house
in order so that when they do we can chuckle safely to ourselves.

Alan


