Dailydave mailing list archives
Re: Self updating worms?
From: Gadi Evron <ge () linuxbox org>
Date: Fri, 10 Sep 2004 00:25:29 +0200
Jonathan Wilkins wrote:
The point is that the author wouldn't be doing the updating personally. The worm would update automatically based on its ability to extract new exploit vectors from *other* worms/exploits that it was able to see while
Right, and I'm an AI capable of reversing using IDA Pro and detecting protocol anomalies with no false positives/negatives using Ethereal. Wait till the guys at datarescue hear about me.
sniffing whatever network it found itself on. (Obviously this would be limited to exploits/worms that were generated using some language/product that the original author had written an extractor for)
I was being cynical above (sorry if the bad joke came out wrong). I can see how this could work, especially with so much freely available malware source available. However, I personally believe that although it might have its applications, it would never really work due to practicality. What do I do, add more functionality for an engine that might or might not work (depending on availability of previous && correct infections)? Or perhaps add more functionality for the existing "creation"? Remember.. the size of the sample is everything.
Virus creation kits exist.. what you suggest is a next-level language built on top of a current high-level one (or whatevah?). I forgot the term for it, but it's either a library (.h, .dll, .whatever) or a higher level language much like some people try and create academically, to make coding easier on people. Sorry for being thick on words, I forgot the term.
Either way, and although your idea fascinates me - I don't see it happening and refuse to discuss it further here.
I believe you have the right idea but the wrong concept. How about polymorphic engines and code generators? Biology, genes.. gotta hate it. There is a ton of material on these subjects online.
This is a fire and forget type worm that would be able to propagate very slowly without the penalties that usually apply to slow moving worms.
How do you figure that?
Releasing multiple variants increases the chances of the author being discovered with every new release.
That depends on the author, now, doesn't it?
I'm not suggesting it as a retail product, just as a potentially neat idea.
I was willing to hear you out, and I like the way you think.. but no virus is a "neat" idea. Sorry. Anyway, should we discuss ways of making viruses better? I think not, but that's just me and that is why I will withdraw from this line of conversation from here on.
Buddy, I am not trying to bust your bones and as I said.. I believe you raise valid points.. but I don't like where this is heading.
</preaching>
Gadi Evron.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave