Re: Self updating worms?

[Gadi Evron <ge () linuxbox org>]

Jonathan Wilkins wrote:

> The point is that the author wouldn't be doing the updating personally.
> The worm would update automatically based on it's ability to extract new
> exploit vectors from *other* worms/exploits that it was able to see
> while 

Right, and I'm an AI capable of reversing using IDA Pro and detecting 
protocol anomalies with no false positives/negatives using Ethereal. 
Wait till the guys at datarescue hear about me.

> sniffing whatever network it found itself on.  (Obviously this would be
> limited to exploits/worms that were generated using some
> language/product
> that the original author had written an extractor for)

I was being cynical above (sorry if the bad joke came out wrong). I can 
see how this could work, especially with so much freely available 
malware source available.
However, I personally believe that although it might have it's 
applications, it would never really work due to practicality. What do I 
do, add more functionality for an engine that might or might not work 
(depending on availability of previous && correct infections)? or 
perhaps add more functionality for the existing "creation"? Remember.. 
the size of the sample is everything.

Virus creation kits exist.. what you suggest is a next-level language 
built on top of a current high-level one (or whatevah?). I forgot the 
term for it, but it's either a library (.h, .dll, .whatever) or a higher 
level language much like some people try and create academically, to 
make coding easier on people. Sorry for being thick on words, I forgot 
the term.

Either way, and although your idea fascinates me - I don't see it 
happening and refuse to discuss it further here.

I believe you have the right idea but the wrong concept. How about 
polymorphic engines and code generators? Biology, genes.. gotta hate it. 
There is a ton of material on these subjects online.

> This is a fire and forget type worm that would be able to propogate
> very slowly without the penalties that usually apply to slow moving
> worms.

How do you figure that?

> Releasing multiple variants increases the chances of the author being 
> discovered with every new release.

That depends on the author, now, doesn't it?

> I'm not suggesting it as a retail product, just as a potentially neat
> idea.

I was willing to hear you out, and I like the way you think.. but no 
virus is a "neat" idea. Sorry.
Anyway, should we discuss ways of making viruses better? I think not, 
but that's just me and that is why I will withdraw from this line of 
conversation from here on.

Buddy, I am not trying to bust your bones and as I said.. I believe you 
raise valid points.. but I don't like where this is heading.
</preaching>

        Gadi Evron.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave