Dailydave mailing list archives

Re: Self updating worms?

From: Gadi Evron <ge () linuxbox org>
Date: Fri, 10 Sep 2004 19:48:54 +0200

I could understand why adding more features to viruses would be an issue- VX-ers always try to cram more into smaller binaries, but self updating?

The whole idea is for the runners/controllers to have control. Once theyhave control, beginning with being aware of the infected system and allthe way to using them, updating is the smallest concern. Why bother? Youcan always upload the update later or have your army download it.


We should separate Trojan horses from spreading Trojan horses (=most worms).

It's the difference between sharp shooting and using a machine gun onautomatic mode (is there any other?) to hit a canister.The sharpshooter would get it with the first shot while the machine gunwould fire a ton of led before getting lucky or blowing the dirt frombeneath it.

Drone armies? These are huge as it is and there is no lack of new dronesor ways of finding them. The kiddies trade these Trojan horses likecandy, as a friend of mine puts it.

Worms? The whole idea is to spread them. New worms spread just as well,why take the risk of leaving a trail when there are far easier wayskiddies employ daily?


        Gadi.

Oded H wrote:

There is a clear benefit for the bad guys espcially if we are talking
about organized crime to have a self updating worm, simply because although
they dont want to leave a trail they would like to get some exclusive
access to a victom host. Adding some defence (i.e. patch) to the vulnerability
on which their worm arrived is a step at that direction.

The problem with the concept though of a worm analyzing other worms propagation
methods, is that you have no real security in this method
Therefore if the worms can identify the other little brothers and sisters

variants, so do the IDS and AV systems.

Even more, any worm like this which tries to execute captured code of
other variants is doomed to die quickly since sooner or later a tool
will be created to inject a worm-payload-look-like to be captured by
the worms, which simply execute suicide. (which can be used by anyone
cause it wont REALLY spread as worm, only will look like one)

My geuss, self updating worms can exist on very small scale, if they
grow big their complexity will be their fall

Oded H.


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave

Current thread:

Self updating worms? Jonathan Wilkins (Sep 09)
- Re: Self updating worms? Gadi Evron (Sep 09)
- <Possible follow-ups>
- RE: Self updating worms? Kohlenberg, Toby (Sep 09)
  - RE: Self updating worms? Anton A. Chuvakin (Sep 09)
    - RE: Self updating worms? Dave Aitel (Sep 09)
- RE: Self updating worms? Jonathan Wilkins (Sep 09)
  - Re: Self updating worms? Gadi Evron (Sep 09)
    - Re: Self updating worms? Dave Aitel (Sep 09)
- Re: Self updating worms? Oded H (Sep 10)
  - Re: Self updating worms? Gadi Evron (Sep 10)
  - Re: Self updating worms? Blue Boar (Sep 10)
- RE: Self updating worms? Jonathan Wilkins (Sep 10)
  - Re: Self updating worms? robert (Sep 10)
- RE: Self updating worms? Jonathan Wilkins (Sep 13)
  - Re: Self updating worms? robert (Sep 13)