Dailydave mailing list archives
The Anti-Virus/IDS fantasy world
From: "No Body" <usanonymous () gmail com>
Date: Tue, 12 Jun 2007 15:33:09 -0600
I'm curious: what exactly makes writing malware difficult? Consider a sophisticated modern mass-mailer with a backdoor. In my experience, it consists of:

A) Code to inject a thread into explorer.exe; that thread then contains:
B) Code to report to a central server via HTTP;
C) A SOCKS proxy thread and/or remote file system viewer;
D) A routine to scour the disk for email addresses;
E) An SMTP client;
F) Code to ensure that the worm starts every time the system boots (almost always via the registry), and maybe
G) Code to make sure its registry key / executable are not deleted.

Each component is no more than 1,000 lines of code, and each is easily testable. For good measure, the binaries are usually packed with either FSG or UPX. Your standard IRC trojan is even less sophisticated. Trojan downloaders are literally less than ten lines of C code to write. BHOs, as well, are much easier to write than they are to analyze (if you don't believe me, try it). SymbianOS malware is excruciatingly difficult to analyze, while the malware authors have an emulator and an SDK with a rich collection of examples to work with.

I just don't see the "incredibly hard" part in writing malware: are you referring to some other class of malware than the ones I've described? I agree with Sophos (while at the same time thinking AV is snake-oil): statically analyzing malware is substantially harder than writing it.
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave