Full Disclosure mailing list archives

RE: virus-binaries


From: "Drew Copley" <dcopley () eeye com>
Date: Wed, 20 Aug 2003 14:21:02 -0700



-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Andreas Gietl
Sent: Wednesday, August 20, 2003 12:19 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] virus-binaries


Hi folks,

Since there were a lot of virus-binary requests on the list the last day and there was a huge discussion about sending binary files on the list, I'd like to propose something.

- There were a lot of double requests on the list because people were not able to find binaries in the archives. What about marking these posts with [Virus-Binary: <Name>] or something like that so people can easily find them?

- As far as I can see, every new worm/virus is requested on the list, so what if the first one on the list that catches a worm just puts it on a webpage and posts the link with the subject as described above? It looks like lots of people on the list really need these binaries (me included) and this would save a lot of time.

Suggestions welcome, flames off-list please ;-)


This would be great, but I don't think it would give netsys much value
to add this to their system from a business perspective. There are
various virus trading groups out there. These people are not researchers
or network admins. They trade virii like baseball cards. They tend to be
secretive, and often this is because trading in virii is not considered
to be a positive thing... Even if you have a legitimate reason to be
getting these.

Various sites in the past have hosted such binary collections... There
was coderz.net, which was a giant repository of various virii-writer
sites and collection sites... There is 29A, which is a group that does
everything in a full disclosure kind of spirit, but also a bit bent. As
one poster noted, there is an open-source Unix AV system which has, of
course, an open database.

Generally, the pseudo-All Powerful AV industry frowns upon this kind of
thing. These are people that "discover" applications released to the
full disclosure community. They would be quoted in articles about such a
thing ranting about how evil such a thing is. How dare people outside of
AV attempt to catalogue and classify virii for their own protection!

Lastly, if this was not clear, such a list or site would also tend to
lean towards becoming a new virus clearing house. It does depend on how
it was run and the intentions with which it was started, perhaps.

But, I am all for it. For firewall checks, for scanner checks, for
general reverse engineering purposes of the latest attack vectors...
This kind of thing is quite important outside of the pure AV industry. 

Andreas
-- 
e-admin internet gmbh
Andreas Gietl                 tel +49 941 3810884
Ludwig-Thoma-Strasse 35       fax +49 (0)1805/39160 - 29104
93051 Regensburg              mobil +49 171 6070008

PGP/GPG key at http://www.e-admin.de/gpg.html




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

