Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Tracking a virus by logging infected machines

From: Ralf <ralfml () alfray com>
Date: Mon, 01 Sep 2003 22:51:03 -0700
Richard M. Smith wrote:

Not that I want to encourage virus writing, but I think it would be very
helpful to gather infection statistics if a  virus were to keep a log of
the IP addresses of all the machines it infected.  The log could be
appended to the end of the executable file of the virus.  Each copy of a
worm or virus would contain a record of one branch of the tree of
infected machines.
I don't have any practical experience in writing viruses (and surely don't want to) but that's doesn't seem applicable. I'd expect the infection tree to be much wider than deeper so much not knowledge would be seen in such the log of a single branch of the tree, except a way to target the immediate source of infection (and trace back the author?). Adding the log to the virus itself doesn't seem too viable, especially as text that could be easily detected by the dumbest AV.
A better way would be to use a trojan that contacts a central server at some point (like the DDoS trojans do). Then the trojan can send info about where it is right now and where it comes from so it doesn't need to keep it's own log. Given the wild imagination of the various viruses authors around and their number, I'm sure that's already been done. 

R/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: