Full Disclosure mailing list archives
Re: Tracking a virus by logging infected machines
From: Ralf <ralfml () alfray com>
Date: Mon, 01 Sep 2003 22:51:03 -0700
Richard M. Smith wrote:
Not that I want to encourage virus writing, but I think it would be very helpful to gather infection statistics if a virus were to keep a log of the IP addresses of all the machines it infected. The log could be appended to the end of the executable file of the virus. Each copy of a worm or virus would contain a record of one branch of the tree of infected machines.
I don't have any practical experience in writing viruses (and surely don't want to) but that doesn't seem applicable. I'd expect the infection tree to be much wider than deep, so not much knowledge would be seen in such a log of a single branch of the tree, except a way to target the immediate source of infection (and trace back the author?). Adding the log to the virus itself doesn't seem too viable, especially as text that could be easily detected by the dumbest AV.
A better way would be to use a trojan that contacts a central server at some point (like the DDoS trojans do). Then the trojan can send info about where it is right now and where it comes from so it doesn't need to keep its own log. Given the wild imagination of the various virus authors around and their number, I'm sure that's already been done.
R/