Full Disclosure mailing list archives
RE: MyDoom download info
From: Steve Wray <steve.wray () paradise net nz>
Date: Sat, 31 Jan 2004 09:56:22 +1300
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Daniel Spisak

> Hey guys, In the interest of saving my sanity and my inbox I am posting
> this to the list as I am just starting to get buried under everyone's
> emails requesting copies of the virii and I've got other priorities that
> need me right now. So without further ado here is the location for the
> files for anyone to grab. Please only grab these if you A) Know what you
> are doing and B) Intend to disassemble/analyze the virii. Thanks!
I'm curious; there is software out there which won't, for example, run in VMware. It throws an error about running under a debugger. Given that it's possible for a program to detect that it's being run under a debugger, wouldn't it be possible for a virus to behave differently in the debug environment?

Another issue is timing of attacks; so far I've read about people running virii and trojans in lab conditions and setting the system clock here and there to see what the malware will do on a particular date. At first I thought about the malware connecting to NTP servers to get the date; IIRC that's already been done. But outgoing connections to NTP servers are pretty obvious. Wouldn't it be possible for malware to connect to some dynamically generated web pages (on port 80) and check for timestamps? I bet there are millions of possible sources of such timestamps out there. In this case, the malware knows that it's not running in a debugger so it does its stuff; the analyst sees the outgoing connection to www.foobar.baz/wherever but doesn't know what the hell the virus is looking for on that page... If the malware doesn't get a good timestamp from a few probes like that, it assumes that it's running in a lab and goes to sleep, or even just deletes itself.

I'm not trying to put ideas into the heads of virus writers, but pointing out that given a sufficiently devious virus writer, there seems to be little chance of getting a successful analysis. I.e.: how do you know that the behavior you see in the lab reflects behavior in the real world? (I get a kind of 'Schrödinger's cat' déjà vu.)

How valid are my points?

Thanks!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
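The timestamp check Steve describes is cheap to build, which is the practical reason it matters for a malware lab: every ordinary HTTP response carries a Date header, so a sample never needs NTP to learn the real date. The following is an added example written for this archive page, not code from the original post, from MyDoom, or from any other sample. It assumes nothing about a particular piece of malware; the HTTP responses are constructed inline so it runs offline, and the tolerance, quorum and skew thresholds are illustrative choices.

```python
"""
Clock-consistency check from HTTP Date headers (added example, not from the
original post or any malware). Shows how a program can recover the real
date from port-80 traffic, compare it with the system clock, and treat
"no agreeing timestamps" or "clock far off" as a sign of a lab. All
responses below are constructed test data; nothing touches the network.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def utc(*args):
    """Build an aware UTC datetime: utc(2004, 1, 31, 9, 56, 22)."""
    return datetime(*args, tzinfo=timezone.utc)


def date_header(raw_response: bytes):
    """Return the Date header of an HTTP response as an aware datetime, or None."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:            # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"date":
            try:
                dt = parsedate_to_datetime(value.strip().decode("ascii", "replace"))
            except (TypeError, ValueError):        # older/newer Python raise differently
                return None
            if dt.tzinfo is None:                  # RFC 2822 "-0000" yields a naive value
                dt = dt.replace(tzinfo=timezone.utc)
            return dt
    return None


def consensus_time(responses, tolerance=timedelta(minutes=10), quorum=2):
    """
    Pick the 'real' time as the median of the largest group of Date values
    that agree within `tolerance`. Returns None unless at least `quorum`
    sources agree, so one odd server (or one spoofed reply) cannot set it.
    """
    stamps = [d for d in (date_header(r) for r in responses) if d is not None]
    best = []
    for anchor in stamps:
        group = [s for s in stamps if abs(s - anchor) <= tolerance]
        if len(group) > len(best):
            best = group
    if len(best) < quorum:
        return None
    ordered = sorted(best)
    return ordered[len(ordered) // 2]


def clock_verdict(responses, local_now, max_skew=timedelta(hours=1)):
    """
    'no_consensus' -> too few usable timestamps (the post's "assume it's a lab")
    'skewed'       -> system clock disagrees with the network by more than max_skew
    'consistent'   -> system clock matches the outside world
    """
    real = consensus_time(responses)
    if real is None:
        return "no_consensus"
    if abs(local_now - real) > max_skew:
        return "skewed"
    return "consistent"


# Constructed responses, as a lab proxy or live web servers might return them.
RESP_A = (b"HTTP/1.1 200 OK\r\nDate: Sat, 31 Jan 2004 09:56:22 GMT\r\n"
          b"Content-Type: text/html\r\n\r\n<html></html>")
RESP_B = (b"HTTP/1.1 302 Found\r\nLocation: /\r\n"
          b"Date: Sat, 31 Jan 2004 10:01:05 GMT\r\n\r\n")
RESP_C = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"            # no Date header
RESP_D = b"HTTP/1.1 200 OK\r\nDate: not a date\r\n\r\n"             # unparseable Date
RESP_E = b"HTTP/1.1 200 OK\r\nDate: Thu, 01 Jan 2004 00:00:00 GMT\r\n\r\n"  # outlier
SAMPLE_RESPONSES = [RESP_A, RESP_B, RESP_C, RESP_D, RESP_E]


def demo():
    """Run the check against a matching clock and against a lab clock wound forward."""
    real_clock = utc(2004, 1, 31, 10, 0, 0)
    lab_clock = utc(2004, 2, 12, 0, 0, 0)          # analyst set the date ahead
    return {
        "consensus": consensus_time(SAMPLE_RESPONSES),
        "real": clock_verdict(SAMPLE_RESPONSES, real_clock),
        "lab": clock_verdict(SAMPLE_RESPONSES, lab_clock),
        "starved": clock_verdict([RESP_C, RESP_D, RESP_E], lab_clock),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lab-side consequence is the useful part: winding the VM clock forward while letting the sample reach real web servers is exactly the combination this check catches, and starving it of any Date headers trips the quorum branch instead. A sandbox that wants the "real world" behaviour either keeps the guest clock honest, or routes port 80 through a proxy that rewrites Date headers to match whatever clock the guest has been given.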
Current thread:
- MyDoom download info Daniel Spisak (Jan 30)
- RE: MyDoom download info Steve Wray (Jan 30)
- Re[2]: MyDoom download info Papp Geza (Jan 30)
- Re: MyDoom download info Scott Taylor (Jan 30)
- Re: MyDoom download info Daniel Spisak (Jan 30)
- Re: MyDoom download info Scott Taylor (Jan 30)
- Re: MyDoom download info Valdis . Kletnieks (Jan 31)
- Re: MyDoom download info Oliver Schneider (Jan 31)
- Re: MyDoom download info Daniel Spisak (Jan 30)
- Re: MyDoom download info Roland Dobbins (Jan 31)
- RE: MyDoom download info Steve Wray (Jan 30)
- mydoom.exe decyphering? Danny (Jan 31)
- Re: [Full-Disc]: mydoom.exe decyphering? Anders (Jan 31)
- <Possible follow-ups>
- RE: MyDoom download info first last (Jan 30)