Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

detecting targetted malware

From: "lsi" <stuart () cyberdelix net>
Date: Mon, 22 Jan 2007 12:42:43 -0000
This is probably patented and implemented already but nonetheless its 
a new idea for me, so I mention it...

While mass-produced malware remains an issue for a most users, an 
significant threat is also posed by malware customised for a specific 
victim (so called 'targetted malware').  This threat is potentially 
worse as an organisation cannot rely on traditional AV or anti- 
spyware scanners to detect the targetted malware; as the malicious 
code is customised it does not have an entry in AV/AS signature 
databases.

Despite this, detecting customised code should be easy.  All that's 
needed is a scanner.  It simply finds every piece of executable code 
on a system.  It then compares each piece with its list of known-good 
executables.  Any executable that is found but is not on the list is 
an intruder.

This approach takes advantage of the fact that, unlike spam, we can 
make a list of all our known-good items.

Stu

---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: