funsec mailing list archives

Re: Re: Malware sharing? People are full of shit [was: Get your computer viruses here!]


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 30 Dec 2005 18:17:36 +1300

Blue Boar to Drsolly:

Both groups will be helped, but the poorer malware coders will be helped 
more.

Any evidence to back that up, or is it an article of faith?

Historically, despite their writing "functional" (and occasionally even 
"successful") viruses and other malware, most virus/malware writers 
were poor coders with very limited understanding of what they were 
doing, often taking code with several generations of development by 
others (most with similarly poor understanding of what the code 
actually did and how the systems it interacted with responded) and 
tweaking it.  Often this new code just doesn't work -- I mean, it will 
compile, but running it has few to none of the intended effects, not 
even the ones the original did.

As just one (high-profile) example, Jan de Witt (sp?) who was fined (?) 
by a Dutch court for writing and distributing the "Anna Kournikova" 
virus (technically VBS/VBSWG.J) was just dumb lucky (or unlucky, 
depending on your perspective) -- the "VBS Worm Generator" version he 
used to create the VBS Email worm produced mostly non-functional code. 
When run most code output by the kit (from memory this varied from 100% 
to around 25% depending on kit's version) threw runtime errors _very_ 
early in the code (well before the mass-mailing or any destructive 
payload routines).  After he was found guilty by the court de Witt 
admitted in an interview that he had never actually tested the code 
because he did not want to get in trouble for messing up his father's 
computer...

Historically we have seen a few of these very incapable malware writers 
peer up with others (usually in groups, often organized around 
producing the newest, most l33t VX zine...) and improve as a result of 
the tutoring they get from those peers.

It is inconceivable that some of the similarly poor among today's bot, 
downloader, web exploit, etc writers will not relish the opportunity of 
taking similar advantage of the presumably better-on-average 
researchers Val hopes to attract to his site.  _If_ Val is successful 
in this _AND_ Val continues without suitable membership vetting some 
bad guys will certainly gain significant benefit from the site.


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

