funsec mailing list archives

Re: write viruses? it's controversy time of the month


From: Drsolly <drsollyp () drsolly com>
Date: Wed, 30 Aug 2006 02:10:34 +0100 (BST)

On Tue, 29 Aug 2006, Blue Boar wrote:

Dude VanWinkle wrote:
What if the viruses you create are programmed to only work on a
private IP range (10.254.127.0/24), or that expire after a certain
date (say 1 week).

Does that remove the unwanted moral hangups?

Most people in the AV industry would say that you created a variant, and 
now they might not detect it, and that's much worse (than spreading the 
original.)

Interestingly, I did pretty much exactly that with Nimda.A, in order to 
test a product I was developing.  Afterwards, I thought I would be a 
good guy, and submit samples to the AV companies. 

Uh - no. That's not being a good guy. Being a good guy means you deleted 
all copies of the virus.

By sending it to the AV companies, you have added a very tiny amount to 
the virus problem. 

If a product is doing exact identification (such as Findvirus certainly 
did when I was maintaining it), then an additional variant means that I have 
to add ten or twenty bytes to the driver file. This makes the product take 
a minute fraction of a second longer to run (because it's reading a longer 
file at startup), and consumes fractionally more bytes on the distribution 
diskettes (or if distributing over the net, adds a tiny fraction of a 
second to the download time).

I spelled out what I had done in the email.

I said something to the effect of "I made a variant of Nimda.A".

Most of the responses I got back were "That's a variant of Nimda.A.  We 
detect it as 'Nimda.A'"

Uhh... thanks.

Surely at least one of them explained to you why what you did wasn't a 
good idea?

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

