funsec mailing list archives

Re: Overloading AV software, was Question about Viruses


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Fri, 7 Jul 2006 16:55:15 -0400

On 7/7/06, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
> On Fri, 07 Jul 2006 13:34:08 EDT, "Richard M. Smith" said:
> > >>> But for the most part massimo is right, it's a dumb strategy
> >
> > Hmm, what if the bad guys overloaded a user with virus warning messages as a
> > strategy to get people to turn off their AV software.  For example, could a
> > Web page download a few hundred image files with known virus signatures
> > tacked on the end of each file in order to make AV software go nuts?  Could
> > the same trick be used in an HTML email message?
>
> The system just goes 'Oink' or maybe casters-up.  The basic idea of using
> a fork bomb or other resource consumer to DoS a box has been known since
> the mid 60s, not exactly news here.. ;)  The system will either eventually
> scan all the content or bomb out - I don't know of *anybody* who has a product
> so brain dead that it will say "Wow, I've got 48 waiting to be scanned, let's
> just start giving them a free pass so I don't fall behind" (if anybody knows
> of one that bad, please name names so we can add some chlorine to the AV gene
> pool...)
>
> We had a nasty run-in with some malware that nested its zip payload down under
> multiple levels of MIME.  Seems when it was more than 99 levels down, things
> got wonky and piggy.   And even more wonky and piggy when you had several
> thousand of the beasts in the queue. (Yes, we whinged at the vendor, and they
> sent us a patch to make it a lot less a bacon source...)

The zip-bomb?

I seem to remember McAfee or Symantec doing that.
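The deep-MIME-nesting failure described above, handled the way the thread argues a scanner should: as an added example (not code from the thread or from any vendor's product), a bounded-depth MIME walk that returns a reject verdict once nesting passes a fixed limit, instead of recursing indefinitely or waving the message through. The limit of 16, the function names and the constructed test message are assumptions.

```python
"""Bounded-depth MIME walk: nesting beyond a limit is a reject verdict,
never a free pass and never unbounded recursion."""
import email
from email import policy
from email.message import EmailMessage

MAX_DEPTH = 16  # assumed site policy; the thread saw trouble past 99 levels


class TooDeep(Exception):
    """Raised when a message nests multiparts beyond the allowed depth."""


def walk_bounded(msg, depth=0, max_depth=MAX_DEPTH):
    """Yield (depth, content_type) for every part; raise past max_depth.

    The depth check runs before any work on the part, so a 100-level
    wrapper costs only max_depth+1 steps rather than a full descent."""
    if depth > max_depth:
        raise TooDeep(f"MIME nesting exceeds {max_depth} levels")
    yield depth, msg.get_content_type()
    if msg.is_multipart():
        for part in msg.iter_parts():
            yield from walk_bounded(part, depth + 1, max_depth)


def scan_verdict(raw_bytes, max_depth=MAX_DEPTH):
    """Parse raw message bytes; return ('ok', part_count) or ('reject', why).

    A reject is a terminal verdict for the caller (quarantine/bounce), not a
    signal to skip scanning and deliver anyway."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    try:
        parts = list(walk_bounded(msg, max_depth=max_depth))
    except TooDeep as exc:
        return ("reject", str(exc))
    return ("ok", len(parts))


def build_nested(levels):
    """Constructed test input: `levels` multipart/mixed wrappers around one
    text part, the shape of the message the thread complains about."""
    inner = EmailMessage()
    inner.set_content("placeholder body, not a real payload")
    for _ in range(levels):
        outer = EmailMessage()
        outer.make_mixed()
        outer.attach(inner)
        inner = outer
    inner["Subject"] = "nested test message"
    return inner.as_bytes()
```

Counting parts while walking also gives the queue-side metric the thread mentions: a message that is both deep and wide is the one to push to a slower, isolated scanning lane.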



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

