Vulnerability Development mailing list archives

Re: Another new worm??? (long)


From: pierre () DATARESCUE COM (Pierre Vandevenne)
Date: Thu, 22 Jun 2000 18:26:54 +0200


On Thu, 22 Jun 2000 10:09:42 +0200, rune () trans4media com wrote:

On Wed, 21 Jun 2000, you wrote:

[Hyped viruses - Hare Krishna]

AV companies still hype viruses and overexaggerate their threats.

Oh yes....

point of view and giving vandals the tools to wreak havoc is not the
best way to address the problem...

And *because* of the seriously flawed way EEPROMs are used - the information
*SHOULD* be published.  That way - hardware companies will understand how
stupid it is to do "that and that".

Sure, in principle you are more than right. I believe the manufacturers
understand but that solving the issue is just not practical. To take an
analogy, we know nails will punch holes in tires and the industry
doesn't address the problem because making nail resistant tires would
cost three times the cost of conventional ones and people have
developed some kind of global road ethics - they don't spread nails on
roads....

When people find out how flawed their
hardware is, they have the option of swapping it *before* an accident strikes.

Yes - but they won't know, won't find out until it happens and when it
does will be misinformed. If the payload hits some general or
congressman's MP3 player, some 17 year old kid will be fined 30 million
dollars, sentenced to jail and sacrificed on the hacker's altar ;-)

Oh, and .. CIH .. was kind of .. widespread.   Anyone with a disassembler could
analyze the virus.

Well, it took me two hours to understand it and I recognized the
flashing routine by sheer luck (I had patched a flasher that wouldn't
run on fast computers a month or so before). Most a-v companies
missed the flashing routine in their initial analysis, one of them
activated the routine by accident and investigated - one argument for
more open analysis btw - then I spent a couple of days downloading
EEPROM PDF docs and looking at the Award flasher. OTOH, when I saw an
e-mail worm it took me (and everyone) less than 5 minutes to understand
how it worked.

That's imho the key difference: anyone can spare an hour or two - not
anyone can spend 4 days on a project. Besides, people who are able to
analyze CIH usually have a job and don't have time to lose as vandals.
One hour of cutting and pasting in vbs or vba is all it takes.

As you have noticed, while there are hundreds of devices that can be
flashed, there are only a few very minor CIH variants. VBS/VBA worms
are appearing constantly...


---
http://www.datarescue.com/idabase/ida.htm
IDA Pro 4.1 - Yes, we have done it again !


