Vulnerability Development mailing list archives
Re: Another new worm??? (technical)
From: pierre () DATARESCUE COM (Pierre Vandevenne)
Date: Fri, 23 Jun 2000 19:17:24 +0200
On Fri, 23 Jun 2000 15:08:16 +0200, Bluefish wrote:
To begin with, you assume the filter to act on the information most easily "polymorphed". Obviously you could do far more advanced filters which aim at things less easily modified.
There is no such thing as hard-to-modify things in macro-viruses / script viruses. There is a paper by David Chess on the IBM site about that. He calls them "soft" viruses because in fact for different reasons they are very resistant to small changes. Change random bytes in a worm like Love Letter, it will keep working in 90% of the cases. Change random bytes in a virus written in assembly language, it crashes in 99.9% of the cases.
However, you assume you need to scan against everything. But actually, email viruses don't have that long a lifespan (probably because they're easily detected).
They have a long life span - people are still regularly infected by Happy99 or KAK for example. The reason why they don't remain widespread is that anti-virus programs put ecological pressure on them. All it takes is one Love Letter that is not filtered to restart an epidemic inside a company.
For many applications a defence which stops the 3 most common spreading email viruses will be enough. As an example, an administrator notices a
Sure, that is a good thing and I have said so. That is why I support full disclosure of such script codes. But it is not a long-term solution because once a virus gets out of these filters, it can restart an epidemic, unless you have anti-virus installed.
* Simple mail filters are not a long-term solution but are a good emergency measure.
* Implementing an open source anti-virus based on simple e-mail filters only is doomed.
* A system that is inherently weak should be fixed at the root.
These were my points, I am sorry if I did not express myself clearly enough.
After all, they do know that very, very few users actually use macros, scripting email etc.
1) Corporates use them.
2) It is Microsoft's job: you can't sell a program that removes parts that MS considers essential to its exploitation system.
3) MS issues patches
(/me still not able to stop laughing after the wild accusations...)
I am sorry, I failed to see where I have "wildly accused" you of anything. In any case, accept my apologies for anything that could have offended you directly or indirectly.
---
http://www.datarescue.com/idabase/ida.htm
IDA Pro 4.1 - Yes, we have done it again !