Vulnerability Development mailing list archives
Re: Another new worm???
From: Dan_Schrader () TRENDMICRO COM (Dan Schrader)
Date: Fri, 23 Jun 2000 11:53:14 -0700
Bennett Todd wrote:
Your reply shows a lack of understanding of the security community and how we work.
Full disclosure has resulted in proliferation of security fixes. It also has resulted in a proliferation of security exploits.
We develop understandings of problems, and work together to evolve the best possible fixes for them. Many of us maintain our own email filtering systems. I've developed one, which I maintain, which spots problem messages (currently a long list of attachment types, recognizing either MIME or uue, plus one magic string from one HTML-borne worm), and sanitizes the messages on the way through the mail transport agent.
Good work - then 2 years ago when the shs exploit was publicized you should have added shs files to your filter, and you should have had no problem with the stages virus.
The commercial Anti-Virus business community has developed a symbiotic relationship with virus writers.
Yes, and doctors have a symbiotic relationship with bacteria, drunk drivers and crooks with guns. But they don't distribute rotten food, beer and guns - and we don't distribute viruses.
Do you make recognition databases publicly available in a publicly-documented format,
No - then the virus writers would find it simple to work around our detectors. You fail to grasp the significance of having thousands of intelligent (ok, some are only semi-intelligent) agents actively seeking to break our defences. Dozens of viruses have been written specifically to beat popular AV products. This is not a passive exploit we are trying to deal with, it is active, hostile coders. If it were a passive exploit, I'd say go ahead and publish.
for those of us who don't want to run your software to use to try and keep up with the evolution of email worms?
We have 63 worms listed in our encyclopedia, another hundred that haven't made the list. How many have you analyzed and added filters for? If you are just filtering on file extension, you don't need to analyze the code - all you needed was provided long before this virus was posted to the list.
If not, please go away, or at least give up trying to silence those of us who are trying to solve this problem, rather than to profit from it.
Yup, I'm guilty of drawing a salary. I'm also guilty of trying to limit development and spread of copycat viruses.
Dan
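The extension filtering both posters refer to (attachment names recognized through MIME headers or uuencode, with .shs on the list), sketched as an added example that is not from the thread or from either poster's filter. The blocklist, the function names and the sample messages are constructed assumptions.

```python
import email
import re
from email import policy

# Constructed blocklist; .shs is the attachment type named in the thread.
BLOCKED_EXTENSIONS = {".shs", ".vbs", ".exe", ".scr", ".pif"}
# A uuencoded file starts with "begin <octal mode> <filename>".
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (.+?)\s*$", re.MULTILINE)

def attachment_names(raw_message):
    """Return every filename declared through MIME headers or uuencode."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            names.append(part.get_filename())
        # uuencoded files sit inside text bodies, outside any MIME header.
        if part.get_content_maintype() == "text":
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            names.extend(UU_BEGIN.findall(body))
    return names

def blocked_attachments(raw_message):
    """Return filenames whose final extension is on the blocklist."""
    hits = []
    for name in attachment_names(raw_message):
        # Trailing dots/spaces are dropped so "x.shs." still matches.
        cleaned = name.strip().rstrip(". ").lower()
        ext = "." + cleaned.rsplit(".", 1)[-1] if "." in cleaned else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits

# Constructed sample messages (not taken from the thread).
SAMPLE_MIME = (
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nsee attached\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="notes.txt.shs"\n\nAAAA\n'
    "--b1--\n"
)
SAMPLE_UUE = "Subject: hi\n\nhello\nbegin 644 joke.vbs\n#0V%T\n`\nend\n"
SAMPLE_CLEAN = "Subject: hi\n\nbegin with the report.txt summary\n"

if __name__ == "__main__":
    for sample in (SAMPLE_MIME, SAMPLE_UUE, SAMPLE_CLEAN):
        print(blocked_attachments(sample))
```

Matching on the final extension is what catches a double-extension name such as `notes.txt.shs`, and the uuencode check covers attachments that never appear in a MIME header.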