Vulnerability Development mailing list archives
Re: Another new worm??? (technical)
From: 11a () GMX NET (Bluefish)
Date: Sat, 24 Jun 2000 03:29:59 +0200
> There is no such thing as hard to modify things in macro-viruses / script viruses. There is a paper by David Chess on the IBM site about that. He calls them "soft" viruses because in fact for different reasons they are very resistant to small changes.

I'm no expert on the VBS-files, so I can't argue on that. But macros in e.g. Word which can auto-execute are easily detected?

> Change random bytes in a worm like Love Letter, it will keep working in 90% of the cases.

Which only demonstrates that you should look at important stuff. ;-) If I would (which I won't ;-) develop an AV designed to deal with emails, I would offer a number of options where the user (administrator) could decide how to deal with scripts containing file access etc. and let them classify what kind of defence they feel they need. To simplify the process I would offer a number of default settings ("paranoid" being default, "block all scripts" would be what I enabled where I work).

> Change random bytes in a virus written in assembly language, it crashes in 99.9% of the cases.

That's fairly obvious to anyone with a limited understanding of how the common commercial machine languages work, eh... ;)

> * Simple mail filters are not a long term solution but are a good emergency measure.
> * Implementing an open source anti-virus based on simple e-mail filters only is doomed.
> * A system that is inherently weak should be fixed at the root.
> These were my points, I am sorry if I did not express myself clearly enough.

Seems we agree on most things :)

> > After all, they do know that very, very few users actually use macros, scripting email etc.
> 1) Corporates use them.

In my experience: rarely. Of course this may depend on where one has worked etc., but I feel safe to say that even among companies less than a percentage do use the macro functionality, even less the autoexecutes. A scripting email being useful was news to me, what exactly would the purpose be? Multimedial emails? I have my doubts. The only contact with macro programming I've had is consultants who use VBA to access Excel/Access databases (those people really did not know their business - I had to help them out although I had no prior experience of VB)...

> 2) It is Microsoft's job: you can't sell a program that removes parts that MS considers essential to its exploitation system.

I would, if I was in charge of a company, be ready to pay for software which identifies possible insecure features (also those related to human factors such as social engineering, alas disabling hiding of extensions etc.) and offers a) warnings only, b) fixing if user agrees (default) or c) automatic fixing. Personally, I would of course like such software free, GPL-ed or something, but I do think numerous companies would enjoy that feature.

> 3) MS issues patches

I do think AV tools could at least recommend fixes? A simple option "security analysis" in one of those interactive AVs wouldn't require overly much code and could easily detect settings commonly exploited by viruses. And then it could prompt something like "Check microsoft.com for security updates? [y/n]". If yes, simply send Explorer to the correct URL.

> I am sorry, I failed to see where I have "wildly accused" you of anything. In any case, accept my apologies for anything that could have offended you directly or indirectly.

Oh, you haven't. I was thinking about the trendmicro post which brought up these threads. Was kinda reading them and then reading your mail ;)

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
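The policy-driven mail filter sketched in the reply above (administrator-selectable defence levels, scripts classified by whether they touch the file system, a "paranoid" default and a "block all scripts" setting, plus the hidden-extension trick mentioned later) can be illustrated with a small gateway-side triage routine. This is an added example, not code from the poster or from any product named in the thread; the policy names, the indicator patterns, the `Verdict` type and the sample attachments are all assumptions constructed for the illustration.

```python
"""Policy-driven triage of scripted e-mail attachments (added example).

Indicator patterns are only a constructed starting point: they flag the
constructs that give a script reach beyond its own text (file system
objects, COM automation, registry writes), not any particular worm.
"""
import os
import re
from dataclasses import dataclass

# Extensions the Windows Script Host will run directly (assumed list).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}

# Case-insensitive because VBScript identifiers are. Constructed indicators.
INDICATORS = {
    "file access": [
        r"Scripting\.FileSystemObject",
        r"\.(OpenTextFile|CreateTextFile|CopyFile|DeleteFile)\(",
    ],
    "automation": [
        r"\bCreateObject\(",
        r"WScript\.Shell",
        r"Outlook\.Application",
        r"\.RegWrite\(",
    ],
}

# Default settings an administrator could pick from (names are assumptions).
POLICIES = {
    "block all scripts": {"block_all": True, "block_on": set()},
    "paranoid": {"block_all": False,
                 "block_on": {"file access", "automation", "disguised extension"}},
    "warn only": {"block_all": False, "block_on": set()},
}


@dataclass(frozen=True)
class Verdict:
    action: str        # "deliver", "warn" or "quarantine"
    reasons: tuple     # indicator labels that drove the decision


def script_extension(filename):
    """Return the final extension, lower-cased, if it is a script type."""
    ext = os.path.splitext(filename)[1].lower()
    return ext if ext in SCRIPT_EXTENSIONS else None


def is_disguised(filename):
    """True for names like 'LETTER.TXT.vbs' whose inner suffix mimics a document,
    which matters when Explorer hides the real (last) extension."""
    stem = os.path.splitext(filename)[0]
    return os.path.splitext(stem)[1] != ""


def classify(filename, body):
    """Collect the indicator labels present in a script attachment."""
    reasons = []
    if is_disguised(filename):
        reasons.append("disguised extension")
    for label, patterns in INDICATORS.items():
        if any(re.search(p, body, re.IGNORECASE) for p in patterns):
            reasons.append(label)
    return tuple(reasons)


def apply_policy(policy_name, filename, body):
    """Decide what the gateway does with one attachment under one policy."""
    policy = POLICIES[policy_name]
    if script_extension(filename) is None:
        return Verdict("deliver", ())          # not a script: out of scope here
    if policy["block_all"]:
        return Verdict("quarantine", ("script attachment",))
    reasons = classify(filename, body)
    blocked = tuple(r for r in reasons if r in policy["block_on"])
    if blocked:
        return Verdict("quarantine", blocked)
    if reasons:
        return Verdict("warn", reasons)        # deliver, but tell the user why
    return Verdict("deliver", ())


# Constructed sample attachments (not real mail, not a real worm).
SAMPLE_FILE_SCRIPT = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'Set f = fso.OpenTextFile("C:\\notes.txt", 1)\n'
    'MsgBox f.ReadAll\n'
)
SAMPLE_HARMLESS_SCRIPT = 'MsgBox "Hello"\n'

if __name__ == "__main__":
    for policy in POLICIES:
        for name, body in (("MESSAGE.TXT.vbs", SAMPLE_FILE_SCRIPT),
                           ("hello.vbs", SAMPLE_HARMLESS_SCRIPT),
                           ("report.txt", SAMPLE_FILE_SCRIPT)):
            print(f"{policy:18} {name:16} {apply_policy(policy, name, body)}")
```

The point of splitting `classify` from `apply_policy` is the one the reply makes: detection and decision are separate, so the same indicator hits can mean "quarantine" under a paranoid policy and "deliver with a warning" under a permissive one, without changing the detector.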
Current thread:
- Re: Another new worm???, (continued)
- Re: Another new worm??? Dan Schrader (Jun 21)
- Re: Another new worm??? Bennett Todd (Jun 21)
- Re: Another new worm??? (technical) Pierre Vandevenne (Jun 22)
- Re: Another new worm??? (technical) Bluefish (Jun 23)
- Re: Another new worm??? (technical) Pierre Vandevenne (Jun 23)
- Re: Another new worm??? (technical) Max Vision (Jun 23)
- Re: Another new worm??? (technical) Pierre Vandevenne (Jun 23)
- Re: Another new worm??? (technical) Max Vision (Jun 23)
- Re: Another new worm??? (technical) Pierre Vandevenne (Jun 23)
- Re: Another new worm??? Bennett Todd (Jun 21)
- Re: Another new worm??? (technical) Bluefish (Jun 23)
- Re: Another new worm??? Dan Schrader (Jun 21)
- Re: Another new worm??? (technical) Bluefish (Jun 23)
- Capturing System Calls Green Charles Contr AFRL/IFGB (Jun 22)
- Re: Capturing System Calls Christofer C. Bell (Jun 22)
- Re: Capturing System Calls Steve Mosher (Jun 22)
- Re: Capturing System Calls Chon-Chon Tang (Jun 22)
- Re: Capturing System Calls Jonathan Leto (Jun 22)
- Re: Capturing System Calls Michal Zalewski (Jun 22)
- Re: Capturing System Calls Ryan Permeh (Jun 22)
- Re: Capturing System Calls Pavel Kankovsky (Jun 22)
- Re: Capturing System Calls Todd Garrison (Jun 22)
- Re: Capturing System Calls Andrew Reisse (Jun 22)