Re: New worm?

[thierry () WAATLEEFT LU (Thierry Zoller)]

Dimitry Andric wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2000-05-11 at 10:57 Dan Schrader wrote:
>
> > A number of ISPs (US West, Sprint, British Telecom to name a few)
> > are now offering virus scanning as a value added service.  This
> > allows them to differentiate themselves and generate added revenues.
> > Users seem to like the feature.
>
> I can understand that users like to feel safe and cosy, and are ready
> to pay for it, but how can you offer any guarantee that these users
> will not be affected by the latest permutation of, say, LoveLetter.*
> ?  It is impossible to detect new viruses which are not yet in your
> database, and heuristics will of course only work to a limited
> extent.

Nope it's not impossible, proof
http://www.tlsecurity.net/cleaner/scriptguard.htm
This is a _Generic_ Script Protector, it get's all variants of Loveletter
and (probably) all coming vbs,hta worms as it does NOT rely on
Fingerprints.
Heuristics work pretty good for VBS scripts as the supposed "malicious"
commands are static.
Perhaps one could code an algorithm obscuring the commands and thus
escaping Scriptguard, but this has not been made (yet)

Thierry Zoller

> So if you offer a guarantee, then you might be sued by users who
> become infected even after using your scanning service. On the other
> hand, if you don't offer any guarantee, what is your scanner service
> worth then? To me, it would then seem of no use at all, except for
> draining customer's pockets.
>
> Cheers,
> - --
> Dimitry Andric <dim () xs4all nl>
> PGP key: http://www.xs4all.nl/~dim/dim.asc
> KeyID: 4096/1024-0x2E2096A3
> Fingerprint: 7AB4 62D2 CE35 FC6D 4239 4FCD B05E A30A 2E20 96A3
>
> -----BEGIN PGP SIGNATURE-----
> Version: Encrypted with PGP Plugin for Calypso
> Comment: http://www.gn.apc.org/duncan/stoa_cover.htm
>
> iQA/AwUBORv30rBeowouIJajEQIyYQCg1QIMWGlzOQPxi4yngG1tKGzmxIMAoNgf
> bjvEi0P6HCb/MJRvmyloLTgf
> =Ai3b
> -----END PGP SIGNATURE-----