Vulnerability Development mailing list archives

ScriptGuard


From: crispin () WIREX COM (Crispin Cowan)
Date: Tue, 16 May 2000 08:44:03 +0000


Thierry Zoller wrote:

I can understand that users like to feel safe and cosy, and are ready
to pay for it, but how can you offer any guarantee that these users
will not be affected by the latest permutation of, say, LoveLetter.*?
It is impossible to detect new viruses which are not yet in your
database, and heuristics will of course only work to a limited extent.

Nope it's not impossible, proof
http://www.tlsecurity.net/cleaner/scriptguard.htm
This is a _Generic_ Script Protector, it gets all variants of
Loveletter and (probably) all coming vbs,hta worms as it does NOT rely
on Fingerprints.

Interesting tool.  Definitely sounds like an approach that needs more
attention.


Heuristics work pretty good for VBS scripts as the supposed
"malicious" commands are static.
Perhaps one could code an algorithm obscuring the commands and thus
escaping Scriptguard, but this has not been made (yet)

As you say, scripts can be written that appear obscured, and then
de-cloak themselves as they run.  The documentation on the
http://www.tlsecurity.net/cleaner/scriptguard.htm site definitely needs
to have its claims softened.  In particular, someone should explain
Alan Turing's Halting Problem to them :-)

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
                  JOBS!  http://immunix.org/jobs.html
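
An added example, not part of the original post and not ScriptGuard's own logic (the page does not describe how it works): a static heuristic of the kind the thread discusses, run over constructed VBScript lines. The indicator list, the sample lines and the names `Unwrap` and `blob` are assumptions; the "undecided" verdict marks the point where inspecting the text stops being able to tell what the script will do, which is the halting-problem objection raised above.

```python
import re

# Assumed indicator list (not ScriptGuard's rules): COM objects and methods
# that mail and file worms of the LoveLetter kind depend on.
INDICATORS = {
    "scripting.filesystemobject": "file system access",
    "wscript.shell": "shell or registry access",
    "outlook.application": "mail automation",
}
# Statements that run text assembled at run time; static matching stops here.
DYNAMIC = re.compile(r"\b(?:executeglobal|execute|eval)\b", re.I)
# Two adjacent string literals joined by & or +, e.g. "abc" & "def".
CONCAT = re.compile(r'"([^"]*)"\s*[&+]\s*"([^"]*)"')

def fold_literals(text):
    """Merge concatenated string literals until nothing changes."""
    prev = None
    while prev != text:
        prev, text = text, CONCAT.sub(r'"\1\2"', text)
    return text

def scan(script):
    """Return (verdict, reasons) for VBScript source text."""
    text = fold_literals(script).lower()
    hits = sorted(label for needle, label in INDICATORS.items() if needle in text)
    if hits:
        return "flag", hits
    if DYNAMIC.search(text):
        # The static text cannot show what will run, so do not report "clean".
        return "undecided", ["run-time code construction"]
    return "pass", []

# Constructed sample lines, not taken from any real worm.
SAMPLES = {
    "plain": 'Set fso = CreateObject("Scripting.FileSystemObject")',
    "split": 'Set fso = CreateObject("Scripting.File" & "System" & "Object")',
    "dynamic": "Execute Unwrap(blob)",  # Unwrap and blob are hypothetical names
    "benign": 'MsgBox "hello"',
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, scan(line))
```

Folding literals recovers only what is written out in the source text; anything decoded while the script runs is visible to a check made at execution time, not to this one.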

