Vulnerability Development mailing list archives

Re: ScriptGuard


From: tim () BIZTONE COM (Tim Wort)
Date: Tue, 16 May 2000 08:51:05 -0600


They seem to mellow the claims a bit in the "END USER LICENSE AGREEMENT"

quote:

WARRANTY-FREE:
DCS disclaims any warranties concerning works of this copy. DCS
does not warrant that the software is error free, identifies all
known, unknown, or yet-to-be-written worms and hostile scripts,
or may occasionally report alarms in a file that is not hostile.

On Tue, 16 May 2000, Crispin Cowan wrote:

Thierry Zoller wrote:

I can understand that users like to feel safe and cosy, and are ready
to pay for it, but how can you offer any guarantee that these users
will not be affected by the latest permutation of, say, LoveLetter.*?
It is impossible to detect new viruses which are not yet in your
database, and heuristics will of course only work to a limited
extent.

Nope it's not impossible, proof
http://www.tlsecurity.net/cleaner/scriptguard.htm
This is a _Generic_ Script Protector, it gets all variants of
Loveletter and (probably) all coming vbs, hta worms as it does NOT rely
on Fingerprints.

Interesting tool.  Definitely sounds like an approach that needs more
attention.



Heuristics work pretty good for VBS scripts as the supposed
"malicious" commands are static.
Perhaps one could code an algorithm obscuring the commands and thus
escaping Scriptguard, but this has not been made (yet)

As you say, scripts can be written that appear obscured, and then
de-cloak themselves as they run.  The documentation on the
http://www.tlsecurity.net/cleaner/scriptguard.htm site definitely needs
to have its claims softened.  In particular, someone should explain
Alan Turing's Halting Problem to them :-)

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
                  JOBS!  http://immunix.org/jobs.html

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= Tim Wort                        BizTone.Com =
= Network Administration      tim () biztone com =
= 2329 West Main Street    Littleton Colorado =
= voice 303-707-4505         fax 303-707-4545 =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

