lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: ralfml at alfray.com (Ralf)
Subject: Tracking a virus by logging infected machines

Richard M. Smith wrote:
> Not that I want to encourage virus writing, but I think it would be very
> helpful to gather infection statistics if a  virus were to keep a log of
> the IP addresses of all the machines it infected.  The log could be
> appended to the end of the executable file of the virus.  Each copy of a
> worm or virus would contain a record of one branch of the tree of
> infected machines.  

I don't have any practical experience in writing viruses (and surely 
don't want to) but that's doesn't seem applicable. I'd expect the 
infection tree to be much wider than deeper so much not knowledge would 
be seen in such the log of a single branch of the tree, except a way to 
target the immediate source of infection (and trace back the author?).
Adding the log to the virus itself doesn't seem too viable, especially 
as text that could be easily detected by the dumbest AV.

A better way would be to use a trojan that contacts a central server at 
some point (like the DDoS trojans do). Then the trojan can send info 
about where it is right now and where it comes from so it doesn't need 
to keep it's own log. Given the wild imagination of the various viruses 
authors around and their number, I'm sure that's already been done.

R/



Powered by blists - more mailing lists