Open Source and information security mailing list archives
From: steve.wray at paradise.net.nz (Steve Wray)
Subject: MyDoom download info

> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> Daniel Spisak
>
> Hey guys,
>
> 	In the interest of saving my sanity and my inbox I am
> posting this to the list as I am just starting to get buried under
> everyone's emails requesting copies of the virii and I've got other
> priorities that need me right now. So without further ado here is the
> location for the files for anyone to grab. Please only grab these if
> you A) Know what you are doing and B) Intend to disassemble/analyze
> the virii. Thanks!

I'm curious; there is software out there which won't, for example, run
in VMware. It throws an error about running under a debugger.

Given that it's possible for a program to detect that it's being run under
a debugger, wouldn't it be possible for a virus to behave differently in
the debug environment?

Another issue is timing of attacks; so far I've read about people
running virii and trojans in lab conditions and setting the system clock
here and there to see what the malware will do on a particular date.

At first I thought about the malware connecting to NTP servers to get
the date; IIRC that's already been done. But outgoing connections to NTP
servers are pretty obvious.

Wouldn't it be possible for malware to connect to some dynamically
generated web pages (on port 80) and check for timestamps? I bet there
are millions of possible sources of such timestamps out there.

In this case, the malware knows that it's not running in a debugger so it
does its stuff; the analyst sees the outgoing connection to
www.foobar.baz/wherever but doesn't know what the hell the virus is
looking for on that page... If the malware doesn't get a good timestamp
from a few probes like that, it assumes that it's running in a lab and
goes to sleep, or even just deletes itself.

I'm not trying to put ideas into the heads of virus writers, but pointing
out that given a sufficiently devious virus writer, there seems to be
little chance of getting a successful analysis.

I.e.: how do you know that the behavior you see in the lab reflects
behavior in the real world? (I get a kind of 'Schrödinger's cat' déjà vu.)

How valid are my points?

Thanks!
