| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun May 7 19:20:59 2006 From: debasis.mohanty.listmails at gmail.com (Debasis Mohanty) Subject: RE: Panda Antivirus Enterprise Secure, Norton Antivirus 2005 and the virus "I Love You" Singnature based analysis doesn't apply well incase of script based worms / virii. The issues here seems to be lack of feature to do an appropriate analysis of script based worms. Symantec is able to block it because, in addition to signature matching it is also trying to figure out what the script is upto. In this kind of real time analysis, AV usually look for any kind of possible malicious activity by the script by intercepting wsh or wscript calls. For example - If a .vbs , .hta or .wsh file is opened a system then the AV (with real-time protection) usually look for the presence FileSystemObject calls or something similar in the file and then block it from getting executed. It prompts the user to either allow it of disallow it. It may happen that it sometimes blocks valid scripts with valid calls to fso but like any other security products these kind of false positives do sneak in. I am rather surprised that Panda AV doesn't have this basic feature to block such scripts and is relying only upon signature based analysis. Have you also tried this test with Pest Control?? I guess they do have a nice real time protection. -d ________________________________ From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Niklas Sent: Saturday, May 06, 2006 10:46 AM To: Joxean Koret Cc: full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] RE: Panda Antivirus Enterprise Secure,Norton Antivirus 2005 and the virus "I Love You" Symantec 10 corp. immediately detetcts this as Loveletter.CI through real time protection when accessing the file within the arhive. /N On 5/4/06, Joxean Koret <joxeankoret@...oo.es> wrote: Sorry, the email was sended without the attachment. --- Regards, Joxean Koret > Attached goes a working "I Love You" virus in which > I > changed ONLY the variable "dirsystem" with the name > "kk2" (The file attached have the extension > ".txt.gz", > otherwise, with the .vbs extension the file will be > locked by all the most populars anti-viral > toolkits). Disclaimer: ~~~~~~~~~~~ The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory. --------------------------------------------------------------------------- Contact: ~~~~~~~~ Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es ______________________________________________ LLama Gratis a cualquier PC del Mundo. Llamadas a fijos y m?viles desde 1 c?ntimo por minuto. http://es.voice.yahoo.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists