Message-ID: <19210087236.20050923143431@atlas.cz>
Date: Fri, 23 Sep 2005 14:34:31 +0200
From: Ratter <ratter@...as.cz>
To: Jose Morales <jose@...stopearth.com>
Cc: vuln-dev@...urityfocus.com, bugtraq@...urityfocus.com
Subject: Re: PocketPC exploitation


JM> I would like to contribute to the list a paper I just had published that
JM> discusses the vulnerabilities of current virus detectors for pocket pc's, it
JM> is scary to think that such simplistic detectors are the current state of
JM> the art for such powerful devices, it leads one to think that the lessons
JM> of the past have not been learned, feedback on the paper is appreciated and
JM> welcomed, I hope it helps those interested in this area of research feel
JM> free to contact me.

OK, here's the feedback. You're creating unnecessary havoc. There are
AFAIK two or three pocket PC viruses/trojans. One is done by me,
second is probably a modification of mine and third is a trojan done
by some Russian writer. All are very easy nonencrypted code, so what
else than a simplistic detector you would like to have? Yes, there
exists a polymorphic generator written by Vecna/29A (published in last
29A magazine) and a Dust version that uses it. But this virus is on my
disk only, it will probably never be published as I'm retired.

So the question stands - for what you want to add detection for
encrypted/polymorphic/EPO/metamorphic/whatever viruses to PPC detectors,
when there is _no_ virus that uses them? Can you see the overhead it
would cause? The antivirus size increase? The time increase spent on
detection? This really is ridiculous.

When the time comes (and it probably will come), adding advanced
detection techniques to given PPC antiviruses is a matter of very
little time, because as you say all of these techniques are relatively
well elaborated in the PC world. When there will be people out there
that will take every ITW virus/worm and modify it by a few bytes, then the
time comes to add more advanced scanning techniques. Now it's simply
a waste of resources on both sides - antivirus companies and _mainly_
user's devices.

You have very nice equations in the paper, very academic approach, but
well, the paper lacks one thing. Real life experience.

-- 
Best regards,
Ratter


