[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3F542FC7.9010407@alfray.com>
From: ralfml at alfray.com (Ralf)
Subject: Tracking a virus by logging infected machines
Richard M. Smith wrote:
> Not that I want to encourage virus writing, but I think it would be very
> helpful to gather infection statistics if a virus were to keep a log of
> the IP addresses of all the machines it infected. The log could be
> appended to the end of the executable file of the virus. Each copy of a
> worm or virus would contain a record of one branch of the tree of
> infected machines.
I don't have any practical experience in writing viruses (and surely
don't want to) but that's doesn't seem applicable. I'd expect the
infection tree to be much wider than deeper so much not knowledge would
be seen in such the log of a single branch of the tree, except a way to
target the immediate source of infection (and trace back the author?).
Adding the log to the virus itself doesn't seem too viable, especially
as text that could be easily detected by the dumbest AV.
A better way would be to use a trojan that contacts a central server at
some point (like the DDoS trojans do). Then the trojan can send info
about where it is right now and where it comes from so it doesn't need
to keep it's own log. Given the wild imagination of the various viruses
authors around and their number, I'm sure that's already been done.
R/
Powered by blists - more mailing lists