[<prev] [next>] [day] [month] [year] [list]
Message-ID: <8D8863BB65A02F47A303E5B766612671E70580@exmb1.zonelabs.com>
From: jlacour at zonelabs.com (John LaCour)
Subject: Show me the Virrii!
The NSRL has several issues that limit its usefulness.
1) The file signatures are scanned from the media, not from
systems upon which they've been installed. This means
it doesn't include the files inside .ZIP or .CAB files
for example.
2) Many executables actually change when they're installed
on to a system in ways unique to the system that they're
installed on. To address this, we've written our own
hashing algorithm which ignores sections of the executable
which are likely to change during the installation process.
3) The list of programs and applications in the NSRL appears to
be relatively random and mostly consists of programs
which were donated to the NIST for this purpose.
In short, we found the NSRL to be of limited usefulness for the
purpose of authenticating popular enterprise software on installed
systems.
-John
-----Original Message-----
From: Elsner, Donald, ALABS [mailto:elsner@....com]
Sent: Tuesday, January 06, 2004 11:59 AM
To: Donze, Erich; full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Show me the Virrii!
-----Original Message-----
I like the idea of scanning for valid software. There are some problems
with it that would need to be overcome, though:
1. Who makes the list, and keeps it updated? This would be a huge
undertaking.
------------------- snip -----------------------------------
The U.S. Government is already doing this...... Please see
National Software Reference Library (NSRL)
(http://www.nsrl.nist.gov)
Overview: The National Software Reference Library (NSRL) provides a
repository of known software, file profiles, and file signatures for use
by law enforcement and other organizations in computer forensics
investigations. Industry Need Addressed: Investigation of computer files
requires a tremendous effort to review individual files. A typical
desktop computer contains between 10,000 and 100,000 files, each of
which may need to be reviewed. Investigators need to eliminate as many
known files as possible from having to be reviewed. An automated filter
program can screen these files for specific profiles and signatures. If
a specific file's profile and signature match the database of known
files, then the file can be eliminated from review as a known file. Only
those files that do not match would be subject to further investigation.
In addition, investigators can search for files that are not what they
claim to be (e.g., the file has the same name, size, and date of a
common file, but not the same contents) or files that match a profile
(e.g., hacking tools).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists