lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <8D8863BB65A02F47A303E5B766612671E70580@exmb1.zonelabs.com>
From: jlacour at zonelabs.com (John LaCour)
Subject: Show me the Virrii!

The NSRL has several issues that limit its usefulness.

1) The file signatures are scanned from the media, not from
   systems upon which they've been installed.  This means
   it doesn't include the files inside .ZIP or .CAB files
   for example.

2) Many executables actually change when they're installed
   on to a system in ways unique to the system that they're
   installed on.  To address this, we've written our own
   hashing algorithm which ignores sections of the executable
   which are likely to change during the installation process.

3) The list of programs and applications in the NSRL appears to
   be relatively random and mostly consists of programs
   which were donated to the NIST for this purpose.

In short, we found the NSRL to be of limited usefulness for the
purpose of authenticating popular enterprise software on installed
systems.

-John

-----Original Message-----
From: Elsner, Donald, ALABS [mailto:elsner@....com] 
Sent: Tuesday, January 06, 2004 11:59 AM
To: Donze, Erich; full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Show me the Virrii!




-----Original Message-----

I like the idea of scanning for valid software.  There are some problems
with it that would need to be overcome, though:

1.  Who makes the list, and keeps it updated?  This would be a huge
undertaking. 

------------------- snip -----------------------------------
The U.S. Government is already doing this......  Please see
	
National Software Reference Library (NSRL)
(http://www.nsrl.nist.gov)

Overview: The National Software Reference Library (NSRL) provides a
repository of known software, file profiles, and file signatures for use
by law enforcement and other organizations in computer forensics
investigations. Industry Need Addressed: Investigation of computer files
requires a tremendous effort to review individual files. A typical
desktop computer contains between 10,000 and 100,000 files, each of
which may need to be reviewed. Investigators need to eliminate as many
known files as possible from having to be reviewed. An automated filter
program can screen these files for specific profiles and signatures. If
a specific file's profile and signature match the database of known
files, then the file can be eliminated from review as a known file. Only
those files that do not match would be subject to further investigation.
In addition, investigators can search for files that are not what they
claim to be (e.g., the file has the same name, size, and date of a
common file, but not the same contents) or files that match a profile
(e.g., hacking tools).



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ