Message-ID: <1075410314.429.73.camel@localhost>
From: frank at knobbe.us (Frank Knobbe)
Subject: MyDoom bios infection

On Thu, 2004-01-29 at 14:45, Juari Bosnikovich wrote:
> It appears that what I called sooner a BIOS BackDoor is more of a
> Microsoft Windows exploit. When the infected machine boots for the
> SECOND time AFTER February 12 it is injecting a malicious program in the
> Windows installation that downloads a new version of Mydoom which will
> probably be called Mydoom.c after its discovery.

In other words, it has nothing to do with the system's BIOS? If that was
a mishap in naming it then that's ok. Apology accepted.

> I understand the point of view of unbelievers but unfortunately it is
> very CLEAR to me that they did not conduct their own research concerning
> this VERY destructive virus.

Personally, I don't believe or disbelieve anyone since I haven't looked
at that virus. But I have two things to say:

1) Anyone doing disassembly/analysis of any sort of thing has to be more
precise in the analysis and not jump to conclusions. 

2) (and in reply to)
> As a reminder to the various persons which contacted me privately via
> email and to whom I shared more information PLEASE keep it private.

Full Disclosure is about... uhm... Full Disclosure. Please don't tease
us with the things you may have found without publicly disclosing and
sharing information.

I understand that in certain cases you don't want the public to know
(for example, when you analyze code and share information with folks,
including LEOs, where that information might lead to an arrest, or for
other reasons that require confidentiality). Full Disclosure was and is
about disclosing bugs in vendor provided software. I don't think it was
intended as an analyze-fraud type forum. If you would like to contribute to
that, contact your local Infragard chapter or law enforcement agency or
the like, and operate outside of public view.

If you want to dissect viruses to help the community and public at
large, and you want to do this here (instead of quietly with AV
vendors), then please share and disclose the information.

Can we stop all that chest-pounding and return to normal FD business?
I'll go first: Anyone find the IE exploit of the day yet? ;)

Cheers,
Frank


PS: This rant is not directed against Juari Bosnikovich. I applaud his
motivation and effort to dissect the virus. My rant is against those
that proclaim they found information without sharing it. FD is not the
right place for those folks. 
