Message-ID: <1233378723.20070122201340@SECURITY.NNOV.RU>
Date: Mon, 22 Jan 2007 20:13:40 +0300
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: "lsi" <stuart@...erdelix.net>
Cc: Full-disclosure@...ts.grok.org.uk
Subject: Re: detecting targetted malware
Dear lsi,

This approach is already implemented, at least partially, to limit the
functionality of unknown applications. It can be found in multiple
personal firewalls or things like http://www.securesize.com/GeSWall/

There is a better approach - every "good" application should be signed
and unsigned applications are not allowed to run. But any approach has
its weakness. Malware code does not necessarily have to be an executable.
It can be html, doc, pdf, jpg, gif - anything that contains data processed
by some trusted application. Can you make a signature for, or sign, every
html or gif?
--
~/ZARAZA
http://security.nnov.ru/
--Monday, January 22, 2007, 3:42:43 PM, you wrote to Full-disclosure@...ts.grok.org.uk:
l> This is probably patented and implemented already but nonetheless it's
l> a new idea for me, so I mention it...
l>
l> While mass-produced malware remains an issue for most users, a
l> significant threat is also posed by malware customised for a specific
l> victim (so-called 'targeted malware'). This threat is potentially
l> worse as an organisation cannot rely on traditional AV or anti-spyware
l> scanners to detect the targeted malware; as the malicious code is
l> customised it does not have an entry in AV/AS signature databases.
l>
l> Despite this, detecting customised code should be easy. All that's
l> needed is a scanner. It simply finds every piece of executable code
l> on a system. It then compares each piece with its list of known-good
l> executables. Any executable that is found but is not on the list is
l> an intruder.
l>
l> This approach takes advantage of the fact that, unlike spam, we can
l> make a list of all our known-good items.
l> Stu
l> ---
l> Stuart Udall
l> stuart at@...erdelix.dot net - http://www.cyberdelix.net/
l> ---
l> * Origin: lsi: revolution through evolution (192:168/0.2)
l> _______________________________________________
l> Full-Disclosure - We believe in it.
l> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
l> Hosted and sponsored by Secunia - http://secunia.com/
--
~/ZARAZA
Give up trying - nothing will come of it. (Twain)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
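The two positions in this exchange can be shown side by side in a few dozen lines. The following is an added example written for this archive page; it is not code from either poster. It implements lsi's known-good scanner (walk a tree, pick out files that carry a native executable header, hash them, and report any digest that is not in a baseline allowlist) and then demonstrates 3APA3A's objection: a modified HTML document consumed by a trusted viewer never enters the scan at all, because it is data rather than an executable. The directory layout, file names and file contents are constructed for the demonstration and stand in for nothing real.

```python
import hashlib
import os
import tempfile

# Executable detection by file header rather than extension: Windows PE files
# start with "MZ", ELF binaries with "\x7fELF". Anything else is treated as data.
EXEC_MAGIC = (b"MZ", b"\x7fELF")


def is_executable(path):
    """Return True when the file's first bytes match a known executable header."""
    with open(path, "rb") as f:
        head = f.read(4)
    return any(head.startswith(magic) for magic in EXEC_MAGIC)


def sha256_file(path):
    """Hash the whole file so a single modified byte yields a new digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_executables(root):
    """Walk the tree and yield every file that looks like native executable code."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_executable(path):
                yield path


def build_allowlist(root):
    """Known-good list: the digests of every executable present in a trusted baseline."""
    return {sha256_file(p) for p in find_executables(root)}


def scan(root, allowlist):
    """Return executables (as relative paths) whose digest is not on the known-good list."""
    unknown = []
    for path in find_executables(root):
        if sha256_file(path) not in allowlist:
            unknown.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(unknown)


def _write(root, rel, data):
    """Helper for the constructed sample tree."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed sample system: a trusted baseline, then two later arrivals."""
    root = tempfile.mkdtemp(prefix="allowlist-demo-")
    # Baseline: one PE-like and one ELF-like file with harmless dummy bodies.
    _write(root, "bin/editor.exe", b"MZ" + b"baseline-pe-body")
    _write(root, "bin/viewer", b"\x7fELF" + b"baseline-elf-body")
    allowlist = build_allowlist(root)

    # Later: an executable nobody put on the known-good list appears...
    _write(root, "tmp/update.exe", b"MZ" + b"never-seen-before-body")
    # ...and a document that a trusted viewer will open without question is modified.
    _write(root, "docs/report.html", b"<html><body>changed content</body></html>")

    return {
        "baseline_size": len(allowlist),
        "unknown_executables": scan(root, allowlist),
        # The HTML file is outside the scanner's scope: it carries no executable header.
        "report_html_scanned": is_executable(os.path.join(root, "docs/report.html")),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports `tmp/update.exe` as the only unknown executable and shows that `docs/report.html` was never examined. Extending the baseline to every data file a trusted application might open is the step the reply argues is impractical; what remains practical is restricting what those trusted applications may do with the data they process, which is the sandboxing approach the reply mentions first.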