Trojan horse Downloader.Generic.ML

Discussion in 'Computer Security' started by Ron Reaugh, Jun 15, 2005.

  1. Ron Reaugh

    Chris Salter Guest

    Obviously they could come around your house and check. Or they could
    setup remote cameras/antennas to check. Not exactly cost-effective.

    Go and find all the relevant RFCs (NAT, ethernet, wireless bridging) etc
    and show me how they could detect it? To all intents and purposes all the
    ISP sees is the traffic from ISP <-> Router. (This isn't strictly true
    of course. BUT routers could obfuscate the client data if need be or
    you could use local proxies).
     
    Chris Salter, Jun 22, 2005

  2. Ron Reaugh

    Roger Wilco Guest

    I knew Sophos did from a whitepaper by them I had read. Others I wasn't
    so sure about. They could still use extension based exclude lists for
    the control program (don't even look at files named *.txt,
    pagefile.sys...) but it makes me wonder whether files with extensionless
    filenames can hide from other security schemes this way. I have only
    seen 'include' lists with reference to filetype blocking (when someone
    asks what filetypes by extension he or she should be concerned with
    allowing in by for instance e-mail).
     
    Roger Wilco, Jun 22, 2005

  3. Ron Reaugh

    Roger Wilco Guest

    That's what I thought, thanks.

    The on-access (and to some extent the on-demand) should not be telling
    you "this may contain this or that" but rather that "you might not want
    to execute this because this or that may execute as well" - if it is
    non-executable then there would be no point in warning about the
    possible consequences of executing it. If people want to know if a
    threat will exist if they extract and execute the contents of a
    container or text file, that would be fine for an on-demand option but
    might be a problem for on-access. The advent of malformed archive file
    exploits could have used this on-access-like e-mail scanning
    functionality to auto-spread. Why do such an unneeded thing when it
    increases complexity and hence risk?
     
    Roger Wilco, Jun 22, 2005
  4. Ron Reaugh

    Art Guest

    In some cases, though, I think certain illegal activities could be
    traced without much difficulty. My ISP happens to be owned by the
    telephone company. Take a different kind of case where idiots give
    away their user name and password to friends. On dialup, there is the
    correlation to telephone # to work with. And telcos may cooperate
    with ISPs on this sort of thing in the more general situation.

    In my case with DSL service being supplied by, in effect, the telco,
    I'm not so sure my line and others couldn't be tracked by the telco if
    I was crazy enough to give away my user name and password ... or if
    it was a wireless crack that did the evil deed.

    I dunno, but it's along these lines that I have in mind ...
    cooperation between telcos and ISPs to track down this sort of crap.

    In talking to some young people and listening to their conversations,
    I get the impression that many don't care one whit about any of this,
    and all kinds of illegal stuff is going on ... and there is
    practically no use made of even the available security measures.
    If things get bad enough, you can damn betchum there will be
    crackdowns, in spite of the apparent technical difficulties in finding
    and booting off these characters :)

    Art

    http://home.epix.net/~artnpeg
     
    Art, Jun 22, 2005
  5. Ron Reaugh

    Zvi Netiv Guest

    The discussion is about plain integrity checkers versus AV adapted integrity
    checkers/restorers. See <>

    Regards, Zvi
     
    Zvi Netiv, Jun 23, 2005
  6. Ron Reaugh

    kurt wismer Guest

    i'm wondering how you think they could even detect that... the network
    traffic that they see will all have the IP address of the router, not
    the machines connecting to it - and even if they could tell there were
    multiple machines connecting to a router there's no way to tell what
    medium was used for the connection...
     
    kurt wismer, Jun 23, 2005
  7. Ron Reaugh

    kurt wismer Guest

    Art wrote:
    [snip]
    in the case of wireless freeloading it would be as if they were all
    using the same phone - no help there...
     
    kurt wismer, Jun 23, 2005
  8. Ron Reaugh

    kurt wismer Guest

    i'm talking about existence - you're talking about prevalence... that is
    not a useful tangent...

    [snip]
    and on this point we diverge again - plain integrity checkers belong to
    a much broader class of diagnostic tool than anti-virus programs so i
    have no expectation that they should only take into account those events
    that anti-virus products are concerned with...
    and why would anyone be using *just* an integrity checker?

    a clever application of clean booting, backups, and integrity checking
    would allow one to trace the generation of viral offspring in most cases
    (the exception being those cases where you cannot coax the 'infected'
    file to produce offspring)...
    whatever - i suspect sophos' success has more to do with the fact that
    the market treats disinfection like an afterthought - people are far
    more concerned with prevention and on that criteria sophos compares
    favourably with the competition...
    then it is a) flawed (as overwriting infectors *are* viruses according
    to just about every definition i've seen other than yours), and b) a
    non-sequitur (as integrity checkers are for more than just detecting
    viruses - there's this little thing people sometimes call a payload)...
     
    kurt wismer, Jun 23, 2005
  9. Ron Reaugh

    kurt wismer Guest

    on top of warhol worms there are also the plain ordinary trojans which
    are now able to be spread far and wide enough by manual labour as to
    become a significant enough problem for anti-virus products to change
    their focus...
    overwriters are viruses by cohen's formal *and* informal definitions...
    if zvi wants to use his own definitions, he's free to do so but the
    discussion won't go very far...

    [snip]
    ugg - pdfs...

    how about http://all.net/books/integ/japan.html

    -------------
    In 1984, the first experiments with `Computer Viruses' as we know them
    today were performed. [1] To quote this paper:

    ``We define a computer `virus' as a program that can `infect'
    other programs by modifying them to include a possibly evolved copy of
    itself.''

    These `Viruses' had many implications for integrity maintenance in
    computer systems, and were shown to be quite dangerous, but their
    potential for good was also introduced. A practical virus which reduced
    disk usage in exchange for increased startup time was described, and
    this technique that is now commonplace in personal computer systems. A
    formal definition for viruses, which for mathematical reasons
    encompasses all self-replicating programs and programs that evolve and
    move through a system or network, was first published in 1985. [4] This
    encompassed many of the worm programs under the formal umbrella of
    computer viruses. This work also pointed out the close link between
    computer viruses and other living systems, and even melded them into a
    unified mathematical theory of `life' and its relationship to its
    environment. These experiments were terminated rather forcefully because
    they were so successful at demonstrating the inadequacy of contemporary
    computer security techniques, that administrators came to fear the
    implications.
     
    kurt wismer, Jun 23, 2005
  10. Ron Reaugh

    Art Guest

    You're thinking "inside the box" again. Try using a little imagination
    and creativity.

    For xDSL, high gain rotary antennas at every telco office sweeping a
    radius of up to four miles ... backed up with digital cracking sw ...
    should do the trick very nicely.

    In my geographical region where the only ISP offering xDSL is owned by
    the telco, such monitoring boxes don't seem very far fetched or even
    very futuristic. They could be produced in volume at relatively low
    cost. More futuristically and generally, I envision close cooperation
    between telcos (who have an interest in this as well) and ISPs.

    Cable providers will want to jump on this bandwagon as well ... and
    they will help defray the costs of monitoring in return for the info
    provided.

    Art

    http://home.epix.net/~artnpeg
     
    Art, Jun 23, 2005
  11. Ron Reaugh

    Chris Salter Guest

    Sigh....

    How would the Telcos prove that the wireless signal they have found is being used by

    a) their customer
    b) carries internet access on it and
    c) being used illegally

    I have wireless in my house, it has nothing to do with my ISP what I do with my wireless signals, or what my wireless signals carry.
    Suggesting that ISPs/Telcos have the right to sniff and crack communications is utterly mad.
     
    Chris Salter, Jun 23, 2005
  12. Ron Reaugh

    Art Guest

    Not necessarily. I can envision individual line locater technology
    used by telcos to track down xDSL abusers.

    Art

    http://home.epix.net/~artnpeg
     
    Art, Jun 23, 2005
  13. Ron Reaugh

    Art Guest

    Sigh back :)
    By pinpointing (to some extent) their geographical location and doing
    a bit of detective work.
    By the nature of the rf signals, obviously, and packet content once
    cracked.
    See above.
    Not if you're freeloading ISP service. You're safe for now only if you
    use strong WAP.
    Methinks thou protesteth too much. You must have something to hide.

    Art

    http://home.epix.net/~artnpeg
     
    Art, Jun 23, 2005
  14. Ron Reaugh

    Chris Salter Guest

    I'm not freeloading anything, my wireless network carries MY network data.
    I have *lots* to hide. Obviously you don't. Please post all your personal details,
    social security, CC numbers, friend details, telephone numbers, passwords, email address onto usenet.
     
    Chris Salter, Jun 23, 2005
  15. Ron Reaugh

    Art Guest

    You do have a funny ISP indeed that doesn't require that a user name
    and password be sent for email and newsgroup access. With a cracked
    WEP (or none at all) that's one item of several that can be sniffed.
    So you do pay for ISP service then. Splendid :) Many don't. And I'm
    sure many freeloaders can be found ... and the idiots who give their
    ISP access away to others.

    Art

    http://home.epix.net/~artnpeg
     
    Art, Jun 23, 2005
  16. Ron Reaugh

    Chris Salter Guest

    My wireless network is NOT connected to the internet FULL STOP. No passwords or usernames
    are sent through the air.
    So what? Cracking and sniffing are (in the UK at least) illegal. You think telco are above the
    law? You think they have a right to go and crack into my network? You think they have the right
    to the details of my myself and my family? You think they should be allowed to listen to my phone
    calls, open my mail, come around and plug into my network?
    I'm on cable and yes I do pay. Obviously you believe that a minority breaking the law gives
    companies a legal right to break it as well? Or you believe we should all live in a nanny state?
     
    Chris Salter, Jun 23, 2005
  17. Ron Reaugh

    James Egan Guest

    It all gets added onto the account holder's download limit and they
    will be charged accordingly.

    Over here, most ISPs are moving away from unlimited access accounts.
    Mine used to be unlimited but now has a cap of 30GB per month though
    they did offer the sweetener of a 2Mb download speed instead of 1Mb at
    no extra cost.

    There's no way ISPs are going to hack into wireless networks on the
    off chance of catching a freeloader. They're in the business for the
    money and any misuse can easily be contained by the application of
    download limits or surcharging for going over allowed limits.


    Jim.
     
    James Egan, Jun 23, 2005
  18. Ron Reaugh

    Art Guest

    I think you're probably right for once :)

    Art

    http://home.epix.net/~artnpeg
     
    Art, Jun 23, 2005
  19. Ron Reaugh

    kurt wismer Guest

    to detect wireless signals (maybe), but not to determine whether the
    owner of the wireless access point is ok with the connections being made...

    of course i'm pretty sure such 'listening posts' will run afoul of some
    kind of privacy law... i discounted them for precisely that reason...
     
    kurt wismer, Jun 24, 2005
  20. Ron Reaugh

    Zvi Netiv Guest

    Being a producer, my focus is on the practical aspects, of course.

    [...]
    I have no interest in general purpose integrity checkers, only in those offered
    as AV tools, like Integrity Master, which you brought to the discussion.

    [...]
    Where do I claim that anyone should? In case you forgot, the approach that I
    promote is generics and consists of the use of *multiple* and individually
    *generic* methods, used *simultaneously*, and mutually *independent*. See
    www.invircible.com/papers/IV4Enterprise.pdf
    You are demanding far too much from the common user.

    [...]
    You assume sophistication where there is none. The limited success of Sophos in
    their local market (UK) is due to concentrating on the corporate niche and not
    wasting efforts on the consumers market.

    [...]
    An overwriting infector in researchers' terminology, and what you believe they
    mean by that, are totally different things. To that category (overwriting
    infectors) belong cavity infectors, like Lehigh (a DOS infector of command.com)
    and CIH (PE infector). Cavity infectors conform to the definition of "virus" as
    brought above, to the word. The part of the host file that is overwritten by
    the virus is an unused section, nothing functional of the pre-infected file is
    overwritten, and hence, nothing of the original code is lost.

    A program that overwrites the host indiscriminately may be called an overwriter,
    but not infector, maybe a Trojan. Hence, your "overwriting infector" is
    fiction, no such thing exists.

    As to genuine overwriting *infectors*, they respond to the same processing as
    ordinary parasitic infectors do, i.e. they can be disinfected by cleaner
    procedures, or generically restored from integrity signature.

    Regards, Zvi
     
    Zvi Netiv, Jun 24, 2005
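As an added illustration of the "plain integrity checker" the thread argues over (example code written for this page, not from any poster and not InVircible's or Integrity Master's code): it records size and hash for every file regardless of extension, reports a change whose size is unchanged as the in-place overwrite pattern Zvi describes for cavity infectors, and restores a changed file only from a backup copy that still matches the baseline fingerprint. The file contents are constructed in-memory samples.

```python
import hashlib

# Constructed sample files (name -> bytes); command.com ends in zero padding,
# the kind of unused region a cavity infector overwrites in place.
ORIGINAL = {
    "command.com": b"MZ-original-code" + b"\x00" * 16,
    "app.exe": b"MZ-app-code",
    "notes": b"plain text, no extension",
}
# Constructed after-state: command.com changed in place, app.exe appended to.
AFTER = {
    "command.com": b"MZ-original-code" + b"!" * 16,
    "app.exe": b"MZ-app-code" + b"-appended",
    "notes": b"plain text, no extension",
}

def fingerprint(data: bytes) -> dict:
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def baseline(files: dict) -> dict:
    """Record size + hash for every file, whatever its extension."""
    return {name: fingerprint(content) for name, content in files.items()}

def check(db: dict, files: dict) -> dict:
    """Compare the current file set with the baseline; returns name -> verdict."""
    verdicts = {name: "missing" for name in db if name not in files}
    for name, content in files.items():
        if name not in db:
            verdicts[name] = "new"
            continue
        old, now = db[name], fingerprint(content)
        if now["sha256"] == old["sha256"]:
            verdicts[name] = "unchanged"
        elif now["size"] == old["size"]:
            verdicts[name] = "modified-in-place"   # cavity/overwrite pattern
        else:
            verdicts[name] = "grown" if now["size"] > old["size"] else "shrunk"
    return verdicts

def restore(db: dict, files: dict, backups: dict) -> dict:
    """Generic restore: put back the backup copy of every changed or missing
    file, but only when that copy still matches the baseline fingerprint."""
    result = dict(files)
    for name, verdict in check(db, files).items():
        if verdict in ("unchanged", "new"):
            continue
        copy = backups.get(name)
        if copy is not None and fingerprint(copy) == db[name]:
            result[name] = copy
    return result
```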