Re: [Full-Disclosure] National Database of Variants with Fixes-non-vendor specific
From: Rainer Duffner (rainer_at_ultra-secure.de)
To: John Hall <email@example.com>
Date: Wed, 11 Aug 2004 23:55:40 +0200
On Wed, 2004-08-11 at 22:03, John Hall wrote:
> No, seriously, I wouldn't put it past our current administration
> and the tinfoil hat wearers at the FBI (yes, they got theirs too)
> or worse, the jackboot wearers at the FBI (and elsewhere at the fed),
> to fantasize about pushing such a dictum upon the US AV vendors (not
> even crediting that a significant portion of the AV market is held
> by non-US vendors), but realistically, it seems unlikely they'd be
> successful in such an approach.
Just take the Airline passenger screening as an example.
Even European airlines have to comply with rules and regulations that
clearly violate European data protection standards (and laws!!!).
But what happens? Nothing, everybody silently complies, because in the
end, people just want to fly and airlines want to give passengers that
warm fuzzy feeling about security...
(And the US threatened to terminate all landing permissions for all
airlines that wouldn't comply. Most (almost all, actually) caved in.)
I'd like some members of the European Commission who voted in favor of
this approach to be given a full body cavity search in a US airport because
they ticked "no pork" on their menu card for the flight (and really only
wanted to say that they are vegetarians, and started an argument with
customs about this fact)...
Then perhaps they'd know how dangerous this whole thing is.
Ahem. Back on topic:
Such an approach would be very successful, because probably nobody can
ignore the US AV market.
No comply = no sale. It's as simple as that (I guess).
> Going even further off-topic (par for the course for FD), does
> anyone have any ideas how they might create such a trojan (there
> seems to be no mention of self-replication in any of the articles)
> that could be recognized and ignored by AV software, but prevent
> others from using the same methodology to shield their malware?
Easy. Just make it part of the operating system kernel (i.e. Windows).
It's probably more of a rootkit than a trojan.
If it's done well enough (and I trust certain three-letter-acronym bodies of
the US administration to be able to do that _very_ well), AV products
wouldn't be able to detect it even if they wanted to.
So persuading some shitty AV vendors not to detect a kernel trojan that
probably uses an API that came with the OS anyway seems pretty simple.
The signature format of all AV products (except ClamAV) is closed
anyway - the sigs are probably even encrypted for added security.
It's just like normal wiretapping: everybody (every telco) does it, and
nobody likes to talk about it, because it would be bad for business
and scare off customers.
That's also why I don't trust AV products for more than detecting Joe
Scriptkiddy's self-made virus of yesterday (and even that they do just
Anyway, the discussion is really pretty pointless, I admit, because
nobody can prove either side. People like me will attribute the fact
that no one has found such a beast (Magic Lantern) in the wild to the
fact that it's really well hidden, whereas other people ("Occam's razor",
anybody?) will simply point out that it doesn't exist.
PS: Jesus, they even have a Wikipedia entry for that:
--
===================================================
~ Rainer Duffner - firstname.lastname@example.org ~
~ Freising - Munich - Germany ~
~ Unix - Linux - BSD - OpenSource - Security ~
~ http://www.ultra-secure.de/~rainer/pubkey.pgp ~
===================================================
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html