Re: Trojan horse Downloader.Generic.ML
From: Arthur Hagen (art_at_broomstick.com)
Date: 06/22/05
- Next message: Roger Wilco: "Re: Trojan horse Downloader.Generic.ML"
- Previous message: Chris Salter: "Re: Trojan horse Downloader.Generic.ML"
- In reply to: Zvi Netiv: "Re: Trojan horse Downloader.Generic.ML"
- Next in thread: Zvi Netiv: "Re: Trojan horse Downloader.Generic.ML"
- Reply: Zvi Netiv: "Re: Trojan horse Downloader.Generic.ML"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 22 Jun 2005 09:29:26 -0400
Zvi Netiv <support@replace_with_domain.com> wrote:
>
> The definition of virus ( www.invircible.com/glossary.php ) is: "A
> virus is parasitic computer code that replicates by producing
> functional copies of itself into host files. The infected hosts
> inherit the replication ability of the affecting virus, in addition
> to maintaining the original functionality of the host program or
> file."
>
> The last part requires that everything that was contained in the
> program in its preinfected state, be still there, plus the necessary
> changes made by the virus to incorporate its own code in the program
> flow. A direct deduction is that all virus infections are
> theoretically reversible, by reverting the changes made to the
> program, and since nothing from the original code was lost. This is,
> in a nutshell, the entire theory on which virus disinfection and
> recovery are based.
You forget that a virus can *replicate* the functionality of a program
without keeping it, in which case there's nothing to revert back to.
This is most certainly true for most boot viruses, and some file
viruses do this as well.
> As to disinfection vs integrity restoration, everything disinfection
> can do, restoration will do better, and much of what restoration will
> do, can't be done by disinfection at all (like disinfection from
> highly polymorphic viruses, or from new ones).
Or disinfection where the original is not retained at all.
>>> Let's extend the above now: Real-time AV optimized integrity
>>> checkers can detect an infection and block execution of that
>>> object. When implemented properly, real-time integrity monitoring
>>> is nearly infallible at detecting viral changes in monitored files.
>>
>> i'm afraid i'm not yet convinced of that...
>
> I didn't expect you will, yet ... ;)
The problem is with the word "nearly". Just for fun, place the eicar
test string in an NTFS or XFS stream for a file, and see how many
"properly implemented" real time integrity monitors will catch it. Or
do a prelink/requickstart of executables and libraries and see how many
of the monitoring programs that will go nuts because the files have
changed.
(So far I know of only *one* AV product that breaks down a file into
different hunk types and only scans the relevant bits. And it doesn't
do monitoring. And only *one* product that checks streams, and it's not
an AV product, but an anti-spyware product.)
Regards,
-- *Art
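One way to close the stream gap Art describes, as an added example that is not code from the thread or from any product mentioned in it: a PowerShell integrity baseline that hashes every NTFS stream of a file, so content placed in a named alternate data stream shows up as a change even though the whole-file hash (which only covers the unnamed `:$DATA` stream) stays identical. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the file name, stream name and marker text are constructed for the demonstration.

```powershell
# Added example, not code from the thread: hash every NTFS stream of a file,
# not only the unnamed ':$DATA' stream that Get-FileHash and most monitors see.
# Windows/NTFS only. File name, stream name and marker text are constructed.

function Get-StreamBaseline {
    param([Parameter(Mandatory)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $baseline = @{}
    # -Stream * lists the primary stream (':$DATA') plus any named alternate streams.
    foreach ($s in Get-Item -LiteralPath $Path -Stream *) {
        if ($PSVersionTable.PSVersion.Major -ge 6) {
            $bytes = Get-Content -LiteralPath $Path -Stream $s.Stream -AsByteStream -ReadCount 0
        } else {
            $bytes = Get-Content -LiteralPath $Path -Stream $s.Stream -Encoding Byte -ReadCount 0
        }
        if ($null -eq $bytes) { $bytes = [byte[]]@() }   # empty stream reads back as nothing
        $baseline[$s.Stream] = [BitConverter]::ToString($sha.ComputeHash([byte[]]$bytes)) -replace '-'
    }
    return $baseline
}

function Compare-StreamBaseline {
    param([hashtable]$Old, [hashtable]$New)
    $findings = @()
    foreach ($k in $New.Keys) {
        if (-not $Old.ContainsKey($k))  { $findings += "ADDED   stream '$k'" }
        elseif ($Old[$k] -ne $New[$k])  { $findings += "CHANGED stream '$k'" }
    }
    foreach ($k in $Old.Keys) {
        if (-not $New.ContainsKey($k))  { $findings += "REMOVED stream '$k'" }
    }
    return $findings
}

# Demonstration: baseline a file, then write constructed content into a named stream.
$file = Join-Path $env:TEMP 'ads-demo.txt'                    # constructed path
Set-Content -LiteralPath $file -Value 'benign primary content'
$before     = Get-StreamBaseline $file
$hashBefore = (Get-FileHash -LiteralPath $file).Hash          # primary stream only

Set-Content -LiteralPath $file -Stream 'payload' -Value 'CONSTRUCTED-MARKER-TEXT'
$after     = Get-StreamBaseline $file
$hashAfter = (Get-FileHash -LiteralPath $file).Hash

# The whole-file hash comparison is blind to the new stream; the per-stream diff is not.
"Whole-file hash unchanged: $($hashBefore -eq $hashAfter)"
Compare-StreamBaseline $before $after
Remove-Item -LiteralPath $file
```

The same per-stream approach is what a monitor needs for the prelink case in reverse: it should hash the sections that carry code rather than the whole image, so relocation rewrites do not register as infections while a new stream or section does.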