Re: Trojan horse Downloader.Generic.ML

From: kurt wismer (kurtw_at_sympatico.ca)
Date: 06/23/05


Date: Wed, 22 Jun 2005 23:34:13 -0400

Zvi Netiv wrote:
> kurt wismer <kurtw@sympatico.ca> wrote:
>> Zvi Netiv wrote:
>>> kurt wismer <kurtw@sympatico.ca> wrote:
[snip]
>>>>as malware can make arbitrary changes, processing the entire file is
>>>>required... if you're only worried about parasitic infection then sure,
>>>>for some types of files you may only need to check a subset of the
>>>>entire file, but integrity checkers aren't *just* for detecting that
>>>>sort of thing...
>>>
>>>Malware doesn't make arbitrary changes, full stop.
>>
>>so data diddlers don't exist?
>
> Not really, and there are good reasons why not. The most famous data diddler
> is the now extinct Ripper boot virus.

i'm talking about existence - you're talking about prevalence... that is
not a useful tangent...

[snip]
>>>That's a fallacy that has
>>>been nurtured by ignorance, fools (e.g. Lambdin, with his unsolicited CRCs), and
>>>AVers that had an interest that users assimilate that nonsense.
>>
>>what i said is technically correct... malware *can* make arbitrary
>>changes - there may not yet be a malware instance that changes bytes X,
>>Y, or Z in a file but there's nothing preventing one from being made...
>>
>>there is malware that corrupts and/or destroys data - you can contest the
>>existence of such malware if you like, but you'd be tilting at windmills...
>
> Only a fool will claim that there exists no malware that corrupts data, but a
> producer must really have no sense to optimize an AV product for such rare
> singularity.

and on this point we diverge again - plain integrity checkers belong to
a much broader class of diagnostic tool than anti-virus programs so i
have no expectation that they should only take into account those events
that anti-virus products are concerned with...

> [...]
>
>>>You are actually saying the same thing, but from a different angle: Users were
>>>incapable of telling, on the basis of the plain integrity change, whether it
>>>was caused by a virus or was benign.
>>
>>actually, i don't think they are the same thing... i don't believe users
>>are incapable of such, i believe they are unwilling...
>
> I am both willing and experienced, but unable to tell viral from benign if all
> that I could use was Stiller's Integrity Master.

and why would anyone be using *just* an integrity checker?

a clever application of clean booting, backups, and integrity checking
would allow one to trace the generation of viral offspring in most cases
(the exception being those cases where you cannot coax the 'infected'
file to produce offspring)...

> [...]
>
>>>>there are those who feel that programmatically restoring
>>>>infected/corrupted objects to their original state is a losing
>>>>proposition... some anti-virus vendors (like sophos) don't offer virus
>>>>disinfection for most file infecting viruses because of this philosophy...
>>>
>>>Again, part of the above is propaganda, that was cultivated by interested
>>>parties.
>>
>>sophos used propaganda to justify being a less attractive option? that
>>really doesn't make a whole lot of business sense... you (the general
>>you) can't claim that action X can't be done satisfactorily so you won't
>>do it and expect potential customers to accept that when most other
>>vendors provide products that do perform action X...
>
> Sophos' decision to not disinfect was a business decision, and the "ideology"
> attached to it was propaganda. Fact is that it worked!

whatever - i suspect sophos' success has more to do with the fact that
the market treats disinfection like an afterthought - people are far
more concerned with prevention and on that criteria sophos compares
favourably with the competition...

>>> The fact is that DOS objects, all types, were recovered through
>>>integrity methods to their *exact* original state, to the byte, including the
>>>time and date stamp.
>>
>>you can't recover overwritten objects merely from an integrity
>>fingerprint...
>
> You seem to have forgotten the very basics of virus and antivirus technology.
> Here is a brief reminder (state of the art ca '95) :
>
> The definition of virus ( www.invircible.com/glossary.php ) is: "A virus is
> parasitic computer code that replicates by producing functional copies of itself
> into host files. The infected hosts inherit the replication ability of the
> affecting virus, in addition to maintaining the original functionality of the
> host program or file."
>
> The last part requires that everything that was contained in the program in its
> preinfected state still be there, plus the necessary changes made by the virus
> to incorporate its own code in the program flow. A direct deduction is that all
> virus infections are theoretically reversible by reverting the changes made to
> the program, since nothing from the original code was lost. This is, in a
> nutshell, the entire theory on which virus disinfection and recovery is based.

then it is a) flawed (as overwriting infectors *are* viruses according
to just about every definition i've seen other than yours), and b) a
non-sequitur (as integrity checkers are for more than just detecting
viruses - there's this little thing people sometimes call a payload)...

-- 
"they threw a rope around yer neck to watch you dance the jig of death
then left ya for the starvin' crows, hoverin' like hungry whores
one flew down plucked out yer eye, the other he had in his sights
ya snarled at him, said leave me be - i need the bugger so i can see"
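The integrity-checking and recovery argument running through this thread, shown in code. This is an added example; it is not code from either poster, from Integrity Master, or from any product named above. It assumes a baseline record per file holding a whole-file SHA-256, the file length, and a copy of the first 16 bytes (the stored-header idea is an assumption about how such a checker could be built, not a description of any specific tool). The two "modifications" are constructed stand-ins for byte changes to a file, not real infectors: one patches the header and adds bytes after the original contents (nothing original is lost, so the change can be reverted), the other overwrites the start of the file in place (the fingerprint holds no content, so only a backup can bring those bytes back).

```python
import hashlib

# Assumption for this example: the baseline keeps the first HEADER_LEN bytes of
# each file alongside its hash, so that a patched header can be put back.
HEADER_LEN = 16


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fingerprint(data: bytes) -> dict:
    """Baseline record for one file: hash over the entire contents (not a
    subset), the length, and a copy of the leading bytes."""
    return {
        "sha256": sha256_hex(data),
        "length": len(data),
        "header": data[:HEADER_LEN],
    }


def classify(baseline: dict, data: bytes) -> str:
    """Compare current contents against the baseline record.

    'unchanged' - whole-file hash still matches
    'appended'  - the file grew and every original byte is still present
                  (header possibly patched, which the stored copy can undo)
    'modified'  - anything else: in-place overwrite, truncation, etc.
    """
    if sha256_hex(data) == baseline["sha256"]:
        return "unchanged"
    n = baseline["length"]
    if len(data) > n:
        candidate = baseline["header"] + data[HEADER_LEN:n]
        if sha256_hex(candidate) == baseline["sha256"]:
            return "appended"
    return "modified"


def restore(baseline: dict, data: bytes):
    """Return the original bytes when they survive inside the changed file.

    A fingerprint carries no file content, so a 'modified' file (overwritten
    or truncated bytes) cannot be rebuilt from it; that needs a backup.
    """
    kind = classify(baseline, data)
    if kind == "unchanged":
        return data
    if kind == "appended":
        return baseline["header"] + data[HEADER_LEN:baseline["length"]]
    return None


# --- constructed sample data (not a real program, not real malware) ---------
ORIGINAL = b"MZ" + bytes(range(14)) + b"original program body ..." * 4
BASELINE = fingerprint(ORIGINAL)


def simulate_append(data: bytes, extra: bytes) -> bytes:
    """Constructed stand-in for a change that patches the header and adds
    bytes after the original contents; nothing original is lost."""
    patched_header = data[:2] + b"\xff" * (HEADER_LEN - 2)
    return patched_header + data[HEADER_LEN:] + extra


def simulate_overwrite(data: bytes, extra: bytes) -> bytes:
    """Constructed stand-in for a change that replaces the start of the
    file in place; the overwritten bytes are gone."""
    return extra + data[len(extra):]


def demo() -> dict:
    """Run both modifications through the checker and report the outcome."""
    appended = simulate_append(ORIGINAL, b"TRAILER")
    overwritten = simulate_overwrite(ORIGINAL, b"X" * 40)
    return {
        "appended": (classify(BASELINE, appended),
                     restore(BASELINE, appended) == ORIGINAL),
        "overwritten": (classify(BASELINE, overwritten),
                        restore(BASELINE, overwritten)),
    }


if __name__ == "__main__":
    for name, (kind, result) in demo().items():
        status = "ok" if result is True else "not possible from fingerprint"
        print(f"{name:11s} -> {kind}, restore: {status}")
```

The checker hashes the entire file, so any change is detected; what it can undo is limited to changes that left the original bytes in place. That is the dividing line between the two positions in the thread: the appending case is reversible because nothing was lost, while the overwriting case is detected but not recoverable without a backup.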