Mind boggler

[Art]

Here's the source:

http://www.cert.org/tech_tips/malicious_code_FAQ.html

and here's a cut and paste from the source:

*************************************
Attackers may be able to use malicious scripts to infect cookies
with copies of themselves. If the infected cookie is sent back
to a vulnerable web site and passed back to your browser, the
malicious script may start running again. Note: This is not a
vulnerability in web cookies; rather, a malicious script takes
advantage of the functionality of cookies.
*************************************

Hmmm. A cookies.txt file "infected". Who says scanning text
files is dumb

What do they mean by "vulnerable" web site? Vulnerable to
what exactly?

What kind of script? Javascript? VBS? Java? .BAT? Passed
back to what in the browser? A javascript interpreter? Java
interpreter? How, if it's in the form of a cookie, does it get
interpreted in that way? How would the OS get a chance
to run it if the script is VBS or BAT?

What exactly is malicious javascript? Or malicious Java? There
are sometimes unpatched vulnerabilities in these, but otherwise
what is the potential extent of damage or intrusiveness attainable
by the black hats via these scripts on a web site? Certainly root
access can't be attained short of a unpatched vulnerabilty?

I'm so confused by this, I'm not even going to ask if this might
be a "cookie virus" capable of spreading to various PCs on the
internet. Next thing you know, arguments will break out over
whether or not it's actually a worm, hybrid worm/virus, or
just a Trojan

Art
http://home.epix.net/~artnpeg

 

[Jake Dodd]

Here's the source:

http://www.cert.org/tech_tips/malicious_code_FAQ.html

and here's a cut and paste from the source:

*************************************
Attackers may be able to use malicious scripts to infect cookies
with copies of themselves. If the infected cookie is sent back
to a vulnerable web site and passed back to your browser, the
malicious script may start running again. Note: This is not a
vulnerability in web cookies; rather, a malicious script takes
advantage of the functionality of cookies.
*************************************

Hmmm. A cookies.txt file "infected". Who says scanning text
files is dumb

Their terminolgy is bad IMO. As with your earlier observation about worms
and viruses. I did a search for Gael and found an AV (McAfee I think) page
that stated something like "This is a file infecting worm...". Bottom line, better
get used to these people keeping the prospective market confused about what
is what. I'm not saying the page was wrong though. only that their attempt to
keep virus and worm seperate is wrong-headed.

As for the current 'mind boggler', the key here is that the cookie (text file) is
no different than a script, in fact the malicious script is a virus that alters the
cookie by placing itself there. This is known as "indirect infection" and applies
to any source code infections from script 'source code' for interpreting to
HLL or 4GL 'source code for compiling. Text files are not infectable but the
program they (may) represent, is. Email and cookies are not infectable, but
the program(s) they may contain. are.

What do they mean by "vulnerable" web site? Vulnerable to
what exactly?

Not clear to me really, but I suspect they are talking about reflection attacks
where a cookie with malicious scripting becomes executed if a vulnerable site
is able to pass it back to the client without due validation.

What kind of script? Javascript? VBS? Java? .BAT? Passed
back to what in the browser? A javascript interpreter? Java
interpreter?

They are probably referring to the scripting supported by the browser.

How, if it's in the form of a cookie, does it get
interpreted in that way? How would the OS get a chance
to run it if the script is VBS or BAT?

They are probably implying a vulnerability like XSS or 'marked as safe'
flaws.

What exactly is malicious javascript? Or malicious Java? There
are sometimes unpatched vulnerabilities in these, but otherwise
what is the potential extent of damage or intrusiveness attainable
by the black hats via these scripts on a web site? Certainly root
access can't be attained short of a unpatched vulnerabilty?

I think you are right. The developers have been trying real hard to
make it safe to allow websites to run code on your computer, and
this article cautions against having this functionality at that point in
time. I still agree with you about scripting and ActiveX or Java
disabled. Many of the patches issued have dealt with problems
in securing this mobile code with the browser.

I'm so confused by this, I'm not even going to ask if this might
be a "cookie virus" capable of spreading to various PCs on the
internet.

Well, if you can accept "email virus" then you should be able to accept
"cookie virus" because it is the same thing - a virus infection of a program
that "might" be contained within these files. When you get right down to it,
the .bat virus is the same except that batfiles go well beyond the "might"
contain a program stipulation - they are expected to.

Next thing you know, arguments will break out over
whether or not it's actually a worm, hybrid worm/virus, or
just a Trojan

What do you think it is? I say it is a virus "if" the cookies are destined
(for some reason) to be interpreted as scripts. Otherwise it is just a
text (cookie) file corruptor bomb.

 

[Art]

Their terminolgy is bad IMO. As with your earlier observation about worms
and viruses. I did a search for Gael and found an AV (McAfee I think) page
that stated something like "This is a file infecting worm...". Bottom line, better
get used to these people keeping the prospective market confused about what
is what. I'm not saying the page was wrong though. only that their attempt to
keep virus and worm seperate is wrong-headed.

Yes, we've had many discussions on this subject on a private list.
Much of the stuff that appears on av vendor sites is obviously not
written by the av researchers and experts. There are many bloopers
and just plain wrong information out there. Not to mention the screwy
and outdated alerts of many av that call all malware "virus".

As for the current 'mind boggler', the key here is that the cookie (text file) is
no different than a script, in fact the malicious script is a virus that alters the
cookie by placing itself there. This is known as "indirect infection" and applies
to any source code infections from script 'source code' for interpreting to
HLL or 4GL 'source code for compiling. Text files are not infectable but the
program they (may) represent, is. Email and cookies are not infectable, but
the program(s) they may contain. are.

Of course, but it's not clear to me that the cookie itself is viral
(see below).

Not clear to me really, but I suspect they are talking about reflection attacks
where a cookie with malicious scripting becomes executed if a vulnerable site
is able to pass it back to the client without due validation.

I don't see how the cookie gets executed (interpreted) by the script
interpreter(s). Cookies are supposed to be independent of that.
Aren't they???

They are probably referring to the scripting supported by the browser.

I think so too.

They are probably implying a vulnerability like XSS or 'marked as safe'
flaws.

Again, how in the hell does a cookie script get executed by a browser?
Doesn't make sense to me.

I think you are right. The developers have been trying real hard to
make it safe to allow websites to run code on your computer, and
this article cautions against having this functionality at that point in
time. I still agree with you about scripting and ActiveX or Java
disabled. Many of the patches issued have dealt with problems
in securing this mobile code with the browser.


Well, if you can accept "email virus"

I don't. I accept email worm

then you should be able to accept
"cookie virus" because it is the same thing - a virus infection of a program
that "might" be contained within these files. When you get right down to it,
the .bat virus is the same except that batfiles go well beyond the "might"
contain a program stipulation - they are expected to.

You're still not addressing the question I have. How in the hell or
why in the hell would a browser interpret a script in a goddam
cookie!?

What do you think it is? I say it is a virus "if" the cookies are destined
(for some reason) to be interpreted as scripts. Otherwise it is just a
text (cookie) file corruptor bomb.

Replication is required of a virus. It must create (possibly modified)
copies of itself (intentionally). If the cookie manages to somehow
copy itself elsewhere it would a virus. It's not clear to me from what
was written that that is what's going on.

And for the sake of terminology, only viruses infect. Other malware
"infests" or "compromises" ... though that terminolgy isn't
necessarily that of all experts (which I'm not). It's mainly a
preference of mine after giving the subject of terminology some
thought. I suppose I'd be ok with worms "infecting" as well, but
I've managed to develop a "thing" about only viruses infecting.

To hell with it. It's all just malware

Art
http://home.epix.net/~artnpeg

 

[Gabriele Neukam]

On that special day, Art, ([email protected]) said...

You're still not addressing the question I have. How in the hell or
why in the hell would a browser interpret a script in a goddam
cookie!?

Because the Browser is named Internet Explorer, can run ActiveX, and
the cookie is large enough to overwrite a heap or buffer?

I've seen pages (with my Opera browser, which alerts me for every
cookie), that try to write extremely long cookies, with unintelligible
characters (like /1/p/1/p and so on), which were probably longer than
300 characters.


Gabriele Neukam

(e-mail address removed)

 

[Art]

On that special day, Art, ([email protected]) said...


Because the Browser is named Internet Explorer, can run ActiveX, and
the cookie is large enough to overwrite a heap or buffer?

That's one way ro make sense out of the article. But nothing is really
clear clarified by it IMO. It winds up being unintelligible
gobledygook

I've seen pages (with my Opera browser, which alerts me for every
cookie), that try to write extremely long cookies, with unintelligible
characters (like /1/p/1/p and so on), which were probably longer than
300 characters.

You can, if you wish, avoid the annoying alerts in Opera by making
its cookies file read only after getting it the way you want it. That
adds some measure of security as well.

Art
http://home.epix.net/~artnpeg

 

[Jake Dodd]

I don't see how the cookie gets executed (interpreted) by the script
interpreter(s). Cookies are supposed to be independent of that.
Aren't they???

What confuses you is probably what they are not saying specifically. They are
talking in generalities about vulnerabilities in browsers and web servers.

http://www.cert.org/advisories/CA-2000-02.html

This scenario (the cookie idea) domes from:

Excerpt

***
Attacks May Be Persistent Through Poisoned Cookies

Once malicious code is executing that appears to have come from the authentic web site, cookies may be modified to make the attack
persistent. Specifically, if the vulnerable web site uses a field from the cookie in the dynamic generation of pages, the cookie may
be modified by the attacker to include malicious code. Future visits to the affected web site (even from trusted links) will be
compromised when the site requests the cookie and displays a page based on the field containing the code.

***

Again, how in the hell does a cookie script get executed by a browser?
Doesn't make sense to me.

The malicious script cookie is mishandled by the web server in such a way as to
have it parsed by the browser. For the browser (and the cookie) it is an abuse
of functionality, but for the server it is mishandling of (*untrusted) data being
passed back unvalidated. Just because this website created the cookie does
not mean that when passed back it should be trusted.

I don't. I accept email worm

Then it's a "cookie worm". )

You're still not addressing the question I have. How in the hell or
why in the hell would a browser interpret a script in a goddam
cookie!?

The quoted material from CERT explains that. The script comes from the
server because the server uses the data from the cookie it is passed in its
web page contruction.

Since it only (re)infects the client, its kind of a boomerang effect. New
malware category - cookie borne boomerang virus. )

Replication is required of a virus. It must create (possibly modified)
copies of itself (intentionally).

Programmers can have intent, but not programs - they just do what they do.

If the modified cookie (script) is able to establish another instance of the
program that created it, it is a virus by some definitions. The idea of some
"program" needing to be "infected" for it to be a virus is kinda silly. It creates
functional copies of itself that will be interpreted as a program due to the
flaw being exploited. The cookie is how it gets transported to the vunlerable
server and the browser is how it attaches to program code on return.

If the cookie manages to somehow
copy itself elsewhere it would a virus. It's not clear to me from what
was written that that is what's going on.

It is able to reinstantiate the program that created itself (recursion).

 

[Art]

I'm just going to respond to a portion of your post since I've
completely lost interest in speculating about the Cert article.

Programmers can have intent, but not programs - they just do what they do.

Frisk's definition of a virus includes intent in order to exclude
certain accidents which can occur with legit non-viral code. In
practice you don't have a antivirus product alerting on some legit
program that might replicate. See my article for Frisk's definition
and look at clause #2 and the reason for it:

http://home.epix.net/~artnpeg/VW.html

If the modified cookie (script) is able to establish another instance of the
program that created it, it is a virus by some definitions. The idea of some
"program" needing to be "infected" for it to be a virus is kinda silly.

That's not what I said. I said viruses infect, which is quite a
different thing. Trojans don't infect. I see nothing silly at all
about making that distinction. It's all part of a sort of campaign
(as I see it) to get people to quit calling all malware "virus".
Saying that Trojans and spyware "infest" and only viruses
"infect" may seem silly to some, but to me, any and all ways
we can emphasize that viruses replicate and Trojans and spyware
do not has some "good propaganda" value

Art

http://home.epix.net/~artnpeg

 

[Ant]

:

[snip]

http://www.cert.org/advisories/CA-2000-02.html
[...]

You're still not addressing the question I have. How in the hell or
why in the hell would a browser interpret a script in a goddam
cookie!?

It wouldn't, directly.

The quoted material from CERT explains that. The script comes from the
server because the server uses the data from the cookie it is passed in
its web page contruction.

Exactly. An exploit would depend on two factors in addition to your
browser allowing cookies and scripting:
1) A user's stored cookie for a site would first need to be altered.
2) That site would have to dynamically generate the page (php, asp)
using the cookie value as part of the page content.

For example, suppose a cookie was being used to accumulate an online
order. It might at some point contain the value "apples". When you
move to another other page, it requests the cookie, and the HTML will
render "Your cart contains: apples".

If before visiting a page with such a cookie, malware had changed it
to "<script>nasty exploit here</script> apples", then you can see the
problem if cookie content is used literally like this, and the server
doesn't check for such nonesense when generating a dynamic page.

 

[Jake Dodd]

I'm just going to respond to a portion of your post since I've
completely lost interest in speculating about the Cert article.

Alrighty then...

Frisk's definition of a virus includes intent in order to exclude
certain accidents which can occur with legit non-viral code.

I suppose Fridrik can prove from the program code that already.com
didn't intend to be a virus or worm and therefore isn't one.

http://www.avp.ch/avpve/file/a/ALREADY.stm

I think programs should be classified by what they do rather than
by what someone thinks the programmer intended it to do If it
acts like a virus or worm, then it is one.

They can decide if it was programmed maliciously if they want, and have
copying and cloning software as non-malicious viruses since they also
are able to replicate themselves recursively. Calling them 'not' viruses
based on a subjective attribute like 'program intent' isn't good IMO.

In practice you don't have a antivirus product alerting on some legit
program that might replicate.

I mentioned one "already"; )

See my article for Frisk's definition
and look at clause #2 and the reason for it:

http://home.epix.net/~artnpeg/VW.html

Read it, but didn't like it. As I said, programs either do or don't do
something, tyhey are viruses or they aren't viruses based on what
they do or don't do.

 

[Art]

Alrighty then...


I suppose Fridrik can prove from the program code that already.com
didn't intend to be a virus or worm and therefore isn't one.

http://www.avp.ch/avpve/file/a/ALREADY.stm

Well, I dunno off hand if F-Prot alerts on already.com, but I think
it should, just as does KAV. It's a good example, actually, of how
intent is always involved, one way and the other. In this case,
the researchers know the intent of the author of already.com
and point out that a bug causes it to act as a worm. Intent
works both ways, good and bad must be judged.

I think programs should be classified by what they do rather than
by what someone thinks the programmer intended it to do If it
acts like a virus or worm, then it is one.

However, that's a ivory tower pipedream, and not the way the
real world works. Take Trojans, for example. There are endless
little examples of batch files that erase the contents of a
drive, etc. They are perfectly legit if users are told what they
do. They are Trojans if they do something users wouldn't approve
of if they were told what they do. Av researchers are forced
to judge intent on every code sample received for analysis.

In the real world you can't have detection-as-virus on every
code sequence that copies in a self-replicative way, since
situations arise where legit programs do that. The av researchers
are forced to take the legit intent of diskcopy.com (for example)
into account and make special provisions to _not_ alert on it.

I'm convinced that the overwhelming success of mainstream
av lies precisely in their dealing primarily with both known
malware and known non-malware ... and endlessly taking
intent into account regardless of the malware type. Their
dats or sigs are like combination black and white lists, in effect,
though not literally, of course.

Art

http://home.epix.net/~artnpeg

 

[Jake Dodd]

Well, I dunno off hand if F-Prot alerts on already.com, but I think
it should, just as does KAV. It's a good example, actually, of how
intent is always involved, one way and the other. In this case,
the researchers know the intent of the author of already.com
and point out that a bug causes it to act as a worm. Intent
works both ways, good and bad must be judged.

If it creates a file in the CWD then maybe it's a worm. If it overwrites
a file in the CWD then it is a virus. What the author wanted it to do
doesn't really matter.

Since it only overwrites files named "already.com" it isn't a very good
virus, but it still is one. You can call a failed virus program an "intended
virus" because you believe the intention of the author was that it be a
virus and I suppose you could call this an intended non-virus for the
same reason. The authors intent, not the program's, because programs
do not have intent - they just do what they do.

However, that's a ivory tower pipedream, and not the way the
real world works. Take Trojans, for example. There are endless
little examples of batch files that erase the contents of a
drive, etc. They are perfectly legit if users are told what they
do. They are Trojans if they do something users wouldn't approve
of if they were told what they do.

Just because "trojans" are subjective doesn't mean that everything else
has to be too. There is no other way to define trojans because they
depend on subjectivity.

Av researchers are forced
to judge intent on every code sample received for analysis.

Right, that recent Mac virus for instance. They wrote that it attempts to
infect (sure, you can guess the authors intent from the code, and that a
bug in the code prevents it from properly attaching) by replacing the file
with a copy of itself and passing off to a saved copy of the files contents
elsewhere.

But still, the code does what it does regardless of the authors intent.

In the real world you can't have detection-as-virus on every
code sequence that copies in a self-replicative way, since
situations arise where legit programs do that. The av researchers
are forced to take the legit intent of diskcopy.com (for example)
into account and make special provisions to _not_ alert on it.

Fine, but they don't have to redefine virus to do that.

I'm convinced that the overwhelming success of mainstream
av lies precisely in their dealing primarily with both known
malware and known non-malware ... and endlessly taking
intent into account regardless of the malware type. Their
dats or sigs are like combination black and white lists, in effect,
though not literally, of course.

Why can't they say it is a non-malicious virus? Why can't they even
conceive of a virus that wasn't created with bad intent? When they
start screwing around with definitions that were already in place,
they confuse people. Already.com is an unintentional virus, but is
a virus.

 

[Art]

If it creates a file in the CWD then maybe it's a worm. If it overwrites
a file in the CWD then it is a virus.

Or maybe it's a hybrid virus-worm.

What the author wanted it to do
doesn't really matter.

Well, now you're suggesting a different issue than what I thought you
were. If you're saying that a sample of some code submitted to a av
lab and analyzed appears to be a intended <whatever> but actually
works as <something else> then indeed it will and should be
categorised as <something else> and not as <whatever>
Already.com was a unique case where intent wasn't _necessarily_
determined by code analysis. According to the writeup, intent was
determined by the author's description of what his product is supposed
to do (apparently). So it was a commercial (or free) program marketed
with good intentions (presumably) that happended to have a nasty bug.
Or at least, we should assume good intensions and not accuse him or
her of knowing about the "bug" and purposely spreading malicious code.
That's the way Kaspersky's little writeup came across to me. Innocent
unless proven guilty. Plus, since Kaspersky analysts called it a bug,
I think they did believe it was a bug.

Which brings me back to my point. I can just see Eugene Kaspersky
yelling at his analysts to always consider the whole situation ...
how program code is distributed and spread is just as important
as the technical analysis. They have a special category nowdays
for "questionable" commercial software they alert on. Stuff that
is sold but which may used for nefarious purposes such as commercial
keyloggers and port scanners. It's absolutely not merely a matter
of analysing code.

Since it only overwrites files named "already.com" it isn't a very good
virus, but it still is one. You can call a failed virus program an "intended
virus" because you believe the intention of the author was that it be a
virus and I suppose you could call this an intended non-virus for the
same reason. The authors intent, not the program's, because programs
do not have intent - they just do what they do.

The term "intended" is a old one in this context. It's been used for
years to characterize lame attempts at writing viruses where the
code failed to successfully self-replicate or meet certain minimum
criteria. And again, the (apparent) author's intention is always taken
into consideration by good av analysists.

Fine, but they don't have to redefine virus to do that.

'Fraid they do. I see a big difference between formal virus
definitions and practical definitions. If they worked with purely
formal defs, they'd be false alarming something fierce. And
as Kurt Wismer loves to point out, the halting problem applies
to any attempt to find all possible viruses. In short, any such
attempt is doomed to fail ... the av detection algorithm would
never exit (halt).

Why can't they say it is a non-malicious virus? Why can't they even
conceive of a virus that wasn't created with bad intent? When they
start screwing around with definitions that were already in place,
they confuse people. Already.com is an unintentional virus, but is
a virus.

The consesus view of av industry professionals (and my own view
as well) is that there is no such thing as a "good" virus. Vesselin
Bonchev (now at FSI) wrote a classical paper on the subject which
is discussed here:

http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1997_3/kelman1/

Art
http://home.epix.net/~artnpeg

 

[kurt wismer]

On Fri, 24 Feb 2006 18:05:54 -0500, "Jake Dodd" <[email protected]> [snip]
Frisk's definition of a virus includes intent in order to exclude
certain accidents which can occur with legit non-viral code.

I suppose Fridrik can prove from the program code that already.com
didn't intend to be a virus or worm and therefore isn't one.

nope, pretty sure he can't prove it from the program code... pretty
sure, in fact, that they're really just giving the guy the benefit of
the doubt if/when they say it wasn't intended to be a virus...

[snip]

I think programs should be classified by what they do rather than
by what someone thinks the programmer intended it to do If it
acts like a virus or worm, then it is one.

exactly... i agree 100%... we're saddled with a non-functional
definition for trojan horse programs (which, due to the pervasiveness of
trojans, happens to wind up applying across a broad spectrum of
malware), let's not accept the same for other forms of malware if we can
help it...

 

[kurt wismer]

Well, I dunno off hand if F-Prot alerts on already.com, but I think
it should, just as does KAV. It's a good example, actually, of how
intent is always involved, one way and the other.

if intent were involved then it seems to me neither kav nor f-prot
should alert on it, since it is widely regarded as being an
unintentional virus...

[snip]

In the real world you can't have detection-as-virus on every
code sequence that copies in a self-replicative way, since
situations arise where legit programs do that. The av researchers
are forced to take the legit intent of diskcopy.com (for example)
into account and make special provisions to _not_ alert on it.

and yet they alert on koh? a seemingly legit disk encryption program
that uses self-replication as an installation procedure...

I'm convinced that the overwhelming success of mainstream
av lies precisely in their dealing primarily with both known
malware and known non-malware ... and endlessly taking
intent into account regardless of the malware type. Their
dats or sigs are like combination black and white lists, in effect,
though not literally, of course.

that i agree with... their success is in not being bound by the strict
definitions of things...

 

[Art]

if intent were involved then it seems to me neither kav nor f-prot
should alert on it, since it is widely regarded as being an
unintentional virus...

I was referring to the description. Since Kaspersky said it was a bug
they were saying, in effect, that the author was assumed to have
"good intent". That's what I mean when I say intent is always involved
.... or rather judgements are made of the author's intention ... not
necessarily on whether or not to provide detection but rather on how
to classify it. In this case the classification was "commercial sw
with a dangerous bug".

[snip]

In the real world you can't have detection-as-virus on every
code sequence that copies in a self-replicative way, since
situations arise where legit programs do that. The av researchers
are forced to take the legit intent of diskcopy.com (for example)
into account and make special provisions to _not_ alert on it.

and yet they alert on koh? a seemingly legit disk encryption program
that uses self-replication as an installation procedure...

You'll have to elaborate. What's koh and which av alert by what names
(so I can find description(s))? Do they actually do a "This is a
virus!!!" kind of alert, or is the program put in one of those
commercial program categories where a mere warning message
is issued ... such as is often done with commercial keyloggers
and port scanners, etc. ? I know that KAV and McAfee in particular
"go lightly" on commercial sw detections (which have legit uses)...
and McAfee has a enable/disable switch for excluding such detections
entirely on their command line scanner.

that i agree with... their success is in not being bound by the strict
definitions of things...

Splendid!

Art

http://home.epix.net/~artnpeg

 

[kurt wismer]

'Fraid they do. I see a big difference between formal virus
definitions and practical definitions.

including intent is highly *impractical*... they may make exceptions in
exceptional cases but generally intent must be left out of the
equation... there are too many viruses created each day for them to ever
hope to divine the intent of them all...

If they worked with purely
formal defs, they'd be false alarming something fierce.

no, they wouldn't - that's the point of a functional definition... you
can't have a false alarm under that methodology - it is labeled a thing
because it performs the necessary functions that define that thing...

And
as Kurt Wismer loves to point out, the halting problem applies
to any attempt to find all possible viruses.

?? which is why they only attempt to find the viruses they have on hand
and (with heuristics) *some* derivative works...

In short, any such
attempt is doomed to fail ... the av detection algorithm would
never exit (halt).

i think you've gotten confused somewhere along the line...

the av program doesn't decide whether x is a virus, it detects what it's
developers tell it to detect and the developers decide whether x is a
virus based on x's function... the halting problem doesn't enter into
this particular method...

[snip]

The consesus view of av industry professionals (and my own view
as well) is that there is no such thing as a "good" virus. Vesselin
Bonchev (now at FSI) wrote a classical paper on the subject which
is discussed here:

there's a fairly big difference between bontchev's narrowly specified
"good virus" and simply a non-malicious (or unintentional) virus...

 

[kurt wismer]

Art wrote: [snip]

In the real world you can't have detection-as-virus on every
code sequence that copies in a self-replicative way, since
situations arise where legit programs do that. The av researchers
are forced to take the legit intent of diskcopy.com (for example)
into account and make special provisions to _not_ alert on it.

and yet they alert on koh? a seemingly legit disk encryption program
that uses self-replication as an installation procedure...

You'll have to elaborate. What's koh and which av alert by what names
(so I can find description(s))?

koh was a disk encryption program that resided in the mbr (not an
unreasonable place to put the code of a full disk encryptor) of hard
disks and the boot sector of floppy disks and was able to install itself
in new locations from the old location (basically it acted as it's own
installer)...

as you can imagine, it was classified a boot sector virus...

Do they actually do a "This is a
virus!!!" kind of alert, or is the program put in one of those
commercial program categories where a mere warning message
is issued ... such as is often done with commercial keyloggers
and port scanners, etc. ? I know that KAV and McAfee in particular
"go lightly" on commercial sw detections (which have legit uses)...
and McAfee has a enable/disable switch for excluding such detections
entirely on their command line scanner.

http://vil.nai.com/vil/content/v_98035.htm

i like how they say it "pretends" to be a security feature by encrypting
your information... it does encrypt it, and so long as you enter in the
same password you chose when you installed it it will also give you
access to the info decrypted in real-time...

i think they took a harder line with it because of some similarity with
an existing virus (it's not unheard of for some less clueful security
folks to try and use malware techniques in security apps) and some
programming bugs that made it 'dangerous'...

Splendid!

going to lengths to determine intent, however, is something that
generally does not occur... it *is* extra work, and time is often of the
essence with issuing malware protection...

 

[Art]

Art wrote: [snip]
In the real world you can't have detection-as-virus on every
code sequence that copies in a self-replicative way, since
situations arise where legit programs do that. The av researchers
are forced to take the legit intent of diskcopy.com (for example)
into account and make special provisions to _not_ alert on it.
and yet they alert on koh? a seemingly legit disk encryption program
that uses self-replication as an installation procedure...

You'll have to elaborate. What's koh and which av alert by what names
(so I can find description(s))?

koh was a disk encryption program that resided in the mbr (not an
unreasonable place to put the code of a full disk encryptor) of hard
disks and the boot sector of floppy disks and was able to install itself
in new locations from the old location (basically it acted as it's own
installer)...

as you can imagine, it was classified a boot sector virus...

Do they actually do a "This is a
virus!!!" kind of alert, or is the program put in one of those
commercial program categories where a mere warning message
is issued ... such as is often done with commercial keyloggers
and port scanners, etc. ? I know that KAV and McAfee in particular
"go lightly" on commercial sw detections (which have legit uses)...
and McAfee has a enable/disable switch for excluding such detections
entirely on their command line scanner.
http://vil.nai.com/vil/content/v_98035.htm

i like how they say it "pretends" to be a security feature by encrypting
your information... it does encrypt it, and so long as you enter in the
same password you chose when you installed it it will also give you
access to the info decrypted in real-time...

i think they took a harder line with it because of some similarity with
an existing virus (it's not unheard of for some less clueful security
folks to try and use malware techniques in security apps) and some
programming bugs that made it 'dangerous'...

When you say "they took a harder line with it" you're proving my
point. You're suggesting they did know it was a commercial program and
they did take intent into account. It's just that they decided to go
ahead and alert on it in this case.

going to lengths to determine intent, however, is something that
generally does not occur... it *is* extra work, and time is often of the
essence with issuing malware protection...

Nonsense. For one thing, probably the majority of samples are
collected by honeypots all over the world. I once read a Kaspersky
article on their methods. They also cruise the web, probably focussing
on porn, warez sites, and other "rich" sources. The suspicious samples
they collect by such means are extremely likely to be of malicious
intent and they need go no further in judging intent.

Insofar as fast reaction times go, they will of course have to "shoot
first and ask questions later", so to speak. If suspicious samples
they provide detection for turn out later to be commercial products
or other programs having legit uses (or other false alarms), they make
appropriate corrections later. You know there's a history of av
vendors even false alarming on other av vendor's products.

If malware could be strictly detected heuristically, it would be nice
but that's not the real world and you know it. Intent is built into
the concept "malware" and is always involved, regardless of the type
of malware. Antivirus products are designed to alert users to
"unwanted" or "undesirable" programs. As such, subjectivity
is inherent, and human judgements are always ultimately involved.

Art
http://home.epix.net/~artnpeg

 

[Art]

including intent is highly *impractical*... they may make exceptions in
exceptional cases but generally intent must be left out of the
equation... there are too many viruses created each day for them to ever
hope to divine the intent of them all...

??? There was nothing said there about intent.

no, they wouldn't - that's the point of a functional definition... you
can't have a false alarm under that methodology - it is labeled a thing
because it performs the necessary functions that define that thing...

Labeling and actually providing detection are two different things
entirely.

?? which is why they only attempt to find the viruses they have on hand
and (with heuristics) *some* derivative works...

Why the question marks? You're just making my point.

i think you've gotten confused somewhere along the line...

the av program doesn't decide whether x is a virus, it detects what it's
developers tell it to detect and the developers decide whether x is a
virus based on x's function... the halting problem doesn't enter into
this particular method...

That's what I was saying. I think you're one who's confused.

[snip]

The consesus view of av industry professionals (and my own view
as well) is that there is no such thing as a "good" virus. Vesselin
Bonchev (now at FSI) wrote a classical paper on the subject which
is discussed here:

there's a fairly big difference between bontchev's narrowly specified
"good virus" and simply a non-malicious (or unintentional) virus...

Whoops. You used the "u" word "uninintentional". You see? You keep
proving my point. Intent is always considered.

Art
http://home.epix.net/~artnpeg

 

[kurt wismer]

including intent is highly *impractical*... they may make exceptions in
exceptional cases but generally intent must be left out of the
equation... there are too many viruses created each day for them to ever
hope to divine the intent of them all...

??? There was nothing said there about intent.[/QUOTE]

sure there was, in the deepest quote... then on the outer quote
practicality was mentioned...

Labeling and actually providing detection are two different things
entirely.

non-sequitur - the detection algorithm uses the label... using the
formal definition cannot produce false alarms...

in fact, using any definition cannot product false alarms, by
definition... anything that meets the definition would be a true alarm
according to the definition being used...

the key part of a false alarm is that it is *false*, that it is a result
that contradicts the definition...

Why the question marks? You're just making my point.

actually i'm not... the question marks are there because the halting
problem has absolutely nothing to do with whether av vendors use the
formal virus definition or not...

they use the formal definition for classification and in rare,
exceptional cases they may make exceptions when deciding whether or not
to add detection...

That's what I was saying. I think you're one who's confused.

??? you implicitly reference the halting problem and and say that using
the formal definition would run into problems with the halting problem
(which it would not) and when i explain why the halting problem isn't
relevant i'm the one who's confused?

[snip]

Why can't they say it is a non-malicious virus? Why can't they even
conceive of a virus that wasn't created with bad intent? When they
start screwing around with definitions that were already in place,
they confuse people. Already.com is an unintentional virus, but is
a virus.
The consesus view of av industry professionals (and my own view
as well) is that there is no such thing as a "good" virus. Vesselin
Bonchev (now at FSI) wrote a classical paper on the subject which
is discussed here:

there's a fairly big difference between bontchev's narrowly specified
"good virus" and simply a non-malicious (or unintentional) virus...

Whoops. You used the "u" word "uninintentional". You see? You keep
proving my point. Intent is always considered.

intent is rarely considered... there aren't enough hours in the day to
allow them such a luxury...