Trojan horse Downloader.Generic.ML

[Arthur Hagen]

The definition of virus ( www.invircible.com/glossary.php ) is: "A
virus is parasitic computer code that replicates by producing
functional copies of itself into host files. The infected hosts
inherit the replication ability of the affecting virus, in addition
to maintaining the original functionality of the host program or
file."

The last part requires that everything that was contained in the
program in its preinfected state, be still there, plus the necessary
changes made by the virus to incorporate its own code in the program
flow. A direct deduction is that all virus infections are
theoretically reversible, by reverting the changes made to the
program, and since nothing from the original code was lost. This is,
in a nutshell, the entire theory on which virus disinfection and
recovery is based upon.

You forget that a virus can *replicate* the functionality of a program
without keeping it, in which case there's nothing to revert back to.
This is most certainly true for most boot virus, and also some file
virus do this.

As to disinfection vs integrity restoration, everything disinfection
can do, restoration will do better, and much of what restoration will
do, can't be done by disinfection at all (like disinfection from
highly polymorphic viruses, or from new ones).

Or disinfection where the original is not retained at all.

I didn't expect you will, yet ...

The problem is with the word "nearly". Just for fun, place the eicar
test string in an NTFS or XFS stream for a file, and see how many
"properly implemented" real time integrity monitors will catch it. Or
do a prelink/requickstart of executables and libraries and see how many
of the monitoring programs that will go nuts because the files have
changed.

(So far I know of only *one* AV product that breaks down a file into
different hunk types and only scans the relevant bits. And it doesn't
do monitoring. And only *one* product that checks streams, and it's not
an AV product, but an anti-spyware product.)

Regards,

 

[Roger Wilco]

Not really, and there are good reasons why not. The most famous data diddler,
is the now extinct Ripper boot virus. Even at the peak of the boot infectors
short era, Ripper was more of a conversation piece than a real threat (Simon
Widlake would mention it often). The reason for its rarity is that
destructiveness counters prevalence: The more destructive malware is, the
lesser are its chances to survive and spread.

But now we are starting to see so-called Warhol worms with destruction
triggered at peak population. Were talking malware here not just
viruses.
[snip]

I just knew that "overwriters are not viruses" would be revisited, but
at least it isn't me this time.

You seem having forgotten the very basics of virus and antivirus technology.
Here is a brief reminder (state of the art ca '95) :

The definition of virus ( www.invircible.com/glossary.php ) is: "A virus is
parasitic computer code that replicates by producing functional copies of itself
into host files. The infected hosts inherit the replication ability of the
affecting virus, in addition to maintaining the original functionality of the
host program or file."

For those that might be interested, here's this from:

www.madchat.org/vxdevl/papers/avers/afl01.pdf

(a very good read technically - I found the English a little "bumpy"
though)

***************

Definition 4.1.: A computer virus is defined as a part of a program
which is attached to a
program area and is able to link itself to other program areas. The code
of computer virus
has to be executed when that program area is to be executed which the
virus has been
attached to.

Viruses have not to execute the original part of the program area, but
the viruses often do
it because they want to be unobserved. In this case the original part of
the program area
has to be repaired by the virus. In the opposite case the virus may
overwrite the program
area thus the virus destroys it.

****************

The definitions of "virus", "worm" and "trojan" are often tailored to
the specific needs of the area of technology the expounding person
inhabits. IMO this "Mathematical Model of Computer Viruses" should be
the thread their "virus definition" fabric is woven from. If the need
arises (and it apparently has) to create a dichotomy between viruses
with "reversible virus infection methods" to those with "irreversible
virus infection methods" and futher with those with "neuterable virus
infection methods", then they should define new words to describe them
and not redefine existing words.

 

[Art]

If you are talking about ISPs giving out broadband access via wireless
you are correct. The topic however was about people cracking wireless
access points, routers etc so I assumed you were talking about. (ie.
people on ADSL/DSL/T?/E? wired connections sharing out using an AP)
If so then yes I am saying its impossible to stop customers using wireless.

Why?

Art

http://home.epix.net/~artnpeg

 

[Chris Salter]

Why?

Obviously they could come around your house and check. Or they could
setup remote cameras/antennas to check. Not exactly cost-effective.

Go and find all the relevant RFCs (NAT, ethernet, wireless bridging) etc
and show me how they could detect it? To all intense purposes all the
ISP sees is the traffic from ISP <-> Router. (This isn't strictly true
of course. BUT routers could obfuscate the client data if need be or
you could use local proxies).

 

[Roger Wilco]

Not terribly long ago, F-Prot for DOS started using internal structure
by default. I haven't checked, but I've been sort of ASSuming that
internal structure basis is being used quite commonly now with av
scanners. Something to look into.

I knew Sophos did from a whitepaper by them I had read. Others' I wasn't
so sure about. They could still use extension based exclude lists for
the control program (don't even look at files named *.txt,
pagefile.sys...) but it makes me wonder whether files with extensionless
filenames can hide from other security schemes this way. I have only
seen 'include' lists with reference to filetype blocking (when someone
asks what filetypes by extension he or she should be concerned with
allowing in by for instance e-mail).

 

[Roger Wilco]

[...]
That file may be a malware related file, but it itself is not malware
(it is not executable and as such is not a threat) and any scanner that
detects it as such is wrong (but some would do so purposefully to get
better scores in AV comparative tests - like detecting boot sector
viruses in "files" like .bak backup files..

Based on the NULL sample inspection:

The file has a PE structure (Mark Zbikowsky's marker, 16 bit EXE stub, PE
extended header and sections) but it isn't directly executable. Which doesn't
mean much as many non-executable objects used in Windows have that structure,
like font files, to mention one example.

It could be malware related, but it could be anything else just the same.

The only way it could be
executable is if it is an OLE2 filetype (.doc) that has been renamed
extensionless. It is a good idea for scanners to completely ignore
extensions and determine filetypes by their internal structure - but
this adds too much scanning time I suppose.

Most scanners have the option to scan "all files", regardless of their extension
name. Generally, it's a bad idea to scan all files as it increases both false
alarms and scan time.

As for on-access AV, I wouldn't recommend it checking all files, under no
circumstances.

That's what I thought, thanks.

The on-access (and to some extent the on-demand) should not be telling
you "this may contain this or that" but rather that "you might not want
to execute this because this or that may execute as well" - if it is
non-executable then there would be no point in warning about the
possible consequences of executing it. If people want to know if a
threat will exist if they extract and execute the contents of a
container or text file , that would be fine for an on-demand option but
might be a problem for on-access. The advent of malformed archive file
exploits could have used this on-accesslike e-mail scanning
functionality to auto-spread. Why do such an unneeded thing when it
increases complexity and hence risk.

 

[Art]

Obviously they could come around your house and check. Or they could
setup remote cameras/antennas to check. Not exactly cost-effective.

Go and find all the relevant RFCs (NAT, ethernet, wireless bridging) etc
and show me how they could detect it? To all intense purposes all the
ISP sees is the traffic from ISP <-> Router. (This isn't strictly true
of course. BUT routers could obfuscate the client data if need be or
you could use local proxies).

In some cases, though, I think certain illegal activities could be
traced without much difficulty. My ISP happens to be owned by the
telephone company. Take a different kind of case where idiots give
away their user name and password to friends. On dialup, there is the
correlation to telephone # to work with. And telcos may cooperate
with ISPs on this sort of thing in the more general situation.

In my case with DSL service being supplied by, in effect, the telco,
I'm not so sure my line and others couldn't be tracked by the telco if
I was crazy enough to give away my user name and passwiord ... or if
it was a wireless crack that did the evil deed.

I dunno, but it's along these lines that I have in mind ...
cooperation betrween telcos and ISPs to track down this sort of crap.

In talking to some young people and listening to their conversations,
I get the impression that many don't care one whit about any of this,
and all kinds of illegal stuff is going on ... and there is
practically no use use made of even the available security measures.
If things get bad enough, you can damn betchum there will be
crackdowns, in spite of the apparent technical difficulties in finding
and booting off these characters

Art

http://home.epix.net/~artnpeg

 

[Zvi Netiv]

You forget that a virus can *replicate* the functionality of a program
without keeping it, in which case there's nothing to revert back to.
This is most certainly true for most boot virus, and also some file
virus do this.

The discussion is about plain integrity checkers versus AV adapted integrity
checkers/restorers. See <[email protected]>

Regards, Zvi

 

[kurt wismer]

On Tue, 21 Jun 2005 22:56:24 -0400, kurt wismer <[email protected]>


I'm wondering if ISPs are starting to crack down on the use of
wireless.

i'm wondering how you think they could even detect that... the network
traffic that they see will all have the IP address of the router, not
the machines connecting to it - and even if they could tell there were
multiple machines connecting to a router there's no way to tell what
medium was used for the connection...

 

[kurt wismer]

Art wrote:
[snip]

In some cases, though, I think certain illegal activities could be
traced without much difficulty. My ISP happens to be owned by the
telephone company. Take a different kind of case where idiots give
away their user name and password to friends. On dialup, there is the
correlation to telephone # to work with. And telcos may cooperate
with ISPs on this sort of thing in the more general situation.

in the case of wireless freeloading it would be as if they were all
using the same phone - no help there...

 

[kurt wismer]

Not really, and there are good reasons why not. The most famous data diddler,
is the now extinct Ripper boot virus.

i'm talking about existence - you're talking about prevalence... that is
not a useful tangent...

[snip]

Only a fool will claim that there exist no malware that corrupts data, but a
producer must really have no sense to optimize an AV product for such rare
singularity.

and on this point we diverge again - plain integrity checkers belong to
a much broader class of diagnostic tool than anti-virus programs so i
have no expectation that they should only take into account those events
that anti-virus products are concerned with...

[...]

actually, i don't think they are the same thing... i don't believe users
are incapable of such, i believe they are unwilling...

I am both willing and experienced, but unable to tell viral from benign if all
that I could use was Stiller's Integrity Master.

and why would anyone be using *just* an integrity checker?

a clever application of clean booting, backups, and integrity checking
would allow one to trace the generation of viral offspring in most cases
(the exception being those cases where you cannot coax the 'infected'
file to produce offspring)...

[...]

sophos used propaganda to justify being a less attractive option? that
really doesn't make a whole lot of business sense... you (the general
you) can't claim that action X can't be done satisfactorily so you won't
do it and expect potential customers to accept that when most other
vendors provide products that do perform action X...

Sophos decision to not disinfect was a business decision, and the "ideology"
attached to was propaganda. Fact that it worked!

whatever - i suspect sophos' success has more to do with the fact that
the market treats disinfection like an afterthought - people are far
more concerned with prevention and on that criteria sophos compares
favourably with the competition...

You seem having forgotten the very basics of virus and antivirus technology.
Here is a brief reminder (state of the art ca '95) :

The definition of virus ( www.invircible.com/glossary.php ) is: "A virus is
parasitic computer code that replicates by producing functional copies of itself
into host files. The infected hosts inherit the replication ability of the
affecting virus, in addition to maintaining the original functionality of the
host program or file."

The last part requires that everything that was contained in the program in its
preinfected state, be still there, plus the necessary changes made by the virus
to incorporate its own code in the program flow. A direct deduction is that all
virus infections are theoretically reversible, by reverting the changes made to
the program, and since nothing from the original code was lost. This is, in a
nutshell, the entire theory on which virus disinfection and recovery is based
upon.

then it is a) flawed (as overwriting infectors *are* viruses according
to just about every definition i've seen other than yours), and b) a
non-sequitur (as integrity checkers are for more than just detecting
viruses - there's this little thing people sometimes call a payload)...

 

[kurt wismer]

But now we are starting to see so-called Warhol worms with destruction
triggered at peak population. Were talking malware here not just
viruses.

on top of warhol worms there are also the plain ordinary trojans which
are now able to be spread far and wide enough by manual labour as to
become a significant enough problem for anti-virus products to change
their focus...

[snip]
I just knew that "overwriters are not viruses" would be revisited, but
at least it isn't me this time.

overwriters are viruses by cohen's formal *and* informal definitions...
if zvi wants to use his own definitions, he's free to do so but the
discussion won't go very far...

[snip]

For those that might be interested, here's this from:

www.madchat.org/vxdevl/papers/avers/afl01.pdf

ugg - pdfs...

how about http://all.net/books/integ/japan.html

-------------
In 1984, the first experiments with `Computer Viruses' as we know them
today were performed. [1] To quote this paper:

``We define a computer `virus' as a program that can `infect'
other programs by modifying them to include a possibly evolved copy of
itself.''

These `Viruses' had many implications for integrity maintenance in
computer systems, and were shown to be quite dangerous, but their
potential for good was also introduced. A practical virus which reduced
disk usage in exchange for increased startup time was described, and
this technique that is now commonplace in personal computer systems. A
formal definition for viruses, which for mathematical reasons
encompasses all self-replicating programs and programs that evolve and
move through a system or network, was first published in 1985. [4] This
encompassed many of the worm programs under the formal umbrella of
computer viruses. This work also pointed out the close link between
computer viruses and other living systems, and even melded them into a
unified mathematical theory of `life' and its relationship to its
environment. These experiments were terminated rather forcefully because
they were so successful at demonstrating the inadequacy of contemporary
computer security techniques, that administrators came to fear the
implications.

 

[Art]

i'm wondering how you think they could even detect that... the network
traffic that they see will all have the IP address of the router, not
the machines connecting to it - and even if they could tell there were
multiple machines connecting to a router there's no way to tell what
medium was used for the connection...

You're thinking "inside the box" again. Try using a little imagination
and creativity.

For xDSL, high gain rotary antennas at every telco office sweeping a
radius of up to four miles ... backed up with digitial cracking sw ...
should do the trick very nicely.

In my geographical region where the only ISP offering xDSL is owned by
the telco, such monitoring boxes don't seem very far fetched or even
very futuristic. They could be produced in volme at relatively low
cost. More futuristically and generally, I envision close cooperation
between telcos (who have an interest in this as well) and ISPs.

Cable providers will want to jump on this bandwagon as well ... and
they will help defray the costs of monitoring in return for the info
provided.

Art

http://home.epix.net/~artnpeg

 

[Chris Salter]

You're thinking "inside the box" again. Try using a little imagination
and creativity.

For xDSL, high gain rotary antennas at every telco office sweeping a
radius of up to four miles ... backed up with digitial cracking sw ...
should do the trick very nicely.

In my geographical region where the only ISP offering xDSL is owned by
the telco, such monitoring boxes don't seem very far fetched or even
very futuristic. They could be produced in volme at relatively low
cost. More futuristically and generally, I envision close cooperation
between telcos (who have an interest in this as well) and ISPs.

Cable providers will want to jump on this bandwagon as well ... and
they will help defray the costs of monitoring in return for the info
provided.

Sigh....

How would the Telcos prove that the wireless signal they have found is being used by

a) their customer
b) carries internet access on it and
c) being used illegally

I have wireless in my house, its has nothing to do with my ISP what I do with my wireless signals, or what my wireless signals carry.
Suggesting that ISPs/Telcos have the right to sniff and crack communications is utterly mad.

 

[Art]

Art wrote:
[snip]

In some cases, though, I think certain illegal activities could be
traced without much difficulty. My ISP happens to be owned by the
telephone company. Take a different kind of case where idiots give
away their user name and password to friends. On dialup, there is the
correlation to telephone # to work with. And telcos may cooperate
with ISPs on this sort of thing in the more general situation.

in the case of wireless freeloading it would be as if they were all
using the same phone - no help there...

Not necessarily. I can envision individual line locater technology
used by telcos to track down xDSL abusers.

Art

http://home.epix.net/~artnpeg

 

[Art]

Sigh....

Sigh back

How would the Telcos prove that the wireless signal they have found is being used by

a) their customer

By pinpointing (to some extent) their geographical location and doing
a bit of detective work.

b) carries internet access on it and

By the nature of the rf signals, obviously, and packet content once
cracked.

c) being used illegally

See above.

I have wireless in my house, its has nothing to do with my ISP what I do with my wireless signals, or what my wireless signals carry.

Not if you're freeloading ISP service. You're safe for now only if you
use strong WAP.

Suggesting that ISPs/Telcos have the right to sniff and crack communications is utterly mad.

Methinks thou protesteth to much. You must have something to hide.

Art

http://home.epix.net/~artnpeg

 

[Chris Salter]

By pinpointing (to some extent) their geographical location and doing
a bit of detective work.
Hahaha.

By the nature of the rf signals, obviously, and packet content once
cracked.
Nonsense.

Not if you're freeloading ISP service. You're safe for now only if you
use strong WAP.

I'm not freeloading anything, my wireless network carries MY network data.

Methinks thou protesteth to much. You must have something to hide.

I have *lots* to hide. Obviously you don't. Please post all your personal details,
social security, CC numbers, friend details, telephone numbers, passwords, email address onto usenet.

 

[Art]

Hahaha.

You do have a funny ISP indeed that doesn't require thar a user name
and password be sent for email and newsgroup access. With a cracked
WEP (or none at all) that's one item of several that can be sniffed.

I'm not freeloading anything, my wireless network carries MY network data.

So you do pay for ISP service then. Splendid Many don't. And I'm
sure many freeloaders can be found ... and the idiots who give their
ISP access away to others.

Art

http://home.epix.net/~artnpeg

 

[Chris Salter]

You do have a funny ISP indeed that doesn't require thar a user name
and password be sent for email and newsgroup access.

My wireless network is NOT connected to the internet FULL STOP. No passwords or usernames
are sent through the air.

With a cracked
WEP (or none at all) that's one item of several that can be sniffed.

So what? Cracking and sniffing are (in the UK at least) illegal. You think telco are above the
law? You think they have a right to go and crack into my network? You think they have the right
to the details of my myself and my family? You think they should be allowed to listen to my phone
calls, open my mail, come around and plug into my network?

So you do pay for ISP service then. Splendid Many don't. And I'm
sure many freeloaders can be found ... and the idiots who give their
ISP access away to others.

I'm on cable and yes I do pay. Obviously you believe that a minority breaking the law gives
companys a legal right to break it as well? Or you believe we should all live in a nanny state?

 

[James Egan]

So you do pay for ISP service then. Splendid Many don't. And I'm
sure many freeloaders can be found ... and the idiots who give their
ISP access away to others.

It all gets added onto the account holder's download limit and they
will be charged accordingly.

Over here, most ISP's are moving away from unlimited access accounts.
Mine used to be unlimited but now has a cap of 30GB per month though
they did offer the sweetener of a 2Mb download speed instead of 1Mb at
no extra cost.

There's no way ISP's are going to hack into wireless networks on the
off chance of catching a freeloader. They're in the business for the
money and any misuse can easily be contained by the application of
download limits or surcharging for going over allowed limits.


Jim.