A
K
kurt wismer
Art said:
to detect wireless signals (maybe), but not to determine whether the
owner of the wireless access point is ok with the connections being made...
of course i'm pretty sure such 'listening posts' will run afoul of some
kind of privacy law... i discounted them for precisely that reason...
Z
Zvi Netiv
kurt wismer said:
Being a producer, my focus is on the practical aspects, of course.
[...]
I have no interest in general purpose integrity checkers, only in those offered
as AV tools, like Integrity Master, which you brought to the discussion.
[...]
Where do I claim that anyone should? In case you forgot, the approach that I
promote is generics and consists of the use of *multiple* and individually
*generic* methods, used *simultaneously*, and mutually *independent*. See
www.invircible.com/papers/IV4Enterprise.pdf
You are demanding far too much from the common user.
[...]
You assume sophistication where there is none. The limited success of Sophos in
their local market (UK) is due to concentrating on the corporate niche and not
wasting efforts on the consumers market.
[...]
An overwriting infector in researchers' terminology, and what you believe they
mean by that, are totally different things. To that category (overwriting
infectors) belong cavity infectors, like Lehigh (a DOS infector of command.com)
and CIH (PE infector). Cavity infectors conform to the definition of "virus" as
brought above, to the word. The part of the host file that is overwritten by
the virus is an unused section, nothing functional of the pre-infected file is
overwritten, and hence, nothing of the original code is lost.
A program that overwrites the host indiscriminately may be called an overwriter,
but not infector, maybe a Trojan. Hence, your "overwriting infector" is
fiction, no such thing exists.
As to genuine overwriting *infectors*, they respond to the same processing as
ordinary parasitic infectors do, i.e. they can be disinfected by cleaner
procedures, or generically restored from integrity signature.
Regards, Zvi
K
kurt wismer
Zvi said:
these days a threat can go from theoretical to 'practical' in a matter
of minutes...
and there have already been data diddlers in the past so i really don't
think it's too unlikely that there will be more in the future...
integrity master is an integrity checker with anti-viral applications...
it does (did) have a few small features specific to virus detection,
but they are not the primary features of the software...
you may not like the way integrity master was designed, but it's not
your product and the developer doesn't answer to you...
not "should", "would"... and you described exactly that condition above
with "if all that I could use was Stiller's Integrity Master"... that's
an entirely arbitrary and artificial circumstance...
but perhaps this is yet another point at which we diverge - as you seem
to think a producer should try to provide all the parts to the virus
prevention puzzle instead of just doing one thing really well... some of
us actually think mixing and matching to get the best performance out of
the various technologies available is a good strategy...
[snip]
i'm not demanding anything... you described what you could (or rather
couldn't) do, i described what i could do
it's sophistication for the masses to only care about what the
anti-virus media machine tells them to care about? or is it the
anti-virus media machine itself that represents the non-existent
sophistication?
and corporations are somehow magically easier to dupe into believing the
sophos propaganda? sorry, but corporations are run by the same sorts
of people that are in the consumer market, they make their decisions in
much the same ways except that they choose between corporate products
instead of home-user products (usually)... the waving of hands and
saying they stuck to the corporate market doesn't explain *why* people
choose them over the alternatives when the alternatives offer something
they don't...
[snip]
yours is the only definition i've seen that requires the original host's
functionality be left intact... why i, or anyone else, should choose to
use your definition over that of, say fred cohen, is beyond me (except
from a producer's point of view i suppose it makes the virus problem
statement easier to cope with when the definition of virus is changed to
exclude the problem areas)...
Z
Zvi Netiv
kurt wismer said:
You repeated that nonsense so many times that you seem believing it yourself.
Check IM's home page at www.stiller.com and see its anti virus nature all over
the place.
[...]
Now you are plagiarizing me. ;-)
[...]
Obviously, you haven't seen everything yet.
Besides, the definition Ibrought isn't mine and it doesn't contradict F. Cohen's.
Regards, Zvi
K
kurt wismer
Zvi said:
the website plays up the anti-virus application of the software because
that's what distinguishes it from all the tools whose sole purpose is to
check for corruption...
[...]
Obviously, you haven't seen everything yet.
brought isn't mine and it doesn't contradict F. Cohen's.
his informal definition does not require that the original functionality
of the host be maintained, and his formal definition states that all
self-replicating programs are viruses... neither of these agree with the
assertion you've put forward that viruses must maintain the original
functionality of the host program...
R
Roger Wilco
Maybe not a contradiction since he makes no mention one way or the
other. But it wasn't omitted 'out of hand' it was omitted because it
doesn't matter whether or not host function is maintained. The only part
the host must play is that attempts to execute the host execute the
virus. The definition you use puts further constraints on the virus and
you sort of contradict what is inplied by Cohen's definition where he
saw fit to omit any mention of host function being retained.
In an arena of recovering files after having been infected by a virus I
would like to use the same definition as you - any complaints about not
being able to recover some files could be countered by "that was done by
a trojan, not a virus - see my definition of virus" <URL>.
)
J
James Egan
As an aside, I happened across an article about this same
vulnerability in ms word and excel.
http://www.securiteam.com/securityreviews/5KP0G20EUE.html
All versions of a (password protected) saved document use the same
initialization vector so if you get hold of two different versions of
the same document or a document which has been "saved as .." then
subsequently edited and xor them against each other, you can read a
portion of the output with winhex (or whatever). I just did a test
with ms word 2k and could read more or less the complete text but
apparently it applies to all versions of word and excel which use rc4.
Jim.
Z
Zvi Netiv
Roger Wilco said:
Cohen's definition of virus: "A program that can 'infect' other programs by
modifying them to include a possibly evolved version of itself".
The definition I use expands on what is implied in the above. Nothing was
omitted, nor added.
Regards, Zvi
R
Roger Wilco
Zvi Netiv said:
The above implies nothing about the host's function still being intact.
The 'inclusion' of something in a set does not imply that something else
was not excluded - neither does it imply that it wasn't. You added that
original host function must be retained in the resulting infected
program thus further constraining the set of what you will call a virus.
Z
Zvi Netiv
Roger Wilco said:
The subject was discussed at length in the thread below, in which you took part.
http://groups-beta.google.com/group/alt.comp.anti-virus/msg/672df4cd6947d7cc
I see no new arguments worth discussing.
Regards, Zvi
K
kurt wismer
Zvi said:
in other words, your fingers are in your ears and you can't hear him...
R
Roger Wilco
Zvi Netiv said:
With your obvious grasp of technical material it just surprised me that
you use this as a definition for virus. Ay least this time I don't feel
so all alone in my reluctance to agree with it. In any future
discussions about viruses we'll just have to keep in mind that you use a
rather unique definition.
Z
Zvi Netiv
Roger Wilco said:
I first used that definition in my presentation (and paper) to the NCSA
Conference of '91, in front of almost everyone in the field, at that date. I
don't remember any objection to my interpreted definition from the audience, not
then, nor later on, in endless discussions on generics vs classic AV. On the
contrary. Quite a few adopted my interpretation and based similar features upon
(Thunderbyte, Symantec, BRM - Fifth Generation, Eliashim).
From you it almost sounds like being excommunicated. ;-)
Regards, Zvi
R
Roger Wilco
Zvi Netiv said:
And yet the paper I quoted the definition from was titled "EICAR 2000
Best Paper Proceedings" and the author saw fit to explicitly state that
host functionality was not an issue instead of simply omitting any
mention of it. Probably to avoid another misinterpretation such as you
exhibit. In our previous discussion you also seemed to have
misinterpreted something about first generation viruses - just because
they are deemed not worthy of inclusion in test beds for AV comparatives
does not mean they fail to meet the definition of virus. Sure, some
can't be treated the same in the AV arena because they are not
"infected" per se but they do meet the definition. You were correct
about them being "best treated" as trojans - but that doesn't make them
trojans and not viruses.
Not so bad really - it's not like we're ever likely to to need to
discuss thoses viruses that don't preserve host functionality since most
of them do. But if one fails to achieve this in some spreading attempts
it (the corrupted host with added viable viral code) should still be
considerd a virus if the attempted execution of the host results in
execution of the virus code.
Z
Zvi Netiv
Roger Wilco said:
Our previous discussion was about whether overwriters should be considered
viruses or not. Gen 1 samples were introduced to the discussion from Bontchev's
paper on how to maintain a virus collection. I have no particular position in
regard of these samples. You may consider them as valid viruses according to
the definition, including my stringent one. Gen1 are actually a "do nothing"
executable to which the virus code was added. The only difference between a
gen1 file and a real infection is that the latter was created by a spontaneous
infection process, and the previous was created artificially, through
compilation. Note that spontaneity isn't required anywhere in the definition of
virus.
You are confusing between droppers and genuine first generation virus samples.
Do you have a difficulty admitting that they all do? ;-) Taking it one step
further, can you formulate in words what that implies? Could it be that
preserving the host functionality is inherent to "virus" conduct? It's called
the scientific method, if you didn't know.
If it systematically corrupts rather than infect, then it's not a virus. If it
exhibits irregular behavior, e.g. some instances fail to infect while others
succeed, then it's a buggy virus, and if the botched infection resumes normal
viral behavior when being executed, then it's a singularity and it's unimportant
what you call it.
Regards, Zvi
R
Roger Wilco
Zvi Netiv said:
Specifically those overwriters that don't retain host functionaltiy. I
say that they should still be considered viruses because they still fit
the definition(s) - except for yours
)IIRC you compared overwriters to the first generation viruses because
you felt that the overwriters were essentially first generation viruses
on each iteration - and hence are more akin to trojans than viruses.
Detectors don't generally find this sort of thing when they are geared
specifically to recognize "infected" files of the type that your
definition indicates, so I can see why you would want to exclude them
via your definition.
I suppose so, considering what you say below.
Since there was no functionality to be preserved in what is now the host
"file" your definition works well enough.
samples.
Even droppers are viruses if they create a copy of the viral code they
'contain' in another executable area.
Maybe I 'do' need some clarification of the terms "seed file", "germ
file", and "dropper file". But it seems to me that any of them would be
viruses if they contained the viral code and their execution resulted in
that code being replicated into another program. AV may well be best
applied to subsequent iterations (spontaneous infection process), but
changing the definition of virus so that failing to cover them is not
akin to failing to detect a "virus" only serves to confuse.
A batch file (.bat) that overwrites other batch files with itself does
exist - so I would have difficulty ignoring that fact. Without added
"host funtionality retention" programming it would not be a very
sophisticated virus, but it is still a virus.
One could argue that other "virus conduct" such as avoiding multiple
infections of the same program should be included in a definition. Just
because it is a great advantage to have that conduct does not mean that
conduct should become a part of the definition.
It's called
the scientific method, if you didn't know.
It is bad science to ignore existing things just because they aren't
often seen.
virus.
If the corruption prevents the execution of the viral code, then it is
not a virus. If the corruption only negatively affects the original host
programs functionality and yet still correctly executes the viral code,
then it 'is' a virus.
Incidently, it is also not a virus (TM) if it corrupts the parent and
only produces one offspring. Kurt mentioned in an earlier thread that he
doesn't think this "non-overlapping" requirement was entirely
necessary - but in a CA program (Life) you could have "sliders' that
repositioned themselves (one unit diagonally?) and that would differ
from a somewhat richer CA that replicated itself to another area of the
2D tape without the new position overlapping the old position.
Some programmatically and intentionally (the writers intention) exhibit
such behavior to make emulation based detection more problematic.
Something being "buggy" implies it was not what the author intended.
Or do you have a unique definition for "buggy" as well.
)Interesting, could you explain this more? It seems that "botched
infection" implies that it isn't a viable offspring and yet you say
execution yields viral behavior which seems to indicate it 'was' viable.
Is it this 'host functionality retention' that is "botched" in your
above statement? If so, the "infection" wasn't botched - only the
attempt to retain host functionality was botched. So I would call it a
virus because I don't use your definition of virus.
K
kurt wismer
Zvi said:
people generally do have difficulty admitting that which they know to be
false...
Taking it one step
further, can you formulate in words what that implies? Could it be that
preserving the host functionality is inherent to "virus" conduct? It's called
the scientific method, if you didn't know.
the scientific method calls for needlessly injecting further constraints
into existing definitions?
it is only by your definition that corruption of the host and infection
are mutually exclusive... the real world is rarely so black and white...
Z
Zvi Netiv
Roger Wilco said:Specifically those overwriters that don't retain host functionaltiy. I
say that they should still be considered viruses because they still fit
the definition(s) - except for yours
Sorry, but I don't find it interesting to discuss that subject again.
Regards, Zvi