-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, through heuristic scanning, they try this.  But I doubt this is
possible.  Even if they could come up with a way to detect 1 billion
different possible infection engines, all I have to do is scramble
one that they know of to come up with an unknown one.  Even something
as simple as adding 1 to a register, swapping that register with
another, subtracting 1 from it in the new location, and swapping the
registers back.  A few instructions there, and it almost certainly
slips under the scanning engine.  Even if they could detect this with
a small number of instructions, there are so many ways to obfuscate
the code without changing its function.  If on average only 1
instruction in 7 does anything, and that "actual" instruction isn't
always the 7th instruction (6 meaningless instructions, one real, 3
meaningless, 2 real, 15 meaningless), there isn't really a way to
detect that without knowing in advance what it will look like.  This
is why self-modifying virii are the hardest to pick up on.  Take any
regular virus, add a few lines of code designed to insert meaningless
code for scrambling purposes, and you have a new, nearly undetectable
virus.  Just make sure the scrambling routine also knows to scramble
itself (otherwise, the scanner just has to look for the scrambling
routine as its fingerprint).

Sounds like a nice idea, but I don't see it happening in the real
world.

Randy Graham

-----Original Message-----
From:   Dave Mikulka [SMTP:[EMAIL PROTECTED]]
Sent:   Wednesday, December 13, 2000 3:02 PM
To:     'Stephen Gutknecht (firewalls)'
Cc:     '[EMAIL PROTECTED]'
Subject:        RE: Undesired outbound data "leaking" - the next frontier?

Time to unlurk for a message or two....

Someone brought up a while ago that a real look to the future should
be in prevention.  To this day I still wonder why it is that the
antivirus software vendors don't take more steps toward PREVENTION.
In addition to constantly updating their lists of known virus
patterns, why aren't they spending some time and money to research
new possible patterns and prevent them?  'Cause let's be honest, if
there are hackers out there who can come up with new trojans, then
there are people out there who can be hired to create them ahead of
time and prevent them as well.
Obviously it isn't as simple as all that, but it would be nice to see
a company that actually took a serious effort in the right direction.
As a network admin, I know it sure would be nice to hear about a new
virus and find my system is already protected against it, instead of
having to clean it out of my network after the fact and install a
patch to amend the virus definition file.

Dave Mikulka

-----Original Message-----
From: Stephen Gutknecht (firewalls) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 13, 2000 2:05 PM
To: '[EMAIL PROTECTED]';
[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Undesired outbound data "leaking" - the next frontier?


Yes, but let's look toward the future.  Is this problem getting
larger or smaller?  Unless new programs like RealAudio/Napster/etc.
stop being created, I will say it could get larger.

Checksum of programs on the client --- that is exactly what
"Anti-virus" software is basically doing, scanning all files on a
system and doing pattern matching.  The anti-virus software vendors
are also in the business of making "lists" and distributing those
"lists" of patterns.

I personally don't see as much need for the real-time "system
slowing" non-stop virus scanning that Martin [[EMAIL PROTECTED]]
talks about for this type of issue.  A scan every 24 hours would seem
sufficient to identify potentially "undesired" programs (above and
beyond normal virus scanning).

I can think of two technologies available today:

  --- The netnanny web filter software.  These companies are in the
business of tracking the web pages out there and classifying them
based on porno and other factors.  What about "safe to post data"?
Yes, these lists of sites are far far far from perfect... but the
technology and model exists.
  --- The anti-virus checking of executables.

A new type of program and server?
===================================
Maybe there needs to be a new network protocol?  Maybe a digital
signature applied to the opening packet of a network session?  Maybe
some new type of program that runs on client PC's and requests
permission from an "outbound security server" before a firewall would
allow a new session?

That doesn't sound like a bad idea.  Something like ZoneAlarms that
runs on the client operating system and intercepts all outbound
traffic... but INSTEAD of asking the user of the PC ("do you want to
allow iexplore.exe to go outbound") -- it does a request to a
"corporate authorization server."  And base the program detection on
a digital signature/checksum -- not just the name of the exe!  So far,
at least one program (Zone Alarms) has proven sufficient at detecting
new outbound traffic sessions on a PC.

And besides, the firewall policy could be to block ALL OUTBOUND
unless authorized.  So if the person isn't running the "authorized
outbound requester program," or has a trojan that bypasses it --
outbound data would never get out...

The same could be said for user identification.  Perhaps "logging
into the firewall" should be required for outbound Internet use in
general.  We know who is in our email and custom applications, but we
really have no idea who a web surfer is (other than their machine
IP).

Oh yeah, one other thing... any program that blocks user access when
the program isn't authorized... it should allow the user to be sent
to a custom web page and not just pop up a "you can't connect" error.
This way the MIS-types can at least provide the user (via private web
server) with site-specific information on how to deal with the issue.

  Stephen Gutknecht
  Renton, Washington


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBOjfsmRmX7SWIy+ClEQKdDgCgusyyf+lWacqF5mcP5Tcz9ZA+fI0An2Xu
fYzLLqI2xK2XyUzek1FnRfV6
=f5n8
-----END PGP SIGNATURE-----
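The junk-insertion trick Randy describes (add 1 to a register, swap it with another, subtract 1 in the new location, swap back) worked through on a toy register machine, as an added example that is not part of any message in this thread. The instruction set, the "virus body" program, the byte-level signature and the junk generator are all constructed for illustration; the mutator itself lives outside the toy image, so the "scramble the scrambler" step from the post is not modelled here.

```python
import random

MASK = 0xFFFFFFFF                 # 32-bit registers, arithmetic wraps
REGS = ("r0", "r1", "r2", "r3")

# Constructed "virus body" for a toy ISA: computes r0 = r0 * 3 + 7, clears r2.
PAYLOAD = [
    ("mov", "r1", 3),
    ("mul", "r0", "r1"),
    ("addi", "r0", 7),
    ("xor", "r2", "r2"),
]


def run(program, r0):
    """Interpret a program with r0 preset; return the final value of r0."""
    regs = {r: 0 for r in REGS}
    regs["r0"] = r0 & MASK
    for op, a, b in program:
        if op == "mov":
            regs[a] = b & MASK
        elif op == "addi":
            regs[a] = (regs[a] + b) & MASK
        elif op == "subi":
            regs[a] = (regs[a] - b) & MASK
        elif op == "mul":
            regs[a] = (regs[a] * regs[b]) & MASK
        elif op == "xor":
            regs[a] ^= regs[b]
        elif op == "xchg":
            regs[a], regs[b] = regs[b], regs[a]
        else:
            raise ValueError("unknown op " + op)
    return regs["r0"]


def encode(program):
    """Serialise a program to the byte string a file scanner would look at."""
    return b";".join("{} {} {}".format(*insn).encode() for insn in program)


# A pattern-matching scanner stores the bytes of the known body as its signature.
SIGNATURE = encode(PAYLOAD)


def signature_match(program, sig=SIGNATURE):
    """True if the scanner's fixed byte pattern occurs in the program image."""
    return sig in encode(program)


def junk_sequence(rng):
    """A random instruction sequence whose net effect on every register is nil."""
    ra, rb = rng.sample(REGS, 2)
    kind = rng.randrange(3)
    if kind == 0:
        # the sequence from the post: add 1 to ra, swap ra/rb, subtract 1 from
        # the value in its new home (rb), swap back -> both registers unchanged
        return [("addi", ra, 1), ("xchg", ra, rb), ("subi", rb, 1), ("xchg", ra, rb)]
    if kind == 1:
        return [("xchg", ra, rb), ("xchg", ra, rb)]
    return [("addi", ra, 0)]


def mutate(program, seed):
    """Emit a functionally identical variant with junk spliced between the real
    instructions; a different seed gives a different byte image."""
    rng = random.Random(seed)
    out = []
    for i, insn in enumerate(program):
        # at least one junk sequence between consecutive real instructions, so
        # the original contiguous byte pattern never survives intact
        for _ in range(rng.randint(1 if i else 0, 3)):
            out.extend(junk_sequence(rng))
        out.append(insn)
    return out


def check_variant(seed, inputs=range(64)):
    """Return (signature_hit, functionally_equivalent) for one mutated variant."""
    variant = mutate(PAYLOAD, seed)
    hit = signature_match(variant)
    equivalent = all(run(variant, x) == run(PAYLOAD, x) for x in inputs)
    return hit, equivalent


if __name__ == "__main__":
    for seed in range(5):
        hit, equiv = check_variant(seed)
        print("seed=%d  signature hit=%s  same function=%s  length=%d"
              % (seed, hit, equiv, len(mutate(PAYLOAD, seed))))
```

Every variant computes the same function on every input, yet none contains the scanner's byte pattern. What the example also makes visible is the counter-move Randy alludes to: a scanner that cannot match the whole body could instead signature the junk generator's small repertoire (here only three sequence shapes), or emulate the code and match on behaviour rather than bytes, which is why the post insists the scrambling routine must scramble itself as well.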
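Stephen's proposal of an outbound authorizer that keys on a checksum of the executable rather than on its file name, sketched as an added example; this is not code from the thread or from any product named in it. The executable images, paths, the allow list, the destination strings and the intranet block-page URL are all constructed or assumed, and the "client" and "server" are plain function calls standing in for the request the client-side program would send to a corporate authorization server.

```python
import hashlib
from typing import Optional

# Constructed stand-ins for executable images on a client PC (not real files).
# Two of them share the name iexplore.exe; only one is the real browser.
BINARIES = {
    r"C:\Program Files\Internet Explorer\iexplore.exe":
        b"MZ\x90\x00 legit browser build (constructed)",
    r"C:\Windows\Temp\iexplore.exe":
        b"MZ\x90\x00 trojan hiding under the browser's name (constructed)",
    r"C:\Program Files\Napster\napster.exe":
        b"MZ\x90\x00 napster client (constructed)",
}

# Assumed intranet page the user is sent to instead of a bare "can't connect".
BLOCK_PAGE = "http://intranet.example.com/outbound-blocked"


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


# The corporate authorization server's allow list, keyed by content hash.
# Hypothetical policy: only the known browser build may open outbound sessions.
ALLOWED_HASHES = {
    sha256_hex(BINARIES[r"C:\Program Files\Internet Explorer\iexplore.exe"]):
        "Internet Explorer (approved build)",
}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def authorize_by_name(path: str) -> bool:
    """The weak check: decide on the file name alone (what a trojan can forge)."""
    return basename(path).lower() in {"iexplore.exe"}


def client_request(path: str, image: bytes, dest: str) -> dict:
    """What the client-side requester sends before a new outbound session."""
    return {"exe": path, "sha256": sha256_hex(image), "dest": dest}


def server_decide(request: dict) -> dict:
    """Default-deny: allow only if the image hash is on the list.  The name is
    reported for the log but never consulted for the decision."""
    digest = request["sha256"]
    name = basename(request["exe"])
    if digest in ALLOWED_HASHES:
        return {"allow": True, "program": ALLOWED_HASHES[digest],
                "dest": request["dest"], "redirect": None}
    return {"allow": False,
            "program": "%s (sha256 %s..., not on allow list)" % (name, digest[:12]),
            "dest": request["dest"], "redirect": BLOCK_PAGE}


def firewall_permits(decision: Optional[dict]) -> bool:
    """Firewall policy from the post: block ALL outbound unless the requester
    program obtained an allow decision.  No decision (requester not running,
    or bypassed by a trojan) means the session is dropped."""
    return decision is not None and decision["allow"]


if __name__ == "__main__":
    for path, image in BINARIES.items():
        req = client_request(path, image, "www.example.com:80")
        dec = server_decide(req)
        print("%-55s name-check=%-5s hash-check=%-5s -> %s" % (
            path, authorize_by_name(path), dec["allow"],
            dec["redirect"] or dec["program"]))
    print("no requester running:", firewall_permits(None))
```

The name-only check passes both files called iexplore.exe; the hash-keyed decision passes only the approved build and hands the denied user the block page so the helpdesk can explain what to do. A real deployment would also have to hash the image the OS actually mapped (not a path the requester was told about) and protect the requester-to-server channel, neither of which this sketch covers.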
