Thanks everyone for the interesting responses. I wasn't aware that libpcap
could be installed without a reboot, and for me that changes the relevance
of everything I said. That said, I still believe that the addition of this
as a core os function is a concern, and everyone else has the right to
believe that it isn't.
I don't think I underestimate the skills of the top virus writers out
there - I know they are very very good and very hard to stop. The people I
was referring to were the ones who aren't trying to do something interesting
like the encrypted plug-ins and auto-updating from usenet, but simply use
those kits to make nasty VBS variants. And yes, the information age means
that only one person needs to write a really good trojan before thousands
can be using it the next week.
I propose just one more argument to this debate. We know that someone can
write an extremely nasty trojan and get it out in use quickly, regardless of
what operating system is in use. And like Paul said we're starting to see
more .exe virii around as the skilled virii programmers get more Win32
savvy. But I believe fewer people can make these work than can give it a go
with a VBS approach. And surely the anti-virus vendors have a better chance
at keeping up with the game if only a fraction of those capable of writing
virii using kits are capable of writing trojans to use libpcap? I'm not
saying that they can't do it, but if it is simple enough to come in a kit then
anyone who feels so inclined can do it. If it requires actually picking up
some books and learning Win32 programming, won't they just go back to
watching MTV?
Ari.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Paul D. Robertson
Sent: Thursday, 7 June 2001 11:14 PM
To: Ari Weisz-Koves
Cc: [EMAIL PROTECTED]
Subject: RE: This is a must read document. It will freak you out
On Thu, 7 Jun 2001, Ari Weisz-Koves wrote:
> The reason I see to be scared is that suddenly the mainstream operating
> system used by the least cautious people around, with the best
> application/os integration providing the easiest trojan methods will by
> default be able to be used for packet forging attacks.
It really isn't that big of a deal, there are already enough trojaned
Win9x clients out there that even using real addresses doesn't make it
easy to stop them.
> Correct me if I'm wrong with the details, but with Windows 95/98/NT/2000
> wouldn't the trojan have to figure out the network interfaces, install
> a packet driver, reboot the system then run itself again to begin the
> attack? Sure, someone out there is probably good enough to write this, but
More than "someone," it's not that difficult a task. The interface is in
a registry key. Rebooting is simple, and there are *lots* of ways to
ensure that your code gets called again after reboot.
> the majority of vicious virus-writing pranksters wouldn't have the skills to
If you mean "Generated by VBSWG" pranksters, yes; if you mean "Actual
virus authors" then I think you _seriously_ underestimate them. Because
of the hiatus of executable viruses while the bad guys were learning about
Win32 programming, there's been a comfort level that's been pretty high:
macro detection is almost 100% these days, and VBS worms tend to be kit
generated, and the only thing that gets through is newer versions of the
kit for the most part. That's currently changing, and we're starting to
see more .exe code. Those tend to have to be caught one by one, unlike
the kit-generated stuff.
> write one in a way that wouldn't suspiciously reboot the system or show up
> in some blaring obvious way to the end user. Isn't this just above the skill
> level of the majority of virus writers? If the interface is already
> installed and easily usable through the standard APIs on the os, isn't the
> danger that it just makes it too accessible to those who might want to cause
> such damage?
Look at the auto-updating, plug-in using, trusted signed code only trojans
currently floating around, then think about the skillset needed to add a
packet driver and stick around for a reboot.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]