On Sat, 8 Nov 2008, Peter Evans wrote:
> On Fri, Nov 07, 2008 at 01:32:29PM -0500, John LaCour wrote:
>> After finding hundreds of phishing web sites compromised and PHP shells and
>> other backdoors installed, I got to wondering why AV products weren't being
>> used to detect these things. If I had a webhosting business, I'd certainly
>> be looking to find unwanted files installed on servers. What do you use to
>> do that? AV products.
>
> Starting with the bigotry, I hate PHP. Just so we understand where I am
> coming from.
>
> It's a horrifying mish mash and a security nightmare.
>
> Now, I am sure it is possible to write secure PHP stuff, but it's just
> so damn hard that ... why bother.
>
>
> AV products are designed for running typically on windows and/or typically
> aimed at detecting windows evilling. Attempting to extend them to the
> horrible mess that is PHP is just asking for trouble. Now instead of dealing
> with "evil URLs" and "evil x86 opcodes" you would have to deal with something
> that can give a shoggoth a run for its tentacles.
>
> I don't think this is the direction AV vendors should be going in.
>
Ah, on that, I am with John.
AV didn't think it should detect Trojans. Now all malware (nearly) is
trojans. They created the Anti-Trojan industry due to this
short-sightedness.
AV didn't think it should detect spyware, and an entire industry sprung.
AV didn't think rootkits were relevant... guess what happened?
Always running after, always catching up. Always creating their own
competition until they try to rebrand themselves as general security
companies.
I had a lot to do with breaking their noses on the Trojans business, and a
bit on the rest. So I completely disregard that excuse.
Worry not--I completely understand you are giving an example and sharing a
feeling we all have about PHP, but I am using it to give one of my own.
As to PHP, a lot of the web server botnets out there used to be IIS
botnets. I am still against AV as a solution, but you get my drift. I wish
I had the URL to my old article on this handy. Maybe I will search for it
later.
Gadi.
>
> P
>
>
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
>