Thursday, March 31, 2005

scanner decrepitude

a question that just keeps coming back is whether or not it's ok to use an old scanner if you apply the latest signature updates to it... this seems especially popular for NAV, and especially for NAV2002 (symantec take note, you were obviously doing something really well that year, maybe you should go back to that)...

the answer, of course, is no it's not ok... older scanning engines can't make proper, effective use of newer signatures so if you try this you won't be getting the full benefit you could be getting from an anti-virus product...

let's examine why... as new viruses are written, new techniques to confound anti-virus products are employed and so the anti-virus scanning engines need to be updated... it's not enough to just create new signatures, signatures only tell the scanner what to look for not how to look for it...

some people think this is fiction, but some people also believe the earth is flat... it's a demonstrable fact that over time older scanning technologies become obsolete and need to be replaced - the scanning engines in use before polymorphic viruses hit the scene were completely incapable of dealing with polymorphics, and the same goes for macro viruses... those are the extreme examples; there are less critical circumstances where modifying the scanning technology is simply preferable, where the existing technology could have done at least part of the job but a change in the engine is needed to get optimal detection performance...

of course they keep the engine backwards compatible so that it can use all (or at least most) of the old signatures, but there's no such thing as forwards compatibility - older scanning engines can't make proper use of new signatures written to take advantage of the capabilities of newer engines...

as such, you have to keep your scanner engines up to date as well as the signature databases in order to get the full protection the product is supposed to be capable of...
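here's an added illustration of the point (my own toy, not code from any real product)... it's a constructed signature file where each entry records the engine generation that introduced the matching technique it relies on, and the same file is loaded into three engine generations... the format, names and samples are all made up for the demo...

```python
import re
import zlib

# Constructed toy signature database (not a real AV format). Each entry says
# which engine generation introduced the technique it needs:
#   1 = literal byte string, 2 = wildcard pattern, 3 = look inside a packed layer
SIGNATURES = [
    {"name": "toy.a", "kind": "literal",  "min_engine": 1, "pattern": b"EVIL-A"},
    {"name": "toy.b", "kind": "wildcard", "min_engine": 2, "pattern": rb"EVIL-B-..-END"},
    {"name": "toy.c", "kind": "packed",   "min_engine": 3, "pattern": b"EVIL-C"},
]

def _unpack(data: bytes) -> bytes:
    """Engine >= 3 capability: peel a zlib layer if there is one, else return data."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return data

def scan(data: bytes, engine_version: int, signatures=SIGNATURES) -> list[str]:
    """Return the names of signatures that fire on `data` under a given engine.

    An engine older than a signature's technique still loads the entry, but the
    only thing it knows to do with the pattern bytes is a literal search: the
    signature says what to look for, the engine decides how to look for it.
    """
    hits = []
    for sig in signatures:
        kind = sig["kind"] if engine_version >= sig["min_engine"] else "literal"
        if kind == "literal":
            found = sig["pattern"] in data
        elif kind == "wildcard":
            found = re.search(sig["pattern"], data, re.DOTALL) is not None
        else:  # "packed": look through the compression layer first
            found = sig["pattern"] in _unpack(data)
        if found:
            hits.append(sig["name"])
    return hits

# Constructed samples, one per signature generation.
SAMPLE_A = b"...header... EVIL-A ...trailer..."
SAMPLE_B = b"...header... EVIL-B-42-END ...trailer..."
SAMPLE_C = zlib.compress(b"...unpacked body... EVIL-C ...trailer...")

def coverage(engine_version: int) -> dict[str, list[str]]:
    """What each engine generation catches with the SAME signature file loaded."""
    return {name: scan(s, engine_version)
            for name, s in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C))}

if __name__ == "__main__":
    for v in (1, 2, 3):
        print(f"engine v{v}: {coverage(v)}")
```

the v1 engine happily loads all three signatures and still only catches sample A; the signatures were there, the ability to use them wasn't...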

Monday, March 28, 2005

funny business

having one blog is good... having 2 blogs is bad... so says whatever universal process/concept/thing it is that makes me post entries to the wrong blog...

Saturday, March 26, 2005

let's be part of the problem

DVForge - Virus Prize 2005
what the hell are these people thinking, offering to pay people to write viruses for the mac and spread them in the wild? like virus writers don't already have enough motivation to write and spread viruses - especially when it comes to being the first one for a new platform or the first one in the wild for a new platform... those sorts of things already make them (in)famous...

these folks have clearly had a break from our ethical reality - you do not need a proof of concept virus to prove viruses can spread on the mac - mac OS X is basically a form of unix and the very first viruses that fred cohen wrote when doing his seminal work on viruses back in the '80s worked on unix systems... and they did work, they spread on production systems...

come on, folks - all general purpose computing platforms are susceptible to viruses... all of them... it's been proven - and i don't mean the way you prove things in court with evidence, because there will always be new platforms for which there is no evidence yet... i mean it's been proven on paper with logic - the only facilities a virus needs are those that are already present in the definition of a general purpose computer...

these people are not solving any real problem by offering a reward to virus writers for writing yet more viruses (and you know damn well there are going to be a lot more viruses written than rewards handed out)... all they are doing is making virus spreading (because you do need to spread your virus so that it makes its way onto the target systems naturally in order to get the reward) seem more legitimate by wrapping it up like it's some sort of good deed that puts a set of misconceptions by uninformed people to bed... the fact is that they are soliciting behaviour that is illegal under canadian law (criminal mischief pertaining to data) as well as laws in a variety of other countries that have unauthorized-access-related legislation...

john mcafee reputedly paid for virus collections and thus became a pariah in the anti-virus industry for supplying virus writers with financial motivation to write viruses... these people here are supplying financial motivation to write & spread viruses and that absolutely contributes to the problem, rather than the solution... these people are not interested in the greater good, they're only interested in making a name for themselves and they don't care how much damage they cause in the process...

update 5:30pm: well, that was quick... seems a lot of people contacted the guy in charge and convinced him to stop the contest... hurray!... now let's move on...

Sunday, March 13, 2005

rootkits for windows

this page tries to explain what rootkits are and the emerging threat they pose for the windows platform...

that's all well and good but there's something that just doesn't sit well with me... let's take a closer look:
The term rootkit is very old and is dated back to the days when UNIX ruled the world. Rootkits for the UNIX operating system were typically used to elevate the privileges of a user to the root level (=administrator). This explains the name of this category of tools.

i like this explanation... it's simple, it's consistent, it makes sense.... a rootkit is a tool used to gain root (*nix speak for administrator) privileges...
Rootkits for Windows work in a different way and are typically used to hide malicious software from for example an antivirus scanner. Rootkits are typically not malicious by themselves but are used for malicious purposes by viruses, worms, backdoors and spyware. A virus combined with a rootkit produces what was known as full stealth viruses in the MS-DOS environment.

now this is not so good... apparently rootkits for windows don't really have anything to do with giving a principal administrative privileges... they do a bunch of the other things their unix counterparts do (i.e. they use sophisticated techniques to hide) but there's no elevation of privilege...

does that make sense to you?

if i take the self-replication out of a virus, regardless of the fact that it can still do all the other things it used to be able to do, it is no longer a virus...

why then if i take the root granting functionality out of a rootkit does it remain a rootkit?

it doesn't seem to make a lot of sense, it is not logically consistent... by rights, what they're calling rootkits for windows should be called (in keeping with the spirit of the rootkit name) stealthkits...

now, this was an f-secure description so you may well be thinking that maybe those f-secure folks are a little confused... but no, if that were the case then why does sophos also seem to think that rootkits are more about hiding than they are about privilege elevation (which they don't even mention)... and then there's sysinternals' explanation of rootkits which also focuses on hiding rather than privilege elevation...

this seems like it might actually be industry wide, in which case i can just sit here in awe and wonder because the industry appears to be from a completely different planet than you and me...

Wednesday, March 09, 2005

update from crazyworld

so guess what - Publishing exploit code ruled illegal in France...

guillermito will have to pay 5,000 euros if he publishes security vulnerabilities again... that's right, security research is basically illegal in france now so don't you be making fun of any of those french products that really, really suck...

but wait, there's more (there always is with this case)... if you read this article you'll see that tegam is defending its actions by saying that guillermito's claims are false and his motives questionable... ooops! if his claims are false then the exploits he supposedly published must not actually exploit weaknesses in the product - in which case he didn't publish exploits, only defamatory material, in which case tegam's current claims against him are baseless... but since a court of law agreed with tegam's claims they must not be baseless, in which case the exploits are real, in which case his claims are true rather than false... you can't have your cake and eat it too, tegam...

i swear this company must be run by untrained monkeys...

legality of virus writing

someone at f-secure is clearly frustrated...

how many times have i seen someone say that virus writing should be illegal? i don't know, i've lost count it's been said so many times... i'm sure it probably seems entirely reasonable too... except wait, oh my goodness, it's not!...

huh? what am i talking about? i'm talking about the fact that enforcing such a law would be an unprecedented contravention of fundamental human rights...

let's face facts - abstracted from all other related activities, simply writing a virus is analogous to writing in a personal journal... it's a matter of freedom of thought and as such one of the most fundamental freedoms there is... it doesn't affect anyone until the writer tries to communicate his/her idea to others... if i write a virus and no one else ever sees it, have i contributed to the virus problem? if i utter a racial slur and no one's around to hear it, have i offended a minority group? no on both counts... what i do in the privacy of my own home or the privacy of my own computer should be of no concern to anyone else...

if you're going to outlaw something, outlaw something that actually causes a problem... outlaw spreading viruses, maybe even outlaw publishing viruses (see here for why full disclosure shouldn't be usable as a valid argument against such free speech limitations), but keep the thought police out of the picture...

that's important so i'll repeat it - outlawing virus writing would be a contravention of a person's freedom of thought, keep the thought police out of the picture...