
Virii, all bad or some good

  • 04-02-2004 11:54am
    #1
    Registered Users Posts: 427 ✭✭


    Are all Virii bad? I don't think so. They help us discover the flaws we have in our security systems. It's a challenge to keep your system totally secure and problem free, but we all know that's impossible. I love the challenge to try and break security systems, as well as try to make mine as secure as possible.

    Would like to hear feedback ! ! !


Comments

  • Registered Users, Registered Users 2 Posts: 16,413 ✭✭✭✭Trojan


    (Will probably move to Security, depending on where this goes. A bit too script kiddie for my liking).

    FYI the plural of virus is "viruses", not "virii".

    --

    It's rare to find a benign virus, and even then the fact of replication can be construed as a negative effect.


  • Closed Accounts Posts: 9,314 ✭✭✭Talliesin


    Originally posted by Saviour_Angel
    They help us discover the flaws we have in our security systems.
    No they don't.
    The vast majority of malware operates on a mechanism of having the ignorant or stupid run them (ignorant the first time you do that, stupid the next).
    A minority do actually crack the security of a system, but rarely do so in a way that highlights anything new, and if they do then the little ****e who wrote the malware could have just written a bug report instead.

    The rest of us suffer from being Spammed by the bloody things, or being Spammed by "helpful" idiots who send us warnings about them.
    Originally posted by Trojan
    FYI the plural of virus is "viruses", not "virii".

    And the plural of "box" is "boxes" not "boxen", but the latter's okay as a joke.


  • Registered Users, Registered Users 2 Posts: 16,413 ✭✭✭✭Trojan


    Originally posted by Talliesin

    And the plural of "box" is "boxes" not "boxen", but the latter's okay as a joke.

    True. I just don't find "virii" amusing, it's one of my pet hates :)


  • Registered Users, Registered Users 2 Posts: 5,982 ✭✭✭Caliden


    you can never stop mailbombs into your company's inbox.
    as it just takes 5 minutes to make a hotmail account and you can't stop all hotmail accounts from sending you mails so the only way you can protect yourself fully is to go back to pen and paper :D


  • Closed Accounts Posts: 7,230 ✭✭✭scojones


    Viruses don't help anything. Because of idiotic tendencies of Bill Gates and his followers, there exists a huge market of anti-virus companies out there, making a fortune from the idiots (by idiots I mean average windows user). Viruses help nobody. I don't believe for a second that they make people more security conscious. If you are using windows, then how hard is it to disable java / activex, to not open ANY attachments you get, and to only give your email address to people with a clue, who don't have idiots in their mailing list. There are basic rules that any Tom, Dick and Harry /should/ be able to follow, but evidently they cannot. People are idiots. End of story.


  • Registered Users, Registered Users 2 Posts: 32,417 ✭✭✭✭watty


    Originally posted by Caliden
    you can never stop mailbombs into your company's inbox.
    as it just takes 5 minutes to make a hotmail account and you can't stop all hotmail accounts from sending you mails so the only way you can protect yourself fully is to go back to pen and paper :D

    Of course the hotmail is blocked on our server. (incoming messages or outgoing users)

    Also most web based mail services

    Our users email clients can ONLY connect to the Company Mail Server.

    It successfully stopped every new virus since it was installed 5 years ago (some upgrades etc since).

    Mostly these were NOT on Norton till later!

    It stops the viruses I haven't thought of yet. (I mean I haven't thought of someone ELSE writing).

    It also stops 90% of the ordinary nonsense that should be illegal on Email.


    Viruses are NO help at all to improving security. IF you find a flaw it can be communicated and fixed without a virus being written.

    Security is mainly improved by DESIGN, not examination, and good configuration, not just sticking CD in and Clicking Next.

    Firewalls properly done help too.

    Only one MS vulnerability in last 4 years was a risk here, and we use IIS, SQL, Win NT4, Win Xp and Internet Explorer. It was a DOS on our web server and patched. All the other issues have been non-issues due to good configuration of Wingate (again in default settings it can REDUCE your security).


    Virus writers are as useful as a tyre slasher showing you should have locked the car in the Garage.

    Mind you on Email propagation I largely blame IT Admins and users if we have to blame anyone.

    The ONLY reason for "My Doom" spread is there are STILL millions of idiots that open attachments without knowing what they are doing.

    Is a ZIP file with contents
    "Document.doc                                                                                              .exe"
    

    suspicious or what? Our email server with simple text rules quarantined it, but Norton said it was fine.

    HINT: If your Browser window is narrow scroll right, If it is wide, make it narrow!

    I believed my own common sense (and my mail server content rules!)

    I can't believe the number of PCs with "hide file extensions" turned on either.

    Solaris, Linux and UNIX are no more immune or secure. I visit CIAC security site, often only one MS is listed among all the Cisco, Linux, Solaris etc problems!

    MAC? Well you are a bit safe using something only 5% worldwide use as it is less likely to be targeted. But it has almost no security at all, worse than Win95. It's just the Virus writers don't bother!
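
The kind of mail-server content rule watty describes above (quarantining a ZIP whose member is named like "Document.doc", a long run of spaces, then ".exe"), sketched as an added example that is not part of the original thread or of any product named in it. The extension lists, the three-space threshold and the function names are assumptions chosen for illustration; the sample ZIP is constructed in memory with harmless text content.

```python
import io
import re
import zipfile

# Assumed lists for illustration; a real mail gateway would carry longer ones.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".doc", ".txt", ".pdf", ".jpg", ".htm", ".xls"}
PADDING = re.compile(r"\s{3,}")  # whitespace run that pushes the real extension out of view


def check_name(name):
    """Return the list of reasons a file name looks deceptive (empty if none)."""
    reasons = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, last = base.rpartition(".")
    final_ext = (dot + last).lower().strip() if dot else ""
    if final_ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + final_ext)
        # A document-like extension just before the real one (ignoring the
        # padding) is a decoy, as in "Document.doc      .exe".
        inner = stem.rstrip()
        inner_ext = "." + inner.rpartition(".")[2].lower() if "." in inner else ""
        if inner_ext in DECOY_EXTS:
            reasons.append("decoy extension " + inner_ext + " before " + final_ext)
    if PADDING.search(base):
        reasons.append("whitespace padding inside file name")
    return reasons


def scan_zip(data):
    """Map each deceptive member name in a ZIP (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            reasons = check_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample: harmless text stored under the names to be tested."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Document.doc" + " " * 90 + ".exe", b"harmless placeholder")
        archive.writestr("minutes.doc", b"harmless placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()).items():
        print(repr(name), "->", "; ".join(reasons))
```

The check looks only at member names, so it works without any signature for the payload, which is why a rule like this can fire before an anti-virus update exists.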


  • Registered Users Posts: 427 ✭✭Saviour_Angel


    I was thinking would it be possible to create a virus that destroys any other harmful code on a computer. I know that it's just a dream and very unlikely ! ! !


  • Closed Accounts Posts: 9,314 ✭✭✭Talliesin


    Originally posted by Saviour_Angel
    I was thinking would it be possible to create a virus that destroys any other harmful code on a computer. I know that it's just a dream and very unlikely ! ! !
    RTM claimed the Morris worm wasn't meant to do any harm, look what happened there. (Okay, so it isn't 1988 any more, and malware tends not to be quite as devastating, but that's only because of measures that would also limit the effects of your suggestion).

    It's been suggested a few times before, but really it's a very very bad idea. Having unknown software perform unknown operations that affect your security set-up in unknown ways is not a recipe for a more secure system.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    I'd say 99.9% of viruses are a waste of time, and show nothing new.
    However I do think some have a positive impact, ironically.
    Before I get all sarcastic..

    I see viruses such as the first anti-debug, polymorphic & metamorphic viruses,
    compressed and EPO(Entry Point Obscuring), encrypted pe files as innovative programming.
    Truly only skilled programmers can achieve.

    Why do I think this? because if you understand how the good stuff works, you can
    see the benefits of such software to you if you are
    a commercial software developer..and the research
    done by these virus coders costs you how much? nothing
    at all..

    When I say virus coders, I don't mean those idiots that
    create scripts, and worms exploiting buffer overflows,
    although they have positive impact too..on the actual
    company creating insecure software or software to
    get rid of it..you see, I've thought of everything :P

    The argument has been used all the time by security
    consultants, so I'm just agreeing with them..just
    reiterating what they say..yes, they are very rich :)

    Yesh, I think viruses are good for business.
    depends what business you're in..hehe
    It's a bit like when a country goes to war, ironically
    there can be benefits from destruction.
    just depends what country is being bombed..

    Jobs to develop weapons..etc.

    Perhaps the good virus coders should be redefined as something else.

    And the idea of a virus which patches systems has been discussed
    and would work, but not without legal issues and crying from
    stupid privacy groups that do nothing to solve a problem
    but moan anyway, cause they like to ;P

    If you have a software program, and you require your customer
    to enter registration data..such as username and serial number.

    How are you going to stop joe cracker from reverse engineering
    your software and creating his own key generator?

    Well, that's where all that virus technology comes in.


  • Closed Accounts Posts: 9,314 ✭✭✭Talliesin


    Originally posted by Average Joe
    I see viruses such as the first anti-debug, polymorphic & metamorphic viruses,
    compressed and EPO(Entry Point Obscuring), encrypted pe files as innovative programming.
    Truly only skilled programmers can achieve.

    Why do I think this? because if you understand how the good stuff works, you can
    see the benefits of such software to you if you are
    a commercial software developer..and the research
    done by these virus coders costs you how much? nothing
    at all..

    Nobody is stopping them from writing a paper, indeed they'd even get kudos and further their careers if they did that instead of unleashing malware.
    The argument has been used all the time by security
    consultants, so I'm just agreeing with them..just
    reiterating what they say..yes, they are very rich :)
    And countered all the time by more security consultants.
    Yesh, I think viruses are good for business.
    depends what business you're in..hehe
    It's a bit like when a country goes to war, ironically
    there can be benefits from destruction.
    just depends what country is being bombed..
    Sure, if someone invades Ireland of course we should **** them up, that's not a matter of malware being good though, it's a matter of it getting in our enemies' way, hopefully more than it gets in ours.
    It would be great if Hitler had suffered a fatal brain tumour at the age of 18, but that doesn't make fatal brain tumours killing young men a Good Thing.
    And the idea of a virus which patches systems has been discussed
    and would work,

    No they wouldn't. There can be enough issues with patches that are applied manually by a trained admin who knows the system in question, never mind one applied blindly by software which cannot be recalled.
    but not without legal issues and crying from
    stupid privacy groups that do nothing to solve a problem
    but moan anyway, cause they like to ;P

    That is frankly bull****. I don't fully support the extreme ends of the "privacy" cause, but I have to admit that their ranks contain a large number of people who have done a lot of work on just these issues, often without a view to reward.
    If you have a software program, and you require your customer
    to enter registration data..such as username and serial number.

    How are you going to stop joe cracker from reverse engineering
    your software and creating his own key generator?

    Well, that's where all that virus technology comes in.

    Okay, you've given us a problem and a solution, but no explanation as to how the solution stops, or at all relates to, the problem.


  • Closed Accounts Posts: 9,700 ✭✭✭tricky D


    back in the blurry days before the interweb took off ~91, we used to do test virus runs on various networks in one of Ireland's largest resellers. Can't remember the exact details but the payloads were benign, spread confined and mainly targeted (at the time) at combating mf wordy macro rhubarb which was a la mode at the time. Haven't heard of anyone using test viruses since tho google does have refs. I suppose test virus good cos it ain't a proper virus in the first place.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,986 Mod ✭✭✭✭Capt'n Midnight


    Originally posted by Saviour_Angel
    I was thinking would it be possible to create a virus that destroys any other harmfull code on a computer. I know that it's just a dream and very unlikly ! ! !
    This proves your argument is totally groundless - you seem to be ignorant of NACHI or how at times it was causing more denial of service than MSBLASTER. so either a Troll or a script kiddie wanna be.

    Re challenge etc. - it's just being anti-social - any muppet can break windows - up until about six months ago opposable thumbs seemed to be the only prerequisite. And just like kids throwing stones - what use is breaking windows - doesn't prove anything. Breaking in to a house when a window is open doesn't make you a master safe cracker - just makes you a thief and upsets the honest law abiding citizens.

    re: test viruses - look up eicar


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Nobody is stopping them from writing a paper, indeed they'd even get kudos and further their careers if they did that instead of unleashing malware.

    Many papers have been written on certain subjects..its all there if you want
    to read it, however most people won't and after many years still don't
    understand it.

    I read a little bit of an article by the author of the first metamorphic
    virus...it went way over my head because I had no understanding
    of rebuilding PE files, how to create disassemblers or polymorphic code which is
    essential to making metamorphism work.

    And I know from reading other articles of the same author in the
    past, that it took him years to understand what he does,
    something I can't..I don't believe any human can do from reading
    one paper on the subject.
    His metamorphic engine was over 10,000 lines of assembly.

    If he (Mental Driller/29a) hadn't have released MetaPHOR.. just gave everyone
    the article itself, then...probably some would have said it couldn't be done.
    Also, even if people thought it possible, how the hell could they get their
    heads around what he is talking about without years of studying what
    he himself knows already..?

    And why would they want to create metamorphic code in the first place?

    No they wouldn't. There can be enough issues with patches that are applied manually by a trained admin who knows the system in question, never mind one applied blindly by software which cannot be recalled.

    I don't know what the issues are as I am not a trained admin.
    But my idea of patching wasn't replacing the executable, but a piece
    of code inside the executable, fixing the PE file accordingly.
    I know of a few virus writers/crackers who would know how easy it would be to replace an API such as lstrcpy with lstrcpyn inside a program.

    I'm sure it could work in some scenarios, if the patch was written properly
    of course.
    That is frankly bull****. I don't fully support the extreme ends of the "privacy" cause, but I have to admit that their ranks contain a large number of people who have done a lot of work on just these issues, often without a view to reward.

    Well, I don't know of what they have done.
    They haven't done anything for me personally.

    If it's arguments about crypto they are winning, are they really
    winning anything that we haven't already got?


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,986 Mod ✭✭✭✭Capt'n Midnight


    Originally posted by Average Joe
    I read a little bit of an article by the author of the first metamorphic virus..

    To set a value to zero you can use different instructions.
    SUB A,A
    XOR A,A
    MOV A,0
    MUL A,0
    MUL 0,A

    or code to do stuff like
    ADD A,-A / MOV 0,B MOV B,A / SWP 0,A etc. etc.

    It was used to try to evade anti virus programs because since the exact code to carry out an instruction could change you couldn't just use string searches to test for viruses. - Shortly afterwards the fix was that the coding engine in the virus had to be kept relatively constant - and they simply scanned for it.

    No useful purpose (it might be possible to use polymorphic code to reduce Zipped program size but that's the job of the compiler)

    Walking down mainstreet with an AK-47 and taking pot shots at people with rubber bullets will test if they have flak jackets on. - BUT there will be casualties from freak bounces and besides it's hard to go about your life when you have to duck and cover 'cos of some nutjob. And I'll say it again the motorists can just drive away - you are only affecting pedestrians.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,986 Mod ✭✭✭✭Capt'n Midnight


    http://www.theregister.co.uk/content/56/35524.html
    Nachi variant wipes MyDoom from PCs

    Sounds good - ?

    http://www.theregister.co.uk/content/56/35516.html
    The worm will stop packeting SCO and cease spreading from infected machines following the first system reboot after 02:28:57 GMT today actually yesterday 12-2-04. It will continue to spread from machines whose system clock is set incorrectly so what we'll see is MyDoom-A tailing off to background noise levels rather than disappearing entirely.

    So the supposedly "good" virus is a bit like a snow plough in July - a wee bit late to be anything other than a nuisance (also it uses the MsBlaster hole - any PC with that has probably either been patched or hijacked at this stage ?)


  • Registered Users Posts: 427 ✭✭Saviour_Angel


    hey the "good virus" was just an idea....
    there's no harm in dreaming is there ?


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Yeah, I know how it all works in theory, and its purpose, what I couldn't understand, and probably because I don't have much interest in the subject of polymorphism
    is how to do it.
    What I couldn't get my head around was creating the actual algorithms.

    I know of the different ways in which you can set registers to particular
    values, but what you have to remember is that metamorphism has
    to deal with API addresses, API hash tables..actual ASCII strings..etc
    Which can't be changed at all..otherwise it wouldn't work.

    Polymorphism simply changed the structure of an encryption/decryption routine.
    Metamorphism changes the code structure of not just the cipher algo, but
    also the program which runs..very difficult.

    Way over my head.

