funsec mailing list archives

Re: Re: Malware sharing? People are full of shit [was: Get your computer viruses here!]


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 31 Dec 2005 14:17:27 +1300

Blue Boar wrote:

> Apologies to those for whom this is getting old, ...

Hey -- some of us have been pondering/debating/arguing/fighting about 
this stuff for around 15 (or more in Alan's case) years...

> ... but I think I'm 
> learning something new here...

I'm pleased to hear that, as among all the heat this topic tends to 
raise (and yes, I know I generate a lot of that myself) I'd hate it if 
the light went unseen...

> Addressed mostly to Nick and Solly.
>
> So, one part of the concern is that mr. amateur malware author will get 
> ahold of binaries and hexedit them into something new.

That's a _part_, but only a part.  For some, it is all but a show-
stopper, but they tend to be at the really extreme end of this (and you 
guys thought _I_ was at that end of this spectrum, eh??  8-) ).  For 
me, that's not a terribly big threat and probably falls close to 
"technically acceptable" (I'll skip the standard, expected lecture 
about moral acceptability here) given the rate at which it already 
happens _AND_ how we deal with it now (improved heuristic and/or 
generic detection capabilities in scanners, etc).

> But, I'm hearing that the real concern is that if binaries, source, 
> detailed analyses, etc... are posted, then the malware authors will 
> learn to write better malware?
>
> Is that the real problem?

For me that is a _major_ issue with this, for not only are samples made 
freely available, but "good quality" analysis is also available (or 
"hoped to be").  Samples are readily available to both the good and 
bad guys many other places, and while the presence of such other 
sources in no way justifies deliberately adding another "open VX" site, 
in practical terms it makes very little difference.  Equally though, 
the "thousands of good guys" Gadi and Val seem to think are starved of 
samples could just go to those other sources and slake their thirst for 
samples from them...

Another serious issue is that to be seen to be good is as important as 
to be seen to be doing good and it is hypocritical in the extreme to 
stand up saying "we genuinely want to make the Internet a better place" 
and then to make many of the tools and much of the information 
necessary for the bad guys to make it even worse freely and openly 
available to all and sundry.

As Dr Solly said, there are _many_ issues with such a project and to do 
such a project well you have to address them.  To arbitrarily decide 
"it's all too hard" (or perhaps just "I'm too lazy to bother even 
trying") is not a responsible approach and will not be supported by 
responsible folk.


Regards,

Nick FitzGerald
