funsec mailing list archives
RE: Question about Viruses
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Fri, 7 Jul 2006 13:12:15 -0400
The closest I've heard to a real case of this is that some trojans have included the Eicar test string figuring that the user could be tricked into ignoring it because it's only Eicar. Because of this there are specific rules about Eicar detection, such as that it's only supposed to be detected in files of 128 bytes or less, but I know of at least one false positive on larger files.

But for the most part massimo is right, it's a dumb strategy

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of <...>
Sent: Friday, July 07, 2006 12:53 PM
To: Dude VanWinkle; FunSec LList
Subject: Re: [funsec] Question about Viruses

did you REALLY read what you wrote before hitting return?
if you get identified as "another" virus means you ARE identified :-(
if you are identified you GO TO JAIL without collecting the money ;-)

default action: remove/disinfect
backup action: quarantine

you're dead or in jail.....

----- Original Message -----
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
To: "FunSec LList" <funsec () linuxbox org>
Sent: Friday, July 07, 2006 5:11 PM
Subject: [funsec] Question about Viruses
Has anyone heard of a virus masquerading as another virus in order to avoid detection? Well you wouldn't be avoiding detection per se, just avoiding correct identification.

How hard would it be to throw a signature for, let's say troj_stargpag.qy in your app that was really a (insert favorite/least favorite virus here)?

-JP
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
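Added example, not part of the original thread or any poster's code: a sketch of the Eicar size rule mentioned in the reply above, showing why a scanner should report "Eicar" only for a small file that is nothing but the test string, and keep scanning anything larger that merely contains it. The function name, verdict labels and sample buffers are hypothetical; the allowed padding characters are an assumption taken from EICAR's published test-file definition.

```python
# Added example: apply the Eicar size rule before calling a file "only Eicar".
# The string is built from two halves so this source file does not itself
# match a scanner's Eicar signature.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
MAX_LEN = 128                  # size limit quoted in the thread
ALLOWED_PAD = b" \t\r\n\x1a"   # assumption: padding set from EICAR's definition


def classify(data: bytes) -> str:
    """Return a verdict label (hypothetical names) for one file's contents."""
    if data.startswith(EICAR) and len(data) <= MAX_LEN:
        padding = data[len(EICAR):]
        if all(byte in ALLOWED_PAD for byte in padding):
            # Exactly the test file: safe to report as Eicar and stop.
            return "eicar-test-file"
    if EICAR in data:
        # The string is present but the file is not a valid test file.
        # Do not report it as Eicar; hand it to the normal scan engines.
        return "contains-eicar-scan-fully"
    return "no-eicar"


# Constructed sample buffers (not real malware, no real file formats).
SAMPLES = {
    "bare test string": EICAR,
    "test string + CRLF": EICAR + b"\r\n",
    "padded to 128 bytes": EICAR + b" " * (MAX_LEN - len(EICAR)),
    "padded to 129 bytes": EICAR + b" " * (MAX_LEN - len(EICAR) + 1),
    "string followed by other bytes": EICAR + b"\x90\x90\x90\x90",
    "string buried in a large file": b"\x00" * 4096 + EICAR + b"\x00" * 4096,
    "unrelated content": b"hello funsec",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:34} {len(blob):5d} bytes -> {classify(blob)}")
```

The middle verdict is the case the reply describes: the test string is present, but the file is too large or has extra content, so it must not be dismissed as a harmless test file.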
Current thread:
- Question about Viruses Dude VanWinkle (Jul 07)
- Re: Question about Viruses <...> (Jul 07)
- RE: Question about Viruses Larry Seltzer (Jul 07)
- RE: Overloading AV software, was Question about Viruses Richard M. Smith (Jul 07)
- RE: Overloading AV software, was Question about Viruses Drsolly (Jul 07)
- RE: Overloading AV software, was Question about Viruses Richard M. Smith (Jul 07)
- Re: Overloading AV software, was Question about Viruses Dude VanWinkle (Jul 07)
- Re: Overloading AV software, was Question about Viruses Drsolly (Jul 07)
- Re: Overloading AV software, was Question about Viruses Dude VanWinkle (Jul 07)
- Re: Question about Viruses Peter Kosinar (Jul 07)
- Re: Re: Question about Viruses Drsolly (Jul 07)
- Re: Re: Question about Viruses Peter Kosinar (Jul 07)
- Re: Re: Question about Viruses Valdis . Kletnieks (Jul 07)
- RE: Question about Viruses Larry Seltzer (Jul 07)
- Re: Question about Viruses <...> (Jul 07)