funsec mailing list archives
RE: Overloading AV software, try #2
From: Drsolly <drsollyp () drsolly com>
Date: Fri, 7 Jul 2006 22:10:24 +0100 (BST)
On Fri, 7 Jul 2006, Richard M. Smith wrote:
> My question is about overloading the user with warning messages, not DoSing a box. Let me try asking my question a different way. If an AV software package suddenly sees 200 virus files being written to a hard drive, will it present to the user 200 individual warning messages about these virus files?
Yes. But why would this be a problem?
> Richard
>
> -----Original Message-----
> From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
> Sent: Friday, July 07, 2006 4:18 PM
> To: Richard M. Smith
> Cc: 'FunSec LList'
> Subject: Re: [funsec] Overloading AV software, was Question about Viruses
>
> On Fri, 07 Jul 2006 13:34:08 EDT, "Richard M. Smith" said:
> > > But for the most part massimo is right, it's a dumb strategy
> >
> > Hmm, what if the bad guys overloaded a user with virus warning messages as a strategy to get people to turn off their AV software. For example, could a Web page download a few hundred image files with known virus signatures tacked on the end of each file in order to make AV software go nuts? Could the same trick be used in an HTML email message?
>
> The system just goes 'Oink' or maybe casters-up. The basic idea of using a fork bomb or other resource consumer to DoS a box has been known since the mid 60s, not exactly news here.. ;)
>
> The system will either eventually scan all the content or bomb out - I don't know of *anybody* who has a product so brain dead that it will say "Wow, I've got 48 waiting to be scanned, let's just start giving them a free pass so I don't fall behind" (if anybody knows of one that bad, please name names so we can add some chlorine to the AV gene pool...)
>
> We had a nasty run-in with some malware that nested its zip payload down under multiple levels of MIME. Seems when it was more than 99 levels down, things got wonky and piggy. And even more wonky and piggy when you had several thousand of the beasts in the queue. (Yes, we whinged at the vendor, and they sent us a patch to make it a lot less a bacon source...)
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
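The deeply nested archive Valdis describes (a payload buried more than 99 levels down, thousands of copies queued) is a resource-exhaustion case for any recursive scanner, and the usual fix is the one his vendor's patch presumably applied: bound the recursion and the total work before it is spent, and return a verdict of "refused" rather than grinding. The following is an added illustration written for this archive page, not code from any product or poster in the thread. It builds a nested zip in memory (constructed sample data), then scans it with a depth, entry-count and decompressed-byte budget; the limits, the budget-class name and the marker string `CONSTRUCTED-SAMPLE-SIGNATURE` are all assumptions, and the marker is not a real detection string.

```python
import io
import zipfile
from typing import Optional

# Assumed policy limits for the scanner; real products tune these per deployment.
MAX_DEPTH = 16          # stop recursing once an archive is nested deeper than this
MAX_ENTRIES = 10_000    # total members examined across the whole nested tree
MAX_BYTES = 50_000_000  # total decompressed bytes across the whole nested tree

# Constructed marker standing in for a signature; deliberately not a real one.
SIGNATURE = b"CONSTRUCTED-SAMPLE-SIGNATURE"


def build_nested_zip(depth: int, payload: bytes) -> bytes:
    """Construct a zip nested `depth` levels deep with `payload` at the innermost level.

    Used here only to generate sample input; a depth of 120 reproduces the
    "more than 99 levels down" shape from the thread.
    """
    blob = payload
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            name = f"level{level}.zip" if level else "payload.bin"
            zf.writestr(name, blob)
        blob = buf.getvalue()
    return blob


class ScanBudget:
    """Work counters shared across the whole recursive scan of one input."""

    def __init__(self) -> None:
        self.entries = 0
        self.bytes = 0


def scan(blob: bytes, depth: int = 0, budget: Optional[ScanBudget] = None) -> str:
    """Return 'infected', 'clean' or 'rejected:<reason>'.

    The recursion is bounded by depth and by a shared budget, so a pathological
    archive is refused with a reason instead of consuming unbounded CPU/memory.
    A refusal is a distinct verdict: it is never silently treated as clean.
    """
    budget = budget or ScanBudget()
    if depth > MAX_DEPTH:
        return f"rejected:depth>{MAX_DEPTH}"
    if SIGNATURE in blob:
        return "infected"
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return "clean"
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                # Charge the budget before decompressing, using the header's
                # claimed size, so an oversized member is refused up front.
                budget.entries += 1
                budget.bytes += info.file_size
                if budget.entries > MAX_ENTRIES:
                    return "rejected:too_many_entries"
                if budget.bytes > MAX_BYTES:
                    return "rejected:too_many_bytes"
                verdict = scan(zf.read(info), depth + 1, budget)
                if verdict != "clean":
                    return verdict
    except zipfile.BadZipFile:
        return "rejected:malformed"
    return "clean"


if __name__ == "__main__":
    print(scan(build_nested_zip(3, b"hello")))          # clean
    print(scan(build_nested_zip(3, SIGNATURE)))         # infected
    print(scan(build_nested_zip(120, SIGNATURE)))       # rejected:depth>16
```

The point of returning a separate `rejected:` verdict is the one Valdis makes about "free passes": an input the scanner declines to finish must surface as something the caller can quarantine or alert on, not fall through to "clean" because the queue was busy.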
Current thread:
- Re: Overloading AV software, try #2, (continued)
- Re: Overloading AV software, try #2 Dude VanWinkle (Jul 07)
- RE: Overloading AV software, try #2 Drsolly (Jul 07)
- Re: Overloading AV software, try #2 Valdis . Kletnieks (Jul 07)
- Re: Overloading AV software, try #2 Dude VanWinkle (Jul 07)
- Re: Overloading AV software, try #2 Peter Kosinar (Jul 07)
- Re: Overloading AV software, try #2 Dude VanWinkle (Jul 07)
- Re: Overloading AV software, try #2 Drsolly (Jul 08)
- Re: Overloading AV software, try #2 Valdis . Kletnieks (Jul 07)
- Re: Overloading AV software, try #2 Valdis . Kletnieks (Jul 07)
- RE: Overloading AV software, try #2 Peter Kosinar (Jul 07)
- RE: Overloading AV software, try #2 Drsolly (Jul 07)
- Re: Overloading AV software, was Question about Viruses Dude VanWinkle (Jul 07)
- Re: Overloading AV software, was Question about Viruses Valdis . Kletnieks (Jul 07)
- Re: Question about Viruses Peter Kosinar (Jul 07)
- Re: Question about Viruses Drsolly (Jul 07)
- Re: Question about Viruses Peter Kosinar (Jul 07)
- Re: Question about Viruses Drsolly (Jul 07)