funsec mailing list archives

RE: Overloading AV software, try #2


From: Drsolly <drsollyp () drsolly com>
Date: Fri, 7 Jul 2006 22:10:24 +0100 (BST)

On Fri, 7 Jul 2006, Richard M. Smith wrote:

My question is about overloading the user with warning messages, not DoSing
a box.  Let me try asking my question a different way.  If an AV software
package suddenly sees 200 virus files being written to a hard drive, will it
present to the user 200 individual warning messages about these virus files?

Yes. But why would this be a problem?
 
Richard 

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
Sent: Friday, July 07, 2006 4:18 PM
To: Richard M. Smith
Cc: 'FunSec LList'
Subject: Re: [funsec] Overloading AV software, was Question about Viruses

On Fri, 07 Jul 2006 13:34:08 EDT, "Richard M. Smith" said:
But for the most part massimo is right, it's a dumb strategy 

Hmm, what if the bad guys overloaded a user with virus warning messages as a
strategy to get people to turn off their AV software.  For example, could a
Web page download a few hundred image files with known virus signatures
tacked on the end of each file in order to make AV software go nuts?  Could
the same trick be used in an HTML email message?

The system just goes 'Oink' or maybe casters-up.  The basic idea of using
a fork bomb or other resource consumer to DoS a box has been known since
the mid 60s, not exactly news here.. ;)  The system will either eventually
scan all the content or bomb out - I don't know of *anybody* who has a product
so brain dead that it will say "Wow, I've got 48 waiting to be scanned, let's
just start giving them a free pass so I don't fall behind" (if anybody knows
of one that bad, please name names so we can add some chlorine to the AV gene
pool...)

We had a nasty run-in with some malware that nested its zip payload down under
multiple levels of MIME.  Seems when it was more than 99 levels down, things
got wonky and piggy.   And even more wonky and piggy when you had several
thousand of the beasts in the queue. (Yes, we whinged at the vendor, and they
sent us a patch to make it a lot less a bacon source...)
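A bounded MIME walk of the kind the nesting anecdote argues for, as an added example that is not code from this thread or from any vendor's scanner. The depth cap of 16 is an assumed policy value, and the zip bytes are a constructed placeholder, not a real archive.

```python
# Added example: walk a MIME message with an explicit nesting-depth cap, so a
# payload buried under dozens of multipart wrappers is refused early instead
# of being parsed open-ended (the "99 levels down" case from the thread).
from email.message import EmailMessage

MAX_MIME_DEPTH = 16  # assumed policy value, not from the thread


def build_nested_message(levels: int) -> EmailMessage:
    """Construct a test message: `levels` multipart/mixed wrappers around one
    application/zip attachment (constructed placeholder bytes, not an archive)."""
    inner = EmailMessage()
    inner.set_content(b"PK\x03\x04 constructed placeholder, not a real archive",
                      maintype="application", subtype="zip",
                      filename="payload.zip")
    for _ in range(levels):
        outer = EmailMessage()
        outer.make_mixed()
        outer.attach(inner)
        inner = outer
    inner["Subject"] = "nested test"
    return inner


def walk_bounded(msg: EmailMessage, max_depth: int = MAX_MIME_DEPTH) -> dict:
    """Iterative (non-recursive) walk over MIME parts that stops as soon as a
    part sits deeper than `max_depth`. Returns a summary: leaf parts reached,
    deepest level seen, and whether the cap was hit. A refused message should
    be quarantined or rejected as a whole rather than unpacked further."""
    stack = [(msg, 0)]
    leaves = 0
    deepest = 0
    refused = False
    while stack:
        part, depth = stack.pop()
        deepest = max(deepest, depth)
        if depth > max_depth:
            refused = True
            break  # stop spending scanner time on this message
        if part.is_multipart():
            for sub in part.iter_parts():
                stack.append((sub, depth + 1))
        else:
            leaves += 1
    return {"leaves": leaves, "deepest": deepest, "refused": refused}
```

A 5-level message walks to its single zip leaf; a 120-level one is refused at level 17 with no leaf ever opened.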

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.



