Security Incidents mailing list archives
Re: The sky is falling, or so I am told.
From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Wed, 1 Aug 2001 08:58:10 +1200
Pluto <pluto () stderr de> wrote:
has someone tried to change the date on an infected system to see if he realy starts again?
Indeed, people have done this, but there are gotchas because of the various *different* sleep states that threads go into in different parts of the code. Unwary "testing" of this kind can easily lead to the wrong answer, as it alreay has for several high-profile security experts and I'm sure is at least part of the cause for why some experts say "the worm can wake up -- we have seen it in the lab" and why other experts are saying "in-depth code analysis *and* our tests show the worm does not re-awaken 'naturally'". -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- The sky is falling, or so I am told. Alfred Huger (Jul 30)
- Re: The sky is falling, or so I am told. Wichert Akkerman (Jul 30)
- Re: The sky is falling, or so I am told. Pluto (Jul 31)
- Re: The sky is falling, or so I am told. Nick FitzGerald (Jul 31)
- <Possible follow-ups>
- Re: The sky is falling, or so I am told. Wayne Conrad (Jul 30)