Vulnerability Development mailing list archives
Re: Another new worm??? (long)
From: pierre () DATARESCUE COM (Pierre Vandevenne)
Date: Thu, 22 Jun 2000 18:26:54 +0200
On Thu, 22 Jun 2000 10:09:42 +0200, rune () trans4media com wrote:
On Wed, 21 Jun 2000, you wrote:[Hyped viruses - Hare Krishna]AV companies still hype viruses and overexagerate their threats.
Oh yes....
point of view and giving vandals the tools to wreak havoc is not the best way to address the problem...And *because* of the seriously flawed way EEPROM's are used - the information *SHOULD* be published. That way - hardware companies will understand how stupid it is to do "that and that".
Sure, in principle you are more than right. I believe the manufacturers understand but that solving the issue is just not practical. To take an analogy, we know nails will punch holes in tires and the industry doesn't address the problem because making nail resistant tires would cost three times the cost of conventional ones and people have developed some kind of global road ethics - they don't spread nails on roads....
When people find out how flawed their hardware is, they have the option of swapping it *before* accident strike.
Yes - but they won't know, won't find out until it happens and when it does will be misinformed. If the payload hits some general or congressman MP3 player, some 17 year old kid will be fined 30 million dollars, sentenced to jail and sacrificed on the hacker's altar ;-)
Oh, and .. CIH .. was kind of .. widespread. Anyone with a disassembler could analyze the virus.
Well, it took me two hours to understand it and I recognized the flashing routine by sheer luck ( I had patched a flasher that wouldn't run on a fast computers a month or so before). Most a-v companies missed the flashing routine in their initial analysis, one of them activated the routine by accident and investigated - one argument for more open analysis btw - then I spend a couple of days downloading EEPROM PDF docs and looking at the Award flasher. OTOH, when I saw an e-mail worm it took me (and everyone) less than 5 minutes to understand how it worked. That's imho the key difference : anyone can spare an hour or two - not anyone can spend 4 days on a project. Besides, people who are able to analyze CIH usually have a job and don't have time to loose as vandals. One hour of cutting and pasting in vbs or vba is all it takes. As you have noticed, while there are hundreds of devices that can be flashed, there are only a few very minor CIH variants. VBS/VBA worms are appearing constantly... --- http://www.datarescue.com/idabase/ida.htm IDA Pro 4.1 - Yes, we have done it again !
Current thread:
- Re: Another new worm??? (long) Pierre Vandevenne (Jun 22)