Vulnerability Development mailing list archives

Re: Another new worm??? (technical)


From: 11a () GMX NET (Bluefish)
Date: Sat, 24 Jun 2000 03:29:59 +0200


> There is no such thing as hard to modify things in macro-viruses /
> script viruses. There is a paper by David Chess on the IBM site about
> that. He calls them "soft" viruses because in fact for different
> reasons they are very resistant to small changes

I'm no expert on the VBS-files, so I can't argue on that. But macros in
e.g. Word which can auto-execute are easily detected?

> Change random bytes in a worm like Love Letter, it will keep working in
> 90% of the cases.

Which only demonstrates that you should look at important stuff. ;-)

If I would (which I won't ;-) develop an AV designed to deal with emails, I
would offer a number of options where the user (administrator) could
decide how to deal with scripts containing file access etc. and let them
classify what kind of defence they feel they need. To simplify the process
I would offer a number of default settings ("paranoid" being default,
"block all scripts" would be what I enabled where I work).

> Change random bytes in a virus written in assembly language, it crashes
> in 99.9% of the cases.

That's fairly obvious to anyone with a limited understanding of how the
common commercial machine languages work, eh... ;)

> * Simple mail filters are not a long term solution but are a good
> emergency measure.
> * Implementing an open source anti-virus based on simple e-mail filters
> only is doomed.
> * A system that is inherently weak should be fixed at the root.
>
> These were my points, I am sorry if I did not express myself clearly
> enough.

Seems we agree to most things :)

> > After all, they do know
> > that very, very few users actually use macros, scripting email etc.

> 1) Corporates use them.

In my experience: rarely. Of course this may depend on where one has
worked etc., but I feel safe to say that even among companies less than
a percentage do use the macro functionality, even less the autoexecutes.
A scripting email being useful was news to me; what exactly would the
purpose be? Multimedia emails? I have my doubts.

The only contact with macro programming I've had is consultants who use VBA
to access Excel/Access databases (those people really did not know their
business - I had to help them out although I had no prior experience of
VB)...

> 2) it is Microsoft's job : you can't sell a program that removes parts
> that MS considers essential to its exploitation system.

I would, if I was in charge of a company, be ready to pay for software
which identifies possibly insecure features (also those related to human
factors such as social engineering, alas disabling hiding of extensions
etc.) and offers a) warnings only, b) fixing if the user agrees (default) or c)
automatic fixing.

Personally, I would of course like such software free, GPL-ed or something,
but I do think numerous companies would enjoy that feature.

> 3) MS issues patches

I do think AV tools could at least recommend fixes? A simple option
"security analysis" in one of those interactive AVs wouldn't require
overly much code and could easily detect settings commonly exploited by
viruses. And then it could prompt something like "Check microsoft.com for
security updates? [y/n]". If yes, simply send Explorer to the correct URL.

> I am sorry, I failed to see where I have "wildly accused" you of
> anything. In any case, accept my apologies for anything that could have
> offended you directly or indirectly.

Oh, you haven't. I was thinking about the trendmicro post which brought up
these threads. Was kinda reading them and then reading your mail ;)

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
