Vulnerability Development mailing list archives
Re: New worm?
From: thierry () WAATLEEFT LU (Thierry Zoller)
Date: Thu, 13 Apr 2000 19:04:28 +0200
Dimitry Andric wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2000-05-11 at 10:57 Dan Schrader wrote:A number of ISPs (US West, Sprint, British Telecom to name a few) are now offering virus scanning as a value added service. This allows them to differentiate themselves and generate added revenues. Users seem to like the feature.I can understand that users like to feel safe and cosy, and are ready to pay for it, but how can you offer any guarantee that these users will not be affected by the latest permutation of, say, LoveLetter.* ? It is impossible to detect new viruses which are not yet in your database, and heuristics will of course only work to a limited extent.
Nope it's not impossible, proof http://www.tlsecurity.net/cleaner/scriptguard.htm This is a _Generic_ Script Protector, it get's all variants of Loveletter and (probably) all coming vbs,hta worms as it does NOT rely on Fingerprints. Heuristics work pretty good for VBS scripts as the supposed "malicious" commands are static. Perhaps one could code an algorithm obscuring the commands and thus escaping Scriptguard, but this has not been made (yet) Thierry Zoller
So if you offer a guarantee, then you might be sued by users who become infected even after using your scanning service. On the other hand, if you don't offer any guarantee, what is your scanner service worth then? To me, it would then seem of no use at all, except for draining customer's pockets. Cheers, - -- Dimitry Andric <dim () xs4all nl> PGP key: http://www.xs4all.nl/~dim/dim.asc KeyID: 4096/1024-0x2E2096A3 Fingerprint: 7AB4 62D2 CE35 FC6D 4239 4FCD B05E A30A 2E20 96A3 -----BEGIN PGP SIGNATURE----- Version: Encrypted with PGP Plugin for Calypso Comment: http://www.gn.apc.org/duncan/stoa_cover.htm iQA/AwUBORv30rBeowouIJajEQIyYQCg1QIMWGlzOQPxi4yngG1tKGzmxIMAoNgf bjvEi0P6HCb/MJRvmyloLTgf =Ai3b -----END PGP SIGNATURE-----
Current thread:
- Re: New worm? Greene, Patrick (May 04)
- <Possible follow-ups>
- Re: New worm? Jim Swanson (May 04)
- Re: New worm? Matthew R. Potter (May 04)
- Re: New worm? Bluefish (May 05)
- Re: New worm? Matthew R. Potter (May 04)
- Re: New worm? mick chang (May 04)
- Re: New worm? Rich Corbett (May 04)
- Re: New worm? Edwin Concepcion (May 04)
- Re: New worm? Todd C. Campbell (May 10)
- Re: New worm? Dan Schrader (May 11)
- Re: New worm? Dimitry Andric (May 12)
- Re: New worm? Thierry Zoller (Apr 13)
- ScriptGuard Crispin Cowan (May 16)
- Re: ScriptGuard Thierry Zoller (Mar 16)
- Re: ScriptGuard Tim Wort (May 16)
- Re: ScriptGuard Chon-Chon Tang (May 16)
- warftpd exploit? Martin Ixter (May 16)
- Re: New worm? Dimitry Andric (May 12)
- Re: New worm? Bernie Cosell (May 12)
- ALERT: Bypassing Warnings For Invalid SSL Certificates In Netscape Navigator (fwd) Bluefish (May 13)