On Thu, 7 Jun 2001, Ari Weisz-Koves wrote:
> The reason I see to be scared is that suddenly the mainstream operating
> system used by the least cautious people around, with the best
> application/os integration providing the easiest trojan methods will by
> default be able to be used for packet forging attacks.
It really isn't that big of a deal; there are already enough trojaned
Win9x clients out there that even using real addresses doesn't make it
easy to stop them.
> Correct me if I'm wrong with the details, but with Windows 95/98/NT/2000
> wouldn't the trojan have to figure out the network interfaces, install
> a packet driver, reboot the system then run itself again to begin the
> attack? Sure, someone out there is probably good enough to write this, but
More than "someone," it's not that difficult a task. The interface is in
a registry key. Rebooting is simple, and there are *lots* of ways to
ensure that your code gets called again after reboot.
> the majority of vicious virus-writing pranksters wouldn't have the skills to
If you mean "Generated by VBSWG" pranksters, yes; if you mean "Actual
virus authors" then I think you _seriously_ underestimate them. Because
of the hiatus of executable viruses while the bad guys were learning about
Win32 programming, there's been a comfort level that's been pretty high:
macro detection is almost 100% these days, and VBS worms tend to be kit
generated and the only thing that gets through is newer versions of the
kit for the most part. That's currently changing, and we're starting to
see more .exe code. Those tend to have to be caught one by one, unlike
the kit-generated stuff.
> write one in a way that wouldn't suspiciously reboot the system or show up
> in some blaring obvious way to the end user. Isn't this just above the skill
> level of the majority of virus writers? If the interface is already
> installed and easily usable through the standard APIs on the os, isn't the
> danger that it just makes it too accessible to those who might want to cause
> such damage?
Look at the auto-updating, plug-in using, trusted signed code only trojans
currently floating around, then think about the skillset needed to add a
packet driver and stick around for a reboot.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]