On Wed, 21 Jan 2004, Thomas Reinke wrote:
[snip]
OK, so you are assuming that 1) the virus writer will write a variant of Bagle and 2) the variant will have different logic such that |43 ff ff ff ...| actually triggers a 'malicious' action instead of a cleansing action, and 3) the purported logic of the two steps above would be to subvert Nessus (and other scanners which cleanse the virus) and trick it into doing something malicious (albeit intended by the virus writer). I mean, you do have to make the assumption that the virus writer intends for the 'backdoor logic bomb' to be triggered, no?
This all begs the question: why would the virus writer not just perform the nasty behavior to begin with?
Assuming the above can be adequately explained, why would the virus writer only target systems scanning with the whacky hex string? Why not get more bounce for the ounce and trigger on a 'GET /.*' command? I mean, if you trigger on GET commands, now you can coerce Retina, FoundScan, Nessus, etc. into triggering the logic bomb (presupposing that such a coercion is necessary).
I'm not suggesting that it is highly likely. However, I think it is VERY different to be sending the hex string to the virus to deactivate it than it is to send a GET string to a web server that has the possibility of being subverted. In one case, you are knowingly exercising code that you are pretty sure is untrusted and not authorized to be on the system. In the other, you are exercising code that you expect is operating correctly. This makes these two examples VERY different.
I didn't see a decent response to my counter example previously. What is the difference between sending a command to a virus that you expect will disable it, and sending an "rm" command to an installed backdoor to remove a previously discovered virus file that you found on the system? Contrary to previous postings, BOTH involve the sending of a "disabling" command, BOTH send the command to code that shouldn't be on the system in the first place, BOTH have the expected action of removing malware, and BOTH are inconsistent with Nessus' previous philosophy of detection only, as opposed to detection and remediation (notwithstanding win_trinoo.nasl). Yet, there seems to be consensus that leveraging a command shell is a *BAD THING*, but that leveraging Bagle's command is acceptable.
For the record, the only counter argument (which btw I mentioned as a possibility in the first message of this thread) is that there currently is no way of detecting ONLY: the removal command is the only way of detecting the virus right now. But ... given the way the comments have been going, I question whether that is a fact or simply a matter of convenience, i.e. would someone with access to the virus be able to quickly whip up an alternative and just hasn't bothered, or is there really no alternative that is easily available?
Thomas
_______________________________________________ Nessus mailing list [EMAIL PROTECTED] http://mail.nessus.org/mailman/listinfo/nessus
