On Fri, 23 Jan 2004, Thomas Reinke wrote:

> John Lampe wrote:
> > On Wed, 21 Jan 2004, Thomas Reinke wrote:
> > [snip]
> >
> > OK, so you are assuming that
> > 1) virus writer will write a variant of bagle and
> > 2) variant will have a different logic such that |43 ff ff ff ...|
> > actually triggers a 'malicious' action instead of a cleansing action
> > 3) The purported logic of the two steps above would be to subvert Nessus
> > (and other scanners which cleanse the virus) and trick it into doing something
> > malicious (albeit intended by the virus writer). I mean, you do have to
> > make the assumption that the virus writer intends for the 'backdoor logic bomb'
> > to be triggered, no?
> >
> > This all begs the questions:
> > why would the virus writer not just perform the nasty behavior to begin
> > with?
> >
> > assuming the above can be adequately explained, why would the virus writer
> > only target systems scanning with the whacky hex string? why not get more
> > bounce for the ounce and trigger on a 'GET /.*' command? I mean, if you
> > trigger on GET commands, now you can coerce retina, foundscan, nessus,
> > etc. into triggering the logic bomb (presupposing that such a
> > coercion is necessary).
>
> I'm not suggesting that it is highly likely.

Right, I don't think it's highly likely either. IMO, the conditions above
would be met by
1) a person who didn't really care for his/her virii to propagate in
optimal fashion or
2) a practical joker who is just looking to grind a bone with Nessus

Hey, what's that over there? It's our work piling up.

John
