Some ideaz about future worm



rhythm
22.07.2004, 18:43
hey! regarding the windows/linux virus scanner discussion (http://www.unixboard.de/vb3/showthread.php?p=66550), I thought this article by 29A member Benny gives some food for thought, in a way... enjoy!

ciao, rhythm


Some ideaz about future worm by Benny/29A:

One day, when I was thinking about my future projectz I suddenly remembered
some idea I heard somewhere, some yearz ago... I advanced it and even when
I haven't finished the worm using these ideaz (anyway, I have the main part
already finished), I want to share them with you... the real reason why I
don't have any worm is becoz the spreading mechanism dependz on some
buffer-overflow bug of new versionz of IIS and/or Outlook that will allow to
execute arbitrary code on remote machine. And becoz there's no such bug
found, I have to wait for that (then I will finish it)...:-P


Construction of unremovable worm
..................................

My idea soundz for the first sight very weirdly. The problem of all wormz
is (surprisingly) their PRESENCE at the computer. If some worm is stored
somewhere on the disk, in the memory, operating system, ... it can be alwayz
found by scanner just becoz the worm is there... and the other side of the
coin, it can be also removed when it is found. How to avoid the detection and
remove capabilitiez of AV scannerz? Simply - avoid the presence of the worm at
the computer ;-)

How? There exist two areaz where the worm can be stored - disk and memory.
And AV scannerz know that and their functionality dependz on these conditionz.

So, the worm

(1) should not be stored at any file on the disk.

(2) should be stored in some process'es memory (e.g. the shell,
explorer.exe), but not longer than necessary - spread_and_quit
algorithm. it is very important to clean the memory when the worm
quitz, so the worm will be really vanished.

(3) should be able to spread without any help of user, using exploitz of
some Internet service that will allow to remotely execute the worm-code.

(4) should be fast-spreading - it should be able to (very fast) find all
buggy Internet servicez and infiltrate them in a very short time.

(5) should be morphed on every generation, using some external metamorphic
engine (my BME32 or MDriller's MetaPHOR, for instance).

(6) XXX (described below)

Removement of the unremovable worm
....................................

Well, the biggest benefit followz - in fact, the only place where the worm will
be stored is CABLE that connectz computerz in network. Becoz of fast spreading
capabilitiez and code metamorphism, it won't be able to catch and stop it with
some ordinal AV. Worm would spread on until ALL buggy Internet servicez at ALL
to-Internet-connected serverz would be patched.

But can you imagine that EVERY server on Internet will be correctly patched, in
a short time? It's impossible! So, if the only place where the worm is stored
are CABLES (microwave connectorz, satellite receiverz, telephone linez etc...)
the only way how to stop such worm without patching ALL systemz would be then
DISCONNECT *ALL* BUGGY COMPUTERZ FROM THE INTERNET !!!

You can see that both of those 2 only wayz are unrealisable. And I have to
mention that if the worm would use some very spreaded-out bug, it would cause
the collapse of the world-wide network (the wanted side effect of the worm)!
I'm sure, that if the spreading algorithm would be advanced later, this worm
could cause a REAL harm.



XXX bonus
...........

Perhaps, the alternative way how to STOP such virus would be paradoxly to
create a new virus, with one addition (but I doubt AVerz would be allowed to do
it ;-); one module that will - after successful infection - patch buggy system
and so close the opened door. Is it science fiction? You decide...
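Added example for the defender's side of point (2) above (not part of the thread or of Benny's text): code that lives only in a process's memory leaves no file for an on-disk scanner, but on Linux it still shows up in that process's memory map as an executable region with nothing on disk behind it. The script below parses the `/proc/<pid>/maps` format and flags executable regions that are anonymous, backed by an unlinked file, or backed by a `memfd`; the sample maps content is constructed for the example, and `scan_live_processes` is a hypothetical helper that walks a real `/proc` when run on a Linux host.

```python
"""Flag executable memory regions with no file on disk behind them,
parsed from /proc/<pid>/maps (Linux). Added example, not code from
the 29A text; SAMPLE_MAPS below is constructed, not captured."""
import os
import re
from dataclasses import dataclass

# One /proc/<pid>/maps line: range, perms, offset, dev, inode, optional path
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"(?:\s+(?P<path>.*))?$"
)

# Kernel-provided regions that are executable and fileless by design.
KNOWN_PSEUDO = {"[vdso]", "[vsyscall]"}

# Constructed sample: a shell with one anonymous RWX region and one
# memfd-backed executable region next to its normal file-backed mappings.
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 1234567 /usr/bin/bash
0060a000-0060b000 rw-p 0000a000 08:01 1234567 /usr/bin/bash
01a3c000-01a5d000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0
7f3a1c200000-7f3a1c2c0000 r-xp 00000000 00:05 98765 /memfd:stage (deleted)
7f3a1c400000-7f3a1c401000 r-xp 00000000 00:00 0 [vdso]
7ffd5d000000-7ffd5d021000 rw-p 00000000 00:00 0 [stack]
"""


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> list[Region]:
    """Parse maps text into Region objects; malformed lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if not m:
            continue
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], (m["path"] or "").strip()))
    return regions


def is_fileless_exec(r: Region) -> bool:
    """Executable region that an on-disk scanner cannot reach."""
    if "x" not in r.perms:
        return False
    if r.path in KNOWN_PSEUDO:
        return False
    if r.path == "":
        return True                      # anonymous mapping (mmap/VirtualAlloc-style)
    if r.path.endswith("(deleted)"):
        return True                      # backing file was unlinked after mapping
    if r.path.startswith("/memfd:"):
        return True                      # memfd_create region, never on disk
    return False


def find_fileless_exec(text: str) -> list[Region]:
    return [r for r in parse_maps(text) if is_fileless_exec(r)]


def scan_live_processes() -> dict[int, list[Region]]:
    """Hypothetical helper: walk /proc on a Linux host and return
    {pid: suspicious regions}. Exited or inaccessible processes are skipped."""
    findings: dict[int, list[Region]] = {}
    if not os.path.isdir("/proc"):
        return findings
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/maps") as fh:
                hits = find_fileless_exec(fh.read())
        except OSError:
            continue
        if hits:
            findings[int(entry)] = hits
    return findings


if __name__ == "__main__":
    for r in find_fileless_exec(SAMPLE_MAPS):
        print(f"{r.start:#x}-{r.end:#x} {r.perms} {r.size} bytes {r.path or '(anonymous)'}")
```

On the constructed sample this reports the anonymous RWX region and the memfd-backed one and stays quiet about `[vdso]`, the heap and the file-backed text of bash. Anonymous executable regions are also produced legitimately by JIT compilers and some packers, so in practice the output is a triage list to feed into memory scanning, not a verdict; the same idea on Windows is walking each process's regions with `VirtualQueryEx` and looking for executable private memory.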

tsuribito
22.07.2004, 23:35
The S on his keyboard seems to be broken.
Why do they always have to make themselves look so ridiculous?