Dailydave mailing list archives

Re: We got owned by the Chinese and didn't even get a "lessons learned"


From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Wed, 24 May 2006 18:03:03 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nicolas RUFF wrote:
So, I'm quite curious what kind of (mature) products we have today to
detect advanced malware on Windows/x86-32 platform? Only please do not
mention hidden files, registry and process detectors (and not even try
thinking about signature detectors)... Anybody? (this is not a
rhetorical question, I really am curious!)

Well, this is an interesting question indeed.
From the sample we got, there are 2 things to notice :

- The eggdrop part won't run if you do not have administrative rights on
your computer (because it is trying to create a "c:\~.exe" file).

Oh, come on! And what if the malware exploits some kernel bug (we all
have seen several such bugs last year, haven't we)? Obviously running as
privilege user will not help in this case (although it's a very good
idea indeed).

- It won't run either if you have no "c:" drive on your computer (same
reason).

Again, this doesn't solve the problem of more advanced malware (see e.g.
 my black hat federal presentation).

From my experience, those 2 security features may block more than 99.9%
of "DownloadToFile" viruses. So we are safe ... for now !


But we're not talking about blocking 'DownloadToFile viruses', we're
talking about protecting sensitive (government, corporate) networks
against sophisticated targeted attacks...

What we really need (IMO) is a good *detection* to complement our
protection (NX/DEP, ASLR, Patch Guard on x64, etc), which is quite
advanced, but as life shows, still not 100% proof.

joanna.

-----BEGIN PGP SIGNATURE-----

iD8DBQFEdIO1ORdkotfEW84RAjZlAKCN4IHqgj6d9h4Lb0UmIoObdWL4VQCgzN3N
1vNSRNMpdF7yU5AEXQ0GMOM=
=5Gg7
-----END PGP SIGNATURE-----


Current thread: