
Re: virus killers?



On Sun, Oct 13, 2002 at 10:44:47PM +0200, Kjetil Kjernsmo wrote:

> I have to admit that I've had a different view of the whole virus thing. I've 
> used that view frequently when I rant about how bad windoze is, so if I'm 
> totally off here, it would be nice to be told so by friends...:
> 
> I mean, whatever viruses can exploit to propagate has to be a huge
> security hole, right? 

If you're concerned only with the propagation of the virus/worm/etc then
you are mostly right.  It takes all kinds.  A seemingly secure system
may still potentially be used to infect other systems.

> So, the problem can't really be the virus, but rather the 
> security hole that the virus is allowed to exploit, and virus scanners' 
> purpose seems mainly to look for signs of exploits of known holes. 

Not really.  Perhaps you have an infected file in an archive, on a
system that is impervious to infection by the infected file.  Then this
archive is moved to another system that it can infect.  Use of a
periodic virus scan most likely would have located and nullified the
potential for problem.

TMK, a virus scanner doesn't look for "signs of exploits" but rather
signatures of reported viruses.  Additionally, some scanners (like
the current version of clamav, soon to be added to Debian) are
potentially able to locate mutated versions of a known strain.

> They have to be known, otherwise you wouldn't know what to look for. 

See above.

> So, instead of patching the hole, the "get the latest
> definition"-paradigm tries to identify exploits of those holes. 

It is but one layer, by itself not a complete solution.

> Imaginably, you could do the same thing as the virus, but silently
> and more directed, so that the anti-virus companies that produce
> definitions never hear about it and never respond to it, and the
> victim never notices (and doesn't notice e.g. a data theft, and doesn't
> notify their definition provider).

Sure, and this does happen, but as with most things, automation and
scripting have been applied.

> So, what role do the definitions play for a well-patched and well
> maintained system, other than identifying that something is going on? 

Helping to ensure that data stored isn't infected.  I for one don't like
the prospect of passing on an infected file to someone else, regardless
of whether my system(s) was affected by it.

> Are there unpatchable, intrinsic design flaws that could be exploited
> by viruses? If so, what is it that prevents exploits by anybody?

I don't know that I would say "unpatchable", but I'm sure that somewhere
there is a flaw that a virus can exploit.  Why would one want to remove
a possible line of defense against a given exploit?  For example, let's
say that for some reason an exploit is found and it will take a few
hours or days to patch.  Meanwhile, the signature of the exploit is
already known.  In one case it requires someone to write a patch to
resolve the exploit, then for the affected sysadmin(s) to acquire and
apply said patch, after becoming aware of its existence.  On the other,
it simply requires the signature of the exploit to be added to a
database, which in many cases is automatically updated.  Looks like a
potentially significant difference in resolution time to me.  Sure, the
patch is ultimately better, but the scanner signature definition can
help.

-- 
Jamin W. Collins
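The two points Jamin makes above, that a scanner matches signatures of known samples (including loosely matched variants of a strain) rather than "signs of exploits", and that an infected file sitting in an archive on a host it cannot infect is still worth catching before the archive travels elsewhere, can be shown with a small signature scanner that descends into zip archives. This is an added illustration, not code from the thread or from clamav; the signature format, the "Demo.Mutating.A" family and its sample, the nesting and size limits, and the in-memory sample archive are all constructed for the example. The one real value used is the EICAR test string, the standard harmless file that anti-virus products detect by signature.

```python
import io
import re
import zipfile

# The EICAR test file: a harmless, standardised string that scanners flag on purpose.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database (not clamav's format). Each entry is a name and a
# compiled byte pattern. The second entry has a bounded wildcard in the middle,
# which is the simplest form of "matching a mutated version of a known strain":
# the fixed prefix and suffix identify the family even if bytes between them vary.
SIGNATURES = [
    ("Eicar-Test-Signature", re.compile(re.escape(EICAR))),
    ("Demo.Mutating.A", re.compile(rb"DEMO-FAMILY-A-.{0,16}?-PAYLOAD-MARKER", re.DOTALL)),
]

MAX_DEPTH = 3                    # how many archives-inside-archives to open
MAX_MEMBER_BYTES = 8 * 1024 * 1024  # refuse to inflate members larger than this


def scan_bytes(data, path):
    """Match every signature against a plain (non-archive) blob.

    The host's own vulnerability is irrelevant here: the content is checked
    regardless of whether this system could ever execute it.
    """
    return [(path, name) for name, pattern in SIGNATURES if pattern.search(data)]


def scan_object(data, path, depth=0):
    """Scan a blob; if it is a zip archive, scan each member instead.

    Returns a list of (virtual_path, finding) tuples. Findings are either a
    signature name or a SKIPPED:* marker for members the scanner declined to open.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return scan_bytes(data, path)
    if depth >= MAX_DEPTH:
        # Deeply nested archives are a classic way to exhaust a scanner; report, don't recurse.
        return [(path, "SKIPPED:nesting-limit")]
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_path = f"{path}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                # Declared size is checked before inflating, so a zip bomb is skipped, not expanded.
                hits.append((member_path, "SKIPPED:oversize"))
                continue
            hits.extend(scan_object(zf.read(info), member_path, depth + 1))
    return hits


def build_sample_archive():
    """Constructed sample: an archive (as it might be copied between systems)
    holding a clean file, the EICAR test file, and a nested archive with a
    variant of the hypothetical Demo.Mutating.A family."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"harmless text")
        zf.writestr("variant.bin", b"DEMO-FAMILY-A-" + b"\x90\x41\x42" + b"-PAYLOAD-MARKER")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README", b"archive moved between systems")
        zf.writestr("eicar.com", EICAR)
        zf.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member, finding in scan_object(build_sample_archive(), "backup.zip"):
        print(f"{member}: {finding}")
```

The scan of the sample archive reports `backup.zip/eicar.com` as Eicar-Test-Signature and `backup.zip/nested.zip/variant.bin` as Demo.Mutating.A, while the clean members produce nothing. Note what the scanner does not do: it has no notion of which hole a sample exploits, so an unknown sample passes silently, which is exactly why Jamin calls signatures one layer rather than a complete solution.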