Re: MD5 Exploit Database?
From: Bruce P. Burrell <bpb(at)umich.edu>
Date: Wed Feb 05 2003 - 15:40:56 EST
> In essence what is needed is some kind of reliable signature as used by

Or not so slightly.

> but still retains an identifiable bit pattern.

Sad to say, this is not always so: some viruses are extremely polymorphic, and their maps require algorithmic techniques.

> Maybe some info on the guys in AV labs on how to best look for this?

Hey, why not just use an antivirus scanner on the image? I'd recommend using a "paranoid" scan, though, so that nothing it _can_ recognize is missed. [One can use grep to get rid of the false positives, at least with the scanner I use.] Moreover, it's easy to keep these tools updated... in other words, no extra effort need be expended by *us*. :-)

[I really doubt that the AV folks are going to make the details of their scanner algorithms -- after all, that's their bread and butter. And using Open AntiVirus doesn't really solve the problem -- that detects only about 17% of the known malware out there, as I recall. [Of course, the 17% it *does* detect probably is more likely to be viruses one would expect to see -- but viruses aren't the main concern, I suspect: it's the OTHER malware that concerns us here.]

> Failing that, it shouldn't be too difficult to concoct a tool that can

In other words, use well chosen heuristics. Yes, indeed, but it's better to use that only after exact identification has been used by a current, top quality scanner.

-BPB
University of Michigan...
Received on Thu Feb 6 14:29:40 2003