Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: [Dailydave] We got owned by the Chinese and didn't even get a "lessons learned"
From: Joanna Rutkowska (joannainvisiblethings.org)
Date: Wed May 24 2006 - 11:03:03 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Nicolas RUFF wrote:
>> So, I'm quite curious what kind of (mature) products we have today to
>> detect advanced malware on Windows/x86-32 platform? Only please do not
>> mention hidden files, registry and process detectors (and not even try
>> thinking about signature detectors)... Anybody? (this is not a
>> rhetorical question, I really am curious!)
> Well, this is an interesting question indeed.
> From the sample we got, there are 2 things to notice :
> - The eggdrop part won't run if you do not have administrative rights on
> your computer (because it is trying to create a "c:\~.exe" file).
Oh, come on! And what if the malware exploits some kernel bug (we all
have seen several such bugs last year, haven't we)? Obviously running as
privilege user will not help in this case (although it's a very good
> - It won't run either if you have no "c:" drive on your computer (same
Again, this doesn't solve the problem of more advanced malware (see e.g.
my black hat federal presentation).
> From my experience, those 2 security features may block more than 99.9%
> of "DownloadToFile" viruses. So we are safe ... for now !
But we're not talking about blocking 'DownloadToFile viruses', we're
talking about protecting sensitive (government, corporate) networks
against sophisticated targeted attacks...
What we really need (IMO) is a good *detection* to complement our
protection (NX/DEP, ASLR, Patch Guard on x64, etc), which is quite
advanced, but as life shows, still not 100% proof.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----