While writing some PE analysis code I needed to calculate the actual physical (file) offset in a PE file for a given RVA (relative virtual address). Looking around on the Internet, the answer was non-obvious. The Metasploit Framework's msfpescan was actually the most help. I've ported its approach to Ero Carrera's pefile module and attached the patch to this post. Pefile is a Python module that I highly recommend.
Read more for the simple technique.
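As an added example (my own code, not the attached patch and not pefile's implementation), here is the section-table lookup that the conversion comes down to, run over a constructed two-section PE header skeleton. The sample sections, their sizes and the RVAs probed are all made up for the demonstration. The two edge cases worth handling are an RVA that falls in the headers before the first section (mapped 1:1 from the file) and an RVA in the part of a section that exists only in memory, i.e. beyond SizeOfRawData (no file offset at all).

```python
import struct
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int


_SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
_COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
_OPT_HDR_SIZE = 224             # PE32 optional header; its contents do not matter for this mapping


def build_sample_pe(sections):
    """Emit DOS header + PE signature + COFF header + zeroed optional header + section table.

    Constructed sample: only headers are emitted, no section bodies."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack(_COFF_FMT, 0x14C, len(sections), 0, 0, 0, _OPT_HDR_SIZE, 0x102)
    table = b"".join(
        struct.pack(_SECTION_FMT, s.name.encode().ljust(8, b"\0"),
                    s.virtual_size, s.virtual_address, s.raw_size, s.raw_pointer,
                    0, 0, 0, 0, 0x60000020)
        for s in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(_OPT_HDR_SIZE) + table


# Constructed sample sections (assumed values, chosen to exercise both size mismatches)
SAMPLE_SECTIONS = [
    Section(".text", 0x800, 0x1000, 0x1000, 0x400),   # raw size > virtual size (file alignment padding)
    Section(".data", 0x3000, 0x2000, 0x200, 0x1400),  # virtual size > raw size (uninitialised tail)
]
SAMPLE_PE = build_sample_pe(SAMPLE_SECTIONS)


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)      # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                # first IMAGE_SECTION_HEADER
    out = []
    for i in range(num_sections):
        name, vsize, va, rsize, rptr, *_ = struct.unpack_from(_SECTION_FMT, data, table + 40 * i)
        out.append(Section(name.rstrip(b"\0").decode(), vsize, va, rsize, rptr))
    return out


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table; None if no bytes back it on disk."""
    for s in sections:
        # A section occupies max(VirtualSize, SizeOfRawData) bytes of address space ...
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + span:
            delta = rva - s.virtual_address
            # ... but only the first SizeOfRawData bytes of it come from the file
            if delta >= s.raw_size:
                return None
            return s.raw_pointer + delta
    # Below the first section the headers are mapped 1:1 from the start of the file
    if sections and rva < sections[0].virtual_address:
        return rva
    return None


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_PE)
    for rva in (0x100, 0x1010, 0x2100, 0x2300, 0x9000):
        print(f"RVA {rva:#x} -> {rva_to_offset(secs, rva)}")
```

With the sample table, RVA 0x1010 lands at file offset 0x410 and 0x2100 at 0x1500, 0x100 is in the headers and maps to itself, while 0x2300 sits in the memory-only tail of .data and 0x9000 belongs to no section, so both come back as None rather than a bogus offset.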
Consumer Reports recently conducted a test of the major anti-virus software on the market. Instead of using only known malware samples, they went a step further and modified the viruses slightly to test detection rates against variants. The AV products didn't do very well, as expected. The problem is the subsequent backlash from the AV industry.
Igor Muttik posted on McAfee's blog about what he sees as inappropriate behavior. His argument is that you should not make new malware under any circumstances. It has been fairly well known in the research community that simple modifications to a virus, such as changing the nop instructions, are enough to fool most of the major vendors' products. The test conducted by Avi Rubin's company is exactly what actual virus writers would perform. This test is fair and accurate in my view.
The truth of the matter is that AV does not perform as well as it should. Consumer Reports is doing the right thing by benchmarking this software under real-world conditions.
With the release of the first unauthenticated remote code execution exploit in a couple of years, many in the press have taken to predicting that a new worm is on the horizon. No doubt the AV companies are all prepared to disassemble, analyze, and most importantly name the new worm.
There are some things that will limit the effects of such a worm. First, under XP Service Pack 2 it is widely thought that the only achievable effect is a denial of service. The real threat is to previous service packs and older versions of Windows. Microsoft is probably the only party in a position to say what percentage of machines run Windows 2000 or XP SP1 versus XP SP2. From the organizations we have dealt with, my impression is that SP2 has been widely adopted.
Given all these issues, it's probably not worth getting too riled up about. Two events should get your attention: a reliable exploit payload for XP SP2 being released, or a lot of non-SP2 systems on your network. If the latter is the case, it's probably time to get with the program and upgrade. Don't bank on a reliable exploit not being released. Many smart people are thinking very hard about how to make this happen.