Re: [Full-Disclosure] Tracking a virus by logging infected machines
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Tracking a virus by logging infected machines
- From: Ralf <ralfml@xxxxxxxxxx>
- Date: Mon, 01 Sep 2003 22:51:03 -0700
Richard M. Smith wrote:
> Not that I want to encourage virus writing, but I think it would be very
> helpful to gather infection statistics if a virus were to keep a log of
> the IP addresses of all the machines it infected. The log could be
> appended to the end of the executable file of the virus. Each copy of a
> worm or virus would contain a record of one branch of the tree of
> infected machines.

I don't have any practical experience in writing viruses (and surely
don't want to) but that doesn't seem applicable. I'd expect the
infection tree to be much wider than deep, so not much knowledge would
be seen in such a log of a single branch of the tree, except a way to
target the immediate source of infection (and trace back the author?).
Adding the log to the virus itself doesn't seem too viable, especially
as text that could be easily detected by the dumbest AV.
A better way would be to use a trojan that contacts a central server at
some point (like the DDoS trojans do). Then the trojan can send info
about where it is right now and where it comes from so it doesn't need
to keep its own log. Given the wild imagination of the various virus
authors around and their number, I'm sure that's already been done.
R/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html