RE: [iwar] As Microsoft .Net develops threats keep pace

From: Junkmail Rosenberger (junkmail@barnowl.com)
Date: 2002-01-11 13:08:06



Initial thoughts on the Donut virus:

(1) I'd call it "yet another executable wrapper" before calling it a .Net
virus.  The author went to some rather impressive lengths to envelop a .Net
file within a non-.Net module.  If you can envelop a .ZIP file within a
self-extractor .EXE module, then OF COURSE you can do the same with a .Net
file.

(2)  It appears the author relied heavily on assembler, plus some C code,
plus a token amount of MSIL.  Hence I DISagree on philosophical grounds with
McAfee's assessment that "this is the first virus to make use of Microsoft's
.NET architecture."  I also DISagree on philosophical grounds with
F-Secure's assessment that "it's the first virus of its kind."  HERE COMES
YOUR KILLER QUOTE: It's like using the term "woman" to describe a male
cross-dresser.

(3)  Based on input from two sources (one of them Microsoft), the author
openly admitted the difficulty of writing a true .Net virus.  If such an
admission comes from the mouth of "Benny" of 29/A fame, then I'd take it as
a compliment to .Net's security model.  (I can't say I read Benny's email
because I've got a problem with his damn ".msg" format.)

(4)  The antivirus industry already looks like it will treat this one in a
"matter of fact" fashion.  They'll update their detectors to find Donut and
then the whole thing will blow over.  I predict "the notorious Benny" will
earn a footnote story in every computer security publication and 1-2 fluff
pieces in every technopub (e.g. Virus Bulletin).  Big deal.

CURSORY SUMMARY:
I see nothing truly "new" here.  If we track down the virus expert who first
called this a "proof of concept," I'll lay you odds the guy works for/with
his firm's PR team.  (BOO!  Did I scare ya?)

Rob



This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:02 PST