Malware "best practices"

Ben Scott dragonhawk at gmail.com
Wed Jul 26 21:00:01 EDT 2006


On 7/26/06, bmcculley at rcn.com <bmcculley at rcn.com> wrote:
> This is good for simple malware, but new technologies are
> introducing new features that can be used in new and
> interesting ways.

  As I said, there's still an arms race, but it's pretty easy to keep
up with this one.

> If you haven't previously seen the details of the MySpace worm that shut down their
> site last Oct, read http://namb.la/popular/tech.html ...

  I would hardly call that a "new" attack.  Cross-site scripting
attacks have been around for *years*.  It's just MySpace is a very
popular site, with a particularly incompetent design.  (Kinda like
Microsoft Windows. (Ha ha, only serious.))  Which is not to say such
things aren't dangerous -- they are.  But they're a different thing
from malware that's running outside the browser sandbox on the local
computer.

  The MySpace "worm" does highlight something important: Programmers
keep making the same stupid mistakes, over and over and over and over
and over again.

  Now, one can make the argument that allowing arbitrary scripts to
run, even in a sandbox, is still inherently dangerous.
Why?  Because programmers keep making the same stupid mistakes over
and over again.  So we know the sandbox will have holes.  Exposures
could thus be exploited to, say, grab confidential files.  You don't
need to install code outside the browser to do that.

  But, for that matter, you don't need to stick with scripting.  A
buffer overflow in an HTML engine gets you the same, or more.

  This is why, for situations where security really matters, the
standard practice is to just not allow an Internet connection.  That
is commonly done, even in the private sector, for places particularly
concerned about security.  I'd hate to think what DTVZ thinks about
*those* places.  ;-)

-- Ben
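The "same stupid mistake" behind the MySpace worm Ben mentions is stored cross-site scripting: user-supplied profile text echoed into a page without being encoded for its HTML context. The following is an added example (not code from this thread, MySpace, or any project named in it) showing the vulnerable rendering beside a hardened one. It goes slightly beyond the text by also covering user-supplied URLs in attributes, since a text-node escaper alone does not stop a `javascript:` scheme in an `href`; the profile fields, function names, and sample input are all constructed for the example.

```javascript
// Added example, not from the original mailing-list post.
// Demonstrates the stored-XSS pattern and its standard mitigation:
// encode every user-controlled value for the HTML context it lands in.

// Encode the characters that let text break out of an HTML text node
// or out of a double-/single-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Only absolute http(s) URLs are allowed in link attributes; anything
// else (including non-parseable input and other schemes) is neutralised
// to a harmless fragment link.
function safeUrl(u) {
  try {
    const parsed = new URL(String(u));
    return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : '#';
  } catch {
    return '#';
  }
}

// Vulnerable: profile text and link are interpolated straight into markup.
function renderProfileVulnerable(profile) {
  return `<div class="about">${profile.about}</div>` +
         `<a href="${profile.homepage}">${profile.handle}</a>`;
}

// Hardened: text goes through escapeHtml, the URL goes through the scheme
// allowlist and is then attribute-encoded as well.
function renderProfileSafe(profile) {
  return `<div class="about">${escapeHtml(profile.about)}</div>` +
         `<a href="${escapeHtml(safeUrl(profile.homepage))}">${escapeHtml(profile.handle)}</a>`;
}

// Constructed sample input (hypothetical profile, not a real record).
const sampleProfile = {
  handle: 'ben "the" scott',
  about: 'hi <script>alert(1)</script> friends',
  homepage: 'javascript:alert(1)',
};

// Stand-alone run: shows both renderings side by side.
console.log(renderProfileVulnerable(sampleProfile));
console.log(renderProfileSafe(sampleProfile));
```

The point is that the fix is mechanical and context-dependent: text content, attribute values, and URLs each need their own treatment, and the place to apply it is at output time, not by trying to filter "bad" input on the way in.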


