Trojan horse Downloader.Generic.ML

Not really, and there are good reasons why not. The most famous data diddler is the now extinct Ripper boot virus. Even at the peak of the boot infectors' short era, Ripper was more of a conversation piece than a real threat (Simon Widlake would mention it often). The reason for its rarity is that destructiveness counters prevalence: the more destructive malware is, the smaller its chances to survive and spread.

Only a fool would claim that there exists no malware that corrupts data, but a producer must really have no sense to optimize an AV product for such a rare singularity.

[...]

I am both willing and experienced, but unable to tell viral from benign if all that I could use was Stiller's Integrity Master.

[...]

Sophos' decision not to disinfect was a business decision, and the "ideology" attached to it was propaganda. Fact is, it worked!

You seem to have forgotten the very basics of virus and antivirus technology. Here is a brief reminder (state of the art ca. '95):

The definition of virus [link] is: "A virus is parasitic computer code that replicates by producing functional copies of itself into host files. The infected hosts inherit the replication ability of the affecting virus, in addition to maintaining the original functionality of the host program or file."

The last part requires that everything that was contained in the program in its pre-infected state still be there, plus the necessary changes made by the virus to incorporate its own code in the program flow. A direct deduction is that all virus infections are theoretically reversible by reverting the changes made to the program, since nothing from the original code was lost. This is, in a nutshell, the entire theory on which virus disinfection and recovery is based.

As to disinfection vs. integrity restoration, everything disinfection can do, restoration will do better, and much of what restoration will do can't be done by disinfection at all (like disinfection from highly polymorphic viruses, or from new ones). [...]

I didn't expect you would, yet ... ;)

Regards, Zvi

-- NetZ Computing Ltd. ISRAEL

InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities


Obviously they could come around your house and check. Or they could set up remote cameras/antennas to check. Not exactly cost-effective.

Go and find all the relevant RFCs (NAT, ethernet, wireless bridging) etc. and show me how they could detect it. To all intents and purposes, all the ISP sees is the traffic from the ISP router. (This isn't strictly true of course. But routers could obfuscate the client data if need be, or you could use local proxies.)

-- Chris Salter

In some cases, though, I think certain illegal activities could be traced without much difficulty. My ISP happens to be owned by the telephone company. Take a different kind of case, where idiots give away their user name and password to friends. On dialup, there is the correlation to telephone number to work with. And telcos may cooperate with ISPs on this sort of thing in the more general situation.

In my case, with DSL service being supplied by, in effect, the telco, I'm not so sure my line and others couldn't be tracked by the telco if I was crazy enough to give away my user name and password ... or if it was a wireless crack that did the evil deed.

I dunno, but it's along these lines that I have in mind ... cooperation between telcos and ISPs to track down this sort of crap.

In talking to some young people and listening to their conversations, I get the impression that many don't care one whit about any of this, and all kinds of illegal stuff is going on ... and there is practically no use made of even the available security measures. If things get bad enough, you can damn betchum there will be crackdowns, in spite of the apparent technical difficulties in finding and booting off these characters :)

-- Art

i'm wondering how you think they could even detect that... the network traffic that they see will all have the IP address of the router, not the machines connecting to it - and even if they could tell there were multiple machines connecting to a router there's no way to tell what medium was used for the connection...

-- kurt wismer

Art wrote: [snip]

in the case of wireless freeloading it would be as if they were all using the same phone - no help there...

-- kurt wismer

[snip]

i'm talking about existence - you're talking about prevalence... that is not a useful tangent...

[snip]

and on this point we diverge again - plain integrity checkers belong to a much broader class of diagnostic tool than anti-virus programs so i have no expectation that they should only take into account those events that anti-virus products are concerned with...

and why would anyone be using *just* an integrity checker?

a clever application of clean booting, backups, and integrity checking would allow one to trace the generation of viral offspring in most cases (the exception being those cases where you cannot coax the 'infected' file to produce offspring)...

whatever - i suspect sophos' success has more to do with the fact that the market treats disinfection like an afterthought - people are far more concerned with prevention and on that criterion sophos compares favourably with the competition...

then it is a) flawed (as overwriting infectors *are* viruses according to just about every definition i've seen other than yours), and b) a non-sequitur (as integrity checkers are for more than just detecting viruses - there's this little thing people sometimes call a payload)...

-- kurt wismer

on top of warhol worms there are also the plain ordinary trojans which are now able to be spread far and wide enough by manual labour as to become a significant enough problem for anti-virus products to change their focus...

overwriters are viruses by cohen's formal *and* informal definitions... if zvi wants to use his own definitions, he's free to do so but the discussion won't go very far...

[snip]

ugg - pdfs...

how about this:

------------- In 1984, the first experiments with `Computer Viruses' as we know them today were performed. [1] To quote this paper:

``We define a computer `virus' as a program that can `infect' other programs by modifying them to include a possibly evolved copy of itself.''

These `Viruses' had many implications for integrity maintenance in computer systems, and were shown to be quite dangerous, but their potential for good was also introduced. A practical virus which reduced disk usage in exchange for increased startup time was described, and this technique is now commonplace in personal computer systems. A formal definition for viruses, which for mathematical reasons encompasses all self-replicating programs and programs that evolve and move through a system or network, was first published in 1985. [4] This encompassed many of the worm programs under the formal umbrella of computer viruses. This work also pointed out the close link between computer viruses and other living systems, and even melded them into a unified mathematical theory of `life' and its relationship to its environment. These experiments were terminated rather forcefully because they were so successful at demonstrating the inadequacy of contemporary computer security techniques that administrators came to fear the implications.

--------------

-- kurt wismer

The discussion is about plain integrity checkers versus AV-adapted integrity checkers/restorers. See [link].

Regards, Zvi

-- NetZ Computing Ltd. ISRAEL

You're thinking "inside the box" again. Try using a little imagination and creativity.

For xDSL, high gain rotary antennas at every telco office sweeping a radius of up to four miles ... backed up with digital cracking sw ... should do the trick very nicely.

In my geographical region, where the only ISP offering xDSL is owned by the telco, such monitoring boxes don't seem very far fetched or even very futuristic. They could be produced in volume at relatively low cost. More futuristically and generally, I envision close cooperation between telcos (who have an interest in this as well) and ISPs.

Cable providers will want to jump on this bandwagon as well ... and they will help defray the costs of monitoring in return for the info provided.

-- Art

Sigh....

How would the telcos prove that the wireless signal they have found a) is being used by their customer, b) carries internet access, and c) is being used illegally?

I have wireless in my house; it has nothing to do with my ISP what I do with my wireless signals, or what my wireless signals carry. Suggesting that ISPs/telcos have the right to sniff and crack communications is utterly mad.

-- Chris Salter

Not necessarily. I can envision individual line locator technology used by telcos to track down xDSL abusers.

-- Art

Sigh back :)

By pinpointing (to some extent) their geographical location and doing a bit of detective work.

By the nature of the rf signals, obviously, and packet content once cracked.

See above.

> my wireless signals, or what my wireless signals carry.

Not if you're freeloading ISP service. You're safe for now only if you use strong WAP.

> utterly mad.

Methinks thou protesteth too much. You must have something to hide.

-- Art

Hahaha.

Nonsense.

I'm not freeloading anything, my wireless network carries MY network data.

I have *lots* to hide. Obviously you don't. Please post all your personal details, social security, CC numbers, friend details, telephone numbers, passwords, email address onto usenet.

-- Chris Salter

You do have a funny ISP indeed that doesn't require that a user name and password be sent for email and newsgroup access. With a cracked WEP (or none at all) that's one item of several that can be sniffed.

So you do pay for ISP service then. Splendid :) Many don't. And I'm sure many freeloaders can be found ... and the idiots who give their ISP access away to others.

-- Art

My wireless network is NOT connected to the internet FULL STOP. No passwords or usernames are sent through the air.

So what? Cracking and sniffing are (in the UK at least) illegal. You think telcos are above the law? You think they have a right to go and crack into my network? You think they have the right to the details of myself and my family? You think they should be allowed to listen to my phone calls, open my mail, come around and plug into my network?

I'm on cable and yes, I do pay. Obviously you believe that a minority breaking the law gives companies a legal right to break it as well? Or you believe we should all live in a nanny state?

-- Chris Salter

It all gets added onto the account holder's download limit and they will be charged accordingly.

Over here, most ISPs are moving away from unlimited access accounts. Mine used to be unlimited but now has a cap of 30GB per month, though they did offer the sweetener of a 2Mb download speed instead of 1Mb at no extra cost.

There's no way ISPs are going to hack into wireless networks on the off chance of catching a freeloader. They're in the business for the money, and any misuse can easily be contained by the application of download limits or surcharging for going over allowed limits.

Jim.

-- James Egan

I think you're probably right for once :)

-- Art

to detect wireless signals (maybe), but not to determine whether the owner of the wireless access point is ok with the connections being made...

of course i'm pretty sure such 'listening posts' will run afoul of some kind of privacy law... i discounted them for precisely that reason...

-- kurt wismer

Being a producer, my focus is on the practical aspects, of course. [...]

I have no interest in general purpose integrity checkers, only in those offered as AV tools, like Integrity Master, which you brought to the discussion. [...]

Where do I claim that anyone should? In case you forgot, the approach that I promote is generics and consists of the use of *multiple* and individually *generic* methods, used *simultaneously*, and mutually *independent*. See [link].

You are demanding far too much from the common user.

[...]

You assume sophistication where there is none. The limited success of Sophos in their local market (UK) is due to concentrating on the corporate niche and not wasting efforts on the consumers market. [...]

An overwriting infector in researchers' terminology, and what you believe they mean by that, are totally different things. To that category (overwriting infectors) belong cavity infectors, like Lehigh (a DOS infector of command.com) and CIH (PE infector). Cavity infectors conform to the definition of "virus" as brought above, to the word. The part of the host file that is overwritten by the virus is an unused section, nothing functional of the pre-infected file is overwritten, and hence, nothing of the original code is lost.

A program that overwrites the host indiscriminately may be called an overwriter, but not infector, maybe a Trojan. Hence, your "overwriting infector" is fiction, no such thing exists.

As to genuine overwriting *infectors*, they respond to the same processing as ordinary parasitic infectors do, i.e. they can be disinfected by cleaner procedures, or generically restored from integrity signature.

Regards, Zvi

-- NetZ Computing Ltd. ISRAEL
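A toy model of the "signature and restore" idea from Zvi's posts above (the definition-based argument that a parasitic infection is reversible, and the later distinction between cavity infectors and indiscriminate overwriters), added here as an example. It is not code from the thread, nor from InVircible or Integrity Master. The executable format, the three modification routines and the record layout are all constructed for illustration; the record keeps the file length, a hash, a copy of the header (the bytes an infector must patch to gain control) and the location of zero-filled slack, which is the minimum a generic restorer needs for these three cases.

```python
# Added example, not from the thread. Toy executable format, infectors and
# integrity record are all constructed for illustration.
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAGIC = b"TOYX"
HEADER_LEN = 8  # magic (4 bytes) + little-endian u32 entry offset


def build_host(code: bytes, slack: int = 16) -> bytes:
    """Constructed 'executable': header, code, then a zero-filled slack area
    (standing in for section padding that a cavity infector could use)."""
    return MAGIC + struct.pack("<I", HEADER_LEN) + code + b"\x00" * slack


def entry_of(image: bytes) -> int:
    return struct.unpack_from("<I", image, 4)[0]


def zero_runs(image: bytes, min_len: int = 8) -> List[Tuple[int, int]]:
    """[start, end) ranges of at least min_len consecutive zero bytes."""
    runs, start = [], None
    for i, b in enumerate(image + b"\x01"):  # sentinel closes a trailing run
        if b == 0 and start is None:
            start = i
        elif b != 0 and start is not None:
            if i - start >= min_len:
                runs.append((start, i))
            start = None
    return runs


@dataclass(frozen=True)
class IntegrityRecord:
    """Per-file record: length, hash, a copy of the header (the bytes any
    parasitic infector must patch) and where the zero-filled slack was."""
    length: int
    sha256: str
    header: bytes
    zero_ranges: Tuple[Tuple[int, int], ...]


def take_signature(image: bytes) -> IntegrityRecord:
    return IntegrityRecord(len(image), hashlib.sha256(image).hexdigest(),
                           image[:HEADER_LEN], tuple(zero_runs(image)))


def is_intact(image: bytes, rec: IntegrityRecord) -> bool:
    return len(image) == rec.length and hashlib.sha256(image).hexdigest() == rec.sha256


def infect_appending(image: bytes, body: bytes) -> bytes:
    """Appending infector: body goes at the end, entry is redirected to it."""
    return MAGIC + struct.pack("<I", len(image)) + image[HEADER_LEN:] + body


def infect_cavity(image: bytes, body: bytes) -> Optional[bytes]:
    """Cavity infector: body overwrites a zero-filled run, entry is redirected.
    Only unused bytes are overwritten, so nothing functional is lost."""
    for start, end in zero_runs(image):
        if end - start >= len(body):
            patched = bytearray(image)
            patched[start:start + len(body)] = body
            patched[4:8] = struct.pack("<I", start)
            return bytes(patched)
    return None


def overwrite_host(image: bytes, payload: bytes) -> bytes:
    """Indiscriminate overwriter: clobbers the start of the host code."""
    return image[:HEADER_LEN] + payload + image[HEADER_LEN + len(payload):]


def restore(image: bytes, rec: IntegrityRecord) -> Optional[bytes]:
    """Generic restoration: put back the saved header, re-zero the recorded
    slack, truncate to the recorded length, accept only on hash match."""
    if len(image) < rec.length:
        return None  # host shrank: original bytes are missing
    candidate = bytearray(rec.header + image[HEADER_LEN:rec.length])
    for start, end in rec.zero_ranges:
        candidate[start:end] = b"\x00" * (end - start)
    candidate = bytes(candidate)
    return candidate if hashlib.sha256(candidate).hexdigest() == rec.sha256 else None


def demo() -> dict:
    host = build_host(b"\x90" * 32 + b"\xc3")  # constructed host code
    rec = take_signature(host)
    appended = infect_appending(host, b"VIRUS-BODY" * 3)
    cavity = infect_cavity(host, b"CAVITYBOD")
    clobbered = overwrite_host(host, b"PAYLOAD!")
    return {
        "appending_detected": not is_intact(appended, rec),
        "appending_restored": restore(appended, rec) == host,
        "cavity_same_length": len(cavity) == len(host),
        "cavity_detected": not is_intact(cavity, rec),
        "cavity_restored": restore(cavity, rec) == host,
        "overwriter_detected": not is_intact(clobbered, rec),
        "overwriter_restored": restore(clobbered, rec) is not None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The appending and cavity cases come back byte-identical to the host because the record holds the only original bytes the infector had to change; the overwriter case is still flagged by the hash, but `restore` refuses it because no copy of the clobbered code exists anywhere. Accepting a candidate only on a full hash match is the check a practitioner would insist on: a restorer that rewrote the header and truncated without verifying would happily produce a corrupt binary.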

these days a threat can go from theoretical to 'practical' in a matter of minutes...

and there have already been data diddlers in the past so i really don't think it's too unlikely that there will be more in the future...

integrity master is an integrity checker with anti-viral applications... it does (did) have a few small features specific to virus detection, but they are not the primary features of the software...

you may not like the way integrity master was designed, but it's not your product and the developer doesn't answer to you...

not "should", "would"... and you described exactly that condition above with "if all that I could use was Stiller's Integrity Master"... that's an entirely arbitrary and artificial circumstance...

but perhaps this is yet another point at which we diverge - as you seem to think a producer should try to provide all the parts to the virus prevention puzzle instead of just doing one thing really well... some of us actually think mixing and matching to get the best performance out of the various technologies available is a good strategy...

[snip]

i'm not demanding anything... you described what you could (or rather couldn't) do, i described what i could do

it's sophistication for the masses to only care about what the anti-virus media machine tells them to care about? or is it the anti-virus media machine itself that represents the non-existent sophistication?

and corporations are somehow magically easier to dupe into believing the sophos propaganda? sorry, but corporations are run by the same sorts of people that are in the consumer market, they make their decisions in much the same ways except that they choose between corporate products instead of home-user products (usually)... the waving of hands and saying they stuck to the corporate market doesn't explain *why* people choose them over the alternatives when the alternatives offer something they don't...

[snip]

yours is the only definition i've seen that requires the original host's functionality be left intact... why i, or anyone else, should choose to use your definition over that of, say fred cohen, is beyond me (except from a producer's point of view i suppose it makes the virus problem statement easier to cope with when the definition of virus is changed to exclude the problem areas)...

-- kurt wismer
