[Dshield] MyDoom-A/B

jayjwa jayjwa at atr2.ath.cx
Wed Feb 4 00:41:15 GMT 2004

On Tue, 3 Feb 2004, Lauro, John wrote:

> > To my knowledge, no virus has yet to successfully receive instructions from
> > another virus designed to allow that virus to better spread. Viruses, for
> > all their mystery, are only programs, not living, reasoning things. While
> > it may be technically possible for a virus to search out its environment
> > and interact with another virus already installed (or even rootkit?)
> > there to further its own infections, this approach to replication would
> > involve significant amounts of AI, and in doing so would result in a very
> > large and unwieldy virus better suited for POC code than an actual,
> > in-the-wild intended virus.
>
> It doesn't take much for a virus to leave a backdoor open ready to
> receive commands.  Often rooted boxes have their machines tie into IRC
> ready to listen to commands, just being zombies in wait.  There really
> isn't anything that magical about it, or requiring anything as
> complicated as requiring significant amounts of AI, or even for one
> virus to replace another virus with itself.

This is not one virus interacting with another, which is more what I was
getting at. The above example is Virus A places a backdoor on host. Period.
That's the last that Virus A knows about the situation. But... if Virus A
didn't have the ability to backdoor hosts, but rather sought out MyDoomA
because MyDoomA (or another virus w/ BD ability) _has_ backdooring code,
at which time Virus A acquired the code from the other virus to further
enhance itself. This would be an example of reasoning because: 1) Virus A
came to the conclusion that it was lacking a BD component, and thus was
possibly not meeting its creator's intended goals (assuming this was
originally a goal of the virus's creator), 2) knew of a target system
which may be able to satisfy its request, 3) was able to interact
with the target to produce beneficial results for Virus A (itself).
This is the kind of activity that I was referring to, not simply a virus
compromising a system to the point of it being more easily exploitable in
the future by any other malicious entity.

