Thread: Ping FTR: Mebromi BIOS Virus Out in the Wild

  1. #1
    ~BD~ Guest

    Re: Ping FTR: Mebromi BIOS Virus Out in the Wild

    FromTheRafters wrote:
    > "Dustin"<bughunter.dustin@gmail.com> wrote in message
    > news:Xns9F79E70342F2FHHI2948AJD832@no...
    >> "FromTheRafters"<erratic.howard@gmail.com> wrote in
    >> news:j6td40$86m$1@dont-email.me:
    >>
    >>> LoJack for Laptops comes closer to being a virus than does Mebromi.

    >>
    >> They're about the same. The same technology. However, at least with
    >> lojack they have bios vendor support and cooperation so aren't reduced
    >> to including 3rd party utility to flash one style of BIOS only.

    >
    > I was looking at it more from a computer science angle. If the persistence
    > module contains the modified MBR code (and overwrites the MBR if it is
    > found to be unmodified), and the MBR supports the agent, and the agent
    > (perhaps through a network resource) can detect that the BIOS has been
    > unmodified (flashed without the LoJack code) and it can reflash the BIOS,
    > it appears to me that it qualifies as a virus.
    >
    > The computer science virus definition makes no restriction on how the
    > process plays out, only the result is important. Mebromi doesn't have
    > that two-way guardian aspect - it only flashes the BIOS during the
    > installation and it is thereafter un-guarded. So Lojack comes closer,
    > and in fact may even qualify as a virus.
    >
    >> Mebromi is a compilation of tools and a bit of coding, but generally
    >> trojan.. asshat level work.
    >>
    >>> I think that soon there will be a virus that infects the BIOS and
    >>> have always thought so, but it may not behave like your typical
    >>> malware virus.

    >>
    >> I would be inclined to agree. However, the viral code must replicate.
    >> Persistence alone doesn't qualify.

    >
    > Right, but do you see where I'm coming from where viral code is the
    > means for the implementation of the persistence? Two "programs"
    > (BIOS routine, MBR/code in partition gaps/agent/network) that
    > are basically looking for infection markers and re-infecting if found
    > missing. The only thing missing is the obvious spreading (lack of
    > sneakernet vector for BIOS and hard drives) which isn't really a
    > requirement for a virus in the comp-sci arena - it is only required
    > that it doesn't overwrite its parent.
    >
    >>> Those security specialists should explain to me how Mebromi
    >>> qualifies as a virus. While it is a PE file infector, I don't see
    >>> any recursive replication
    >>> going on overall. Before any discussion with them, I'd have to
    >>> ascertain whether or not they subscribe to the "all worms are
    >>> viruses" idea - and *then* ask them to explain how Mebromi even
    >>> qualifies as a worm once that idea is dispensed with.

    >>
    >> It's not a file infector.

    >
    > It's not a file infecting virus, but it does infect PE files according to the
    > write-up. The infection is not aimed at replication, but is only a means
    > of attaching to the startup axis without using the registry I think.
    >
    >> The modified files will not "spread" code to
    >> other files. It's modifying two PE files to ensure it gets an
    >> opportunity to startup another module included with it.

    >
    > Yes, so I take it you refuse to adopt the idea that "infection" can be used
    > to mean that particular type of file modification even if it is not viral?
    >
    > That's okay, as long as I remember your take on it.
    >
    > BTW, I found this about droppers, it appears that I have used older
    > terminology than you have on this one.
    >
    > "A Dropper is a standalone program that drops a virus to a system.
    > Usually a dropper for a file virus is a very small program (a few bytes)
    > infected by a virus.
    >
    > A dropper for a boot virus is usually a program that writes the image
    > of a boot sector virus stored inside it to a hard or floppy drive.
    >
    > Virus droppers are no longer widespread as malware with the same
    > capabilities integrated are becoming more common. Malicious
    > programs with dropper-like capabilities are now identified as
    > Trojan-Droppers.."
    >
    > http://www.f-secure.com/v-descs/other_w32_dropper.shtml
    >
    > and this
    > "A DROPPER is a program that has been designed or modified to "install" a
    > virus onto the target system. The virus code is usually contained in a
    > dropper in such a way that it won't be detected by virus scanners that
    > normally detect that virus (i.e., the dropper program is not *infected*
    > with the virus). While quite uncommon, a few droppers have been
    > discovered. A dropper is effectively a Trojan Horse (see B3) whose
    > payload is installing a virus infection. A dropper which installs a
    > virus only in memory (without infecting anything on the disk) is
    > sometimes called an "injector"."
    >
    > http://stason.org/TULARC/security/co...ter-virus.html
    >
    > They seem to agree with my view that a zeroth iteration virus is actually a
    > dropper.
    >
    > Unfortunately, these two are opposed on the idea that a virally "infected" file
    > is a dropper.
    >
    > [...]


    You are *SO* clever! :-)
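    The "two-way guardian" persistence FromTheRafters describes above (a BIOS routine that rewrites the MBR when its marker is missing, and an MBR-launched agent that reflashes the BIOS when *its* marker is missing) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the thread, from LoJack, or from the Mebromi sample. The marker bytes, image sizes and offsets are constructed for illustration; the `two_way` switch models the contrast drawn in the thread between a guarded BIOS (LoJack) and a BIOS that is flashed once at install time and never guarded again (Mebromi, per the write-up quoted there).

```c
/* Added example (not from the thread): toy model of mutual BIOS<->MBR
 * re-infection. Markers, sizes and offsets are constructed, not real values. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BIOS_SIZE 256
#define MBR_SIZE  512
#define MARK_LEN  4

/* Constructed infection markers each guardian looks for in its partner. */
static const uint8_t BIOS_MARK[MARK_LEN] = { 'B', 'M', 'O', 'D' };
static const uint8_t MBR_MARK[MARK_LEN]  = { 'M', 'A', 'G', 'T' };

struct machine {
    uint8_t bios[BIOS_SIZE];  /* firmware flash; marker assumed at offset 0 */
    uint8_t mbr[MBR_SIZE];    /* sector 0; marker at offset 0, 0x55AA at the end */
};

/* Vendor firmware and a stock MBR: no markers anywhere. */
static void make_clean(struct machine *m) {
    memset(m, 0, sizeof *m);
    m->mbr[510] = 0x55; m->mbr[511] = 0xAA;   /* boot signature */
}

static int bios_infected(const struct machine *m) { return memcmp(m->bios, BIOS_MARK, MARK_LEN) == 0; }
static int mbr_infected(const struct machine *m)  { return memcmp(m->mbr,  MBR_MARK,  MARK_LEN) == 0; }

/* Each component carries an image of its partner and can write it back. */
static void write_hostile_bios(struct machine *m) { memcpy(m->bios, BIOS_MARK, MARK_LEN); }
static void write_hostile_mbr(struct machine *m)  { memcpy(m->mbr,  MBR_MARK,  MARK_LEN); }

/* BIOS routine, runs at every power-on: restore the MBR if its marker is gone.
 * Returns 1 if it repaired anything. */
static int bios_guardian(struct machine *m) {
    if (!bios_infected(m)) return 0;            /* clean firmware has no such routine */
    if (!mbr_infected(m)) { write_hostile_mbr(m); return 1; }
    return 0;
}

/* Agent chained from the hostile MBR: reflash the firmware if its marker is gone.
 * With two_way == 0 the agent never guards the BIOS (install-time flash only). */
static int agent_guardian(struct machine *m, int two_way) {
    if (!mbr_infected(m)) return 0;             /* stock MBR never launches the agent */
    if (two_way && !bios_infected(m)) { write_hostile_bios(m); return 1; }
    return 0;
}

/* One boot cycle: firmware runs first, then whatever the MBR chains to.
 * Returns the number of repairs made during the boot. */
static int boot(struct machine *m, int two_way) {
    int repairs = bios_guardian(m);
    repairs += agent_guardian(m, two_way);
    return repairs;
}

/* Dropper: flash the BIOS and write the MBR once at install time. */
static void install(struct machine *m) { write_hostile_bios(m); write_hostile_mbr(m); }

/* Scenario: infect, wipe the chosen component(s), boot once.
 * Returns 1 if both components are infected again after that boot, else 0. */
static int wipe_and_boot(int wipe_bios, int wipe_mbr, int two_way) {
    struct machine m;
    make_clean(&m);
    install(&m);
    if (wipe_bios) memset(m.bios, 0, BIOS_SIZE);          /* reflash vendor image */
    if (wipe_mbr)  { memset(m.mbr, 0, MBR_SIZE);           /* rewrite a stock MBR */
                     m.mbr[510] = 0x55; m.mbr[511] = 0xAA; }
    boot(&m, two_way);
    return bios_infected(&m) && mbr_infected(&m);
}

int main(void) {
    printf("two-way: reflash BIOS only     -> %s\n", wipe_and_boot(1, 0, 1) ? "reinfected" : "clean");
    printf("two-way: rewrite MBR only      -> %s\n", wipe_and_boot(0, 1, 1) ? "reinfected" : "clean");
    printf("two-way: both, before any boot -> %s\n", wipe_and_boot(1, 1, 1) ? "reinfected" : "clean");
    printf("one-way: reflash BIOS only     -> %s\n", wipe_and_boot(1, 0, 0) ? "reinfected" : "clean");
    printf("one-way: rewrite MBR only      -> %s\n", wipe_and_boot(0, 1, 0) ? "reinfected" : "clean");
    return 0;
}
```

The practical point the model makes is about remediation order: with two guardians, reflashing the firmware and rewriting the MBR each fail on their own, because the surviving partner restores the other on the next boot, so both have to be cleaned within a single power cycle (or with the disk detached). With the one-way variant, reflashing the firmware alone is enough to break the loop, since nothing on disk is able to put it back.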



  2. #2
    Aardvark Guest

    Re: Ping FTR: Mebromi BIOS Virus Out in the Wild

    On Wed, 12 Oct 2011 20:04:58 +0100, ~BD~ grovelled to FromTheRafters:

    > You are *SO* clever!


    You are *SUCH* a brown-nosing ****.



    --
    America is the only country that went from barbarism to decadence without
    civilization in between. - Oscar Wilde
