RE: [Asrg] Viruses

Barry Shein <bzs@world.std.com> Tue, 01 July 2003 17:49 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA09133 for <asrg-archive@odin.ietf.org>; Tue, 1 Jul 2003 13:49:14 -0400 (EDT)
Received: (from exim@localhost) by www1.ietf.org (8.11.6/8.11.6) id h5PNRAu04682 for asrg-archive@odin.ietf.org; Wed, 25 Jun 2003 19:27:10 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19VJfS-0001DR-Ro for asrg-web-archive@optimus.ietf.org; Wed, 25 Jun 2003 19:27:10 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA11185; Wed, 25 Jun 2003 19:27:06 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19VJfQ-0002AU-00; Wed, 25 Jun 2003 19:27:09 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19VJfL-0002AO-00; Wed, 25 Jun 2003 19:27:03 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19VJfJ-00017Q-CU; Wed, 25 Jun 2003 19:27:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19VJeM-00013q-W9 for asrg@optimus.ietf.org; Wed, 25 Jun 2003 19:26:03 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA10948 for <asrg@ietf.org>; Wed, 25 Jun 2003 19:21:30 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19VJa0-00026o-00 for asrg@ietf.org; Wed, 25 Jun 2003 19:21:32 -0400
Received: from pcls2.std.com ([199.172.62.104] helo=TheWorld.com) by ietf-mx with esmtp (Exim 4.12) id 19VJZp-00026l-00 for asrg@ietf.org; Wed, 25 Jun 2003 19:21:21 -0400
Received: from world.std.com (root@world-f.std.com [199.172.62.5]) by TheWorld.com (8.12.8p1/8.12.8) with ESMTP id h5PNLG87009996 for <asrg@ietf.org>; Wed, 25 Jun 2003 19:21:16 -0400
Received: (from bzs@localhost) by world.std.com (8.9.3/8.9.3) id TAA17728; Wed, 25 Jun 2003 19:21:16 -0400 (EDT)
From: Barry Shein <bzs@world.std.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <16122.11883.895518.586214@world.std.com>
To: asrg@ietf.org
Subject: RE: [Asrg] Viruses
In-Reply-To: <2A1D4C86842EE14CA9BC80474919782E0D228C@mou1wnexm02.verisign.com>
References: <2A1D4C86842EE14CA9BC80474919782E0D228C@mou1wnexm02.verisign.com>
X-Mailer: VM 7.07 under Emacs 21.2.2
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Wed, 25 Jun 2003 19:21:15 -0400

On June 25, 2003 at 12:49 pbaker@verisign.com (Hallam-Baker, Phillip) wrote:
 > > I guess you can claim that if you dismiss any vulnerability
 > > as an "odd serious bug".

To my mind there's a difference between, say, a sendmail vulnerability
which is discovered and a patch issued within hours and a virus which
can infect Windows95/98/NT/XP/2000/ME and probably other versions
which are releases spanning several years. See:

  http://www.symantec.com/avcenter/venc/data/pf/backdoor.jeem.html

I realize you want to defend MS for some reason and just launch into
this sports-team bar babble retort like we're arguing about who was
the best pitcher.

But I maintain with complete professional objectivity that there are
serious flaws inherent in Windows OS design which allow a virus such
as Jeem to infect several generations of Windows OS at a deep, system
level. 

Jeem, as a case in point:

      Copies itself to the system directory

      Adds a new registry key causing it to auto-start on boot

and seems to do all this without any special system privileges.

Now, without invoking how "some other OS is worse in your opinion",
and accepting that this sort of thing (and exactly this also) seems to
be a major vector in the spam problem, tell me how this happens across
at least six major releases.

I mean I want to know what technical flaws it exploits and why those
flaws are present and available across all six OS releases (by "why" I
don't mean philosophical "why", I mean what purpose this flaw serves
or why it hasn't been fixed or has it?)

For example, is it a FEATURE of all mentioned windows OS's that any
non-privileged program can add new .EXE files to the system directory
and modify the registry such that those newly added programs autostart
on boot?

Or is it a BUG which was exploited? And if it's a BUG is it odd that
the same bug exists across all those releases, has it been known
previously, why hasn't it been fixed in, apparently, over 7 years
(Windows95 ... XP.)

Try to remain technical and on point, and please try to avoid
sophistry.

I really believe we are nearing the actual heart of the spam problem.


-- 
        -Barry Shein

Software Tool & Die    | bzs@TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
The World              | Public Access Internet     | Since 1989     *oo*

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
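The two capabilities the message above asks about (a non-privileged program dropping a file into the system directory and adding a Run key so it auto-starts) can be checked directly on a given Windows account. The script below is an added audit example, not code from the ASRG thread or from the Symantec write-up, and says nothing specific to Jeem: it probes whether the account running it can write to the system directory, whether it can write the standard Run/RunOnce keys, and lists what those keys already launch. It assumes PowerShell 5.1 or later on an NT-family Windows and should be run as an ordinary, non-elevated user to answer the question as posed; the registry paths are the documented Run/RunOnce locations, and the probe file and value names are arbitrary.

```powershell
# Added audit script (not part of the original mailing-list post).
# Checks, for the account it runs as, the two things a Jeem-style persistence
# mechanism needs:
#   1. write access to the system directory (to drop a new .EXE there), and
#   2. write access to the Run/RunOnce registry keys (to auto-start on boot/logon).
# Assumptions: Windows NT family with PowerShell 5.1+, run unelevated.
# The registry paths below are the standard auto-start locations.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-DirectoryWritable {
    param([string]$Path)
    # Create and immediately delete a zero-byte probe file (arbitrary name).
    # An access-denied error means this account cannot plant files here.
    $probe = Join-Path $Path ("probe-" + [guid]::NewGuid().ToString('N') + ".tmp")
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Test-RegistryKeyWritable {
    param([string]$Path)
    # Returns $null if the key does not exist, otherwise whether this account
    # can add a value to it (probe value is created and removed again).
    if (-not (Test-Path -Path $Path)) { return $null }
    $name = "probe-" + [guid]::NewGuid().ToString('N')
    try {
        New-ItemProperty -Path $Path -Name $name -Value 'probe' `
            -PropertyType String -ErrorAction Stop | Out-Null
        Remove-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-AutostartEntries {
    param([string]$Path)
    # Every value under a Run key is a command launched at logon/boot;
    # skip the PS* metadata properties PowerShell adds to the object.
    if (-not (Test-Path -Path $Path)) { return @() }
    $item = Get-ItemProperty -Path $Path
    $item.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object {
            [pscustomobject]@{ Key = $Path; Name = $_.Name; Command = $_.Value }
        }
}

$systemDir = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin   = (New-Object Security.Principal.WindowsPrincipal $identity).IsInRole(
                 [Security.Principal.WindowsBuiltInRole]::Administrator)

"Running as $($identity.Name) (elevated administrator: $isAdmin)"
"System directory $systemDir writable by this account: $(Test-DirectoryWritable $systemDir)"
""
"Auto-start (Run/RunOnce) keys:"
foreach ($key in $runKeys) {
    $writable = Test-RegistryKeyWritable $key
    $state = if ($null -eq $writable) { 'absent' } else { "writable: $writable" }
    "  $key  ($state)"
    Get-AutostartEntries $key | ForEach-Object {
        "      $($_.Name) = $($_.Command)"
    }
}
```

Two results are worth reading together. The HKCU Run key is, by design, writable by the user it belongs to, so any program running as that user can register itself to start at the next logon without any privilege at all; only the HKLM keys and the system directory are protected by ACLs, and only on the NT family (Windows 95/98/ME have no file or registry access control to enforce). On an NT-family system the system-directory and HKLM probes will also succeed whenever the account is a member of Administrators, which is what the script's "elevated administrator" line is there to make explicit.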