
eEye and malware?

January 7th, 2008

First off... I wasn't dead... I took some holidays around Christmas and went up north to visit the family... Two weeks and I spent less than an hour in total touching a computer... it was great.

Anyways, I'm back and I looked at my Bloglines: well over 2000 articles to read... I skimmed a few but basically just ignored them all (in IT/IS, news really does change that quickly)...

One blog post that did catch my attention was Kurt Wismer's post over at Anti-Virus Rants.

Background: In 2005, two eEye researchers presented BootRoot, a PoC boot sector-based NDIS backdoor.  Much of this PoC code is now being seen in an 'in-the-wild' attack.

So Kurt dislikes the fact that the eEye team released a PoC... apparently it is irresponsible and fundamentally wrong. I have to say I fully disagree with Kurt. The PoC has been modified, which means the individual knew what they were doing to some extent and simply reused code... on top of this, the research was published over 2 years ago... in 2 years, someone should have been able to develop a defense against this... instead people chose to ignore it.

I have to ask you this Kurt... How do you feel about the following:

All of the above either release proof of concepts, or discuss them... Are you against all of these as well? Should we boycott OWASP because they have PoC demos of various web-based attacks? Should we ignore the legit uses of Metasploit because of the malicious users?

Take a look at the talks given at BlackHat 2005. A large number of them contain information that, at the time, could give attackers the upper hand... So why pick on eEye, two years after the fact... just because someone decided to reuse some code from their PoC?


  1. January 8th, 2008 at 07:58 | #1

    a) this is the first mention i’ve seen of it being modified (perhaps i haven’t read the articles closely enough), but even so the fact that they armed the bad guys is beyond question… being modified doesn’t change where it originally came from…
    b) who says defenses weren’t developed? cross-view diff works on it, signatures were added to scanners ages ago, but none of that necessarily means it can’t still get into the wild – unfortunately malware just isn’t that cut and dried (or were you perhaps thinking that after 20+ years someone should have figured out how to make boot sector malware impossible?)

    as for most of the rest of your arguments, if we were talking about an exploit your arguments would have some weight, but we’re talking about malware… please tell me you can distinguish between malware research issues and vulnerability research issues…

    i’ve said it before and i’ll say it again, people who are supposed to be anti-X shouldn’t go around making new Xes… regardless of the intentions, it contributes to the problem, and making them freely downloadable by anyone compounds that effect…

    and the reason i’m picking on them now is because i became aware of it now… if i’d been aware of it in 2005 i would have said something then and then when i said they were arming the bad guys it would have seemed far fetched and hypothetical instead of patently obvious as it now is…

  2. January 8th, 2008 at 15:50 | #2

    just to confirm, you’re right about this being a modification of the original bootroot… it wasn’t all that clear in the prevx blog post and i didn’t bother reading the gmer page at first because the prevx page was plenty detailed already but the gmer page does make it clear that it’s a modified version of bootroot and there have been a few additional blog posts that also make it clear that it’s a modification of bootroot…

    that said, i stand by the rest of what i said, including the part about eeye arming the bad guys… it doesn’t matter that the bad guys may have figured out how to do it on their own eventually, eeye could and should have done more to make sure they had no part in helping the bad guys…
