I have been getting a lot of flames and veiled threats from individuals and "virus researchers" for posting the code yesterday. There seems to be a lot of misinformation going around, so I wanted to clarify the situation. These people are all producing the same arguments:

1. "Posting the source allows someone to know how to write a Macro virus"

Yes, and any one of the 100,000 or more people who got the virus the other day can buy VB and do File->Open and see the source. Repeat after me: "Word macros are INTERPRETED". All symbol information is present. No decompilation necessary.

2. "By reformatting the source, you have created a new variant"

What? Your virus scanner could be thwarted by adding whitespace? Someone has a problem, but it isn't me. Perhaps you'd best learn from the sandbox mechanisms of Java or virus scanners like F-PROT. A virus is not a virus because it has the string "By 3le3t3 DudEZ" followed by three tabs. It is a virus because it does things like update Normal.dot. Repeat after me: "Pattern matching alone does not a virus scanner make". Just as in the recent thread about security scanners doing version-checking instead of exploiting a hole, the best answer is to use a combination of techniques to identify flaws or malicious code and then notify the user of any uncertainties in the detection mechanism.

A perfect parallel to this is the Internet worm. We were reminded of that time as we paused the Exchange SMTP service to keep the program from spreading. Also, it was important to quickly analyze the program, making sure it did nothing malicious like mailing a person's files to another location. After doing this, I believed the code itself would help others do the same if they needed to. An important note is that the Symantec and McAfee web pages describing the virus both left out important information (for instance, avertlabs.com neglected to mention the active document and Normal.dot file infection).

If I had made any mistakes in my analysis, another could have determined this for himself. A good reference is the paper "With Microscope and Tweezers, An Analysis of the Internet Worm" by Mark Eichin and Jon Rochlis. It can be found at:

http://www.mit.edu:8001/people/eichin/www/virus/main.html

In short, this is the same full disclosure vs. security through obscurity debate. Make your own decision what is appropriate; my mind has been made up in regard to this for at least a decade.

Viruses tend to be uninventive and boring. This one was extremely unsophisticated, exploited no new holes, and required user carelessness to spread. I only got involved because I had to help fend off the nuisance Friday. I hope everyone found the postings useful and will demand better virus protection than string matching from their virus scanner vendor, as well as request that Microsoft add more virus prevention than "enable macros? yes/no" and disallow macros from doing things like sending mail or writing to files without notice to the user.

-Nate
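The "whitespace defeats the scanner" point above, as an added example that is not part of Nate's post and not code from any scanner vendor: a byte-exact signature scan is compared with a scan that first tokenises the macro text (dropping comments and whitespace, folding case, since VBA is case-insensitive) and then looks for the behaviours that actually make a macro a virus, reporting how certain each finding is. The macro text is constructed for the illustration and is not the real virus; the behaviour list, the certainty levels and the `verdict` threshold are assumptions chosen for the demo, and the tokeniser handles only `'` comments (not `Rem` or `_` line continuations).

```python
import re

# Constructed sample macro (illustration only, not the real virus): a marker
# string in a comment, a copy of its own code into the global template
# (Normal.dot), and automation of the mail client.
SAMPLE_MACRO = (
    "Private Sub Document_Open()\n"
    "    ' By 3le3t3 DudEZ\t\t\t\n"
    "    Set Src = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule\n"
    "    Set Dst = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule\n"
    "    Dst.InsertLines 1, Src.Lines(1, Src.CountOfLines)\n"
    "    Set App = CreateObject(\"Outlook.Application\")\n"
    "    Set Msg = App.CreateItem(0)\n"
    "    Msg.Send\n"
    "End Sub\n"
)

# Constructed benign macro: formatting only, touches no template or mail API.
BENIGN_MACRO = (
    "Sub Tidy()\n"
    "    ' by the office admin\n"
    "    Selection.Font.Bold = True\n"
    "End Sub\n"
)

# The byte pattern a string-matching scanner might key on (marker + three tabs).
SIGNATURE = "By 3le3t3 DudEZ\t\t\t"


def signature_scan(src):
    """Pure string matching: the approach the post criticises."""
    return SIGNATURE in src


def reformat_variant(src):
    """The 'new variant': same statements, different comment, different
    indentation and line endings. Semantically the identical macro."""
    out = []
    for line in src.splitlines():
        line = line.strip()
        if line.startswith("'"):
            line = "'  greetings"        # marker comment replaced
        out.append("\t" + line)
    return "\r\n".join(out) + "\r\n"


# string literal | ' comment | identifier | number | any other single char
TOKEN_RE = re.compile(r'''"[^"]*"|'[^\n]*|[A-Za-z_]\w*|\d+|\S''')


def normalize(src):
    """Tokenise, drop comments and whitespace, fold case (VBA identifiers are
    case-insensitive) so cosmetic edits no longer change the result."""
    return " ".join(t.lower() for t in TOKEN_RE.findall(src)
                    if not t.startswith("'"))


# Illustrative behaviour heuristics over the normalised token stream
# (assumed list; a real scanner would carry many more, with emulation).
BEHAVIOURS = [
    ("touches the code of the global template (Normal.dot)",
     r"\bnormaltemplate \. vbproject\b", "high"),
    ("modifies a VBA code module at run time",
     r"\. (insertlines|addfromstring|replaceline)\b", "high"),
    ("reads its own source (self-replication)",
     r"\b(activedocument|thisdocument) \. vbproject .*? \. codemodule\b", "medium"),
    ("automates the mail client",
     r'createobject \( "outlook\.application" \)', "high"),
    ("sends mail without user interaction", r"\. send\b", "low"),
]


def behaviour_scan(src):
    """Report what the macro does and how sure we are, as (name, certainty)."""
    norm = normalize(src)
    return [(name, cert) for name, pat, cert in BEHAVIOURS if re.search(pat, norm)]


def verdict(src):
    """Combine techniques and surface the uncertainty to the user:
    'malicious' needs two high-certainty behaviours, anything else that
    matched is 'suspicious' with the findings attached for review."""
    findings = behaviour_scan(src)
    high = sum(1 for _, cert in findings if cert == "high")
    if high >= 2:
        label = "malicious"
    elif findings:
        label = "suspicious: review the listed behaviours"
    else:
        label = "clean"
    return label, findings


if __name__ == "__main__":
    variant = reformat_variant(SAMPLE_MACRO)
    print("signature, original:", signature_scan(SAMPLE_MACRO))
    print("signature, variant :", signature_scan(variant))
    print("same once normalised:", normalize(SAMPLE_MACRO) == normalize(variant))
    for label, src in (("original", SAMPLE_MACRO), ("variant", variant),
                       ("benign", BENIGN_MACRO)):
        print(label, "->", verdict(src))
```

Run as-is: the signature scan flags the original and misses the reformatted copy, while both normalise to the same token string and get the same behavioural verdict; the benign macro comes back clean. The certainty on each finding is the "notify the user of any uncertainties" part of the post, and the decision threshold is deliberately a policy knob rather than a hidden constant.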
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:40:45 PDT