Duane Nickull wrote:

> While this is possible, I would argue that it is illogical to write a
> virus that way.

It has its strengths and weaknesses. The strength is that it lets the malicious payload be much larger than whatever little window the exploit has to squeeze through. The weakness is, as you say, it announces the incoming attack so that methods such as Jimmy's AV product can block it.

It is being discussed because (as Jimmy related it) the Blaster worm used this 2-step approach. Conversely, the Slammer/Sapphire worm was a single step, notably doing all of its exploiting and damage in a single UDP datagram of a few hundred bytes.

I don't know if AV products have a chance at stopping single-stage worms. I doubt it, but Jimmy is correct when he says I shouldn't talk about that which I don't know, so I'll let him address that question.

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Chief Scientist, Immunix http://immunix.com
http://www.immunix.com/shop/
This archive was generated by hypermail 2b30 : Mon Oct 06 2003 - 22:39:24 PDT