What to do with a vulnerability?

From: Oliver Lavery (oliver.laveryat_private)
Date: Thu Jan 16 2003 - 11:39:33 PST

    Hello all,
    
    	I believe that I have come up with a new and perhaps more effective
    way of creating stealth virii / trojans on Win32. Let's assume
    hypothetically that I'm not some loon, and actually have an original and
    workable idea.
    
    	Without divulging a dangerous level of information, I will back up
    my claim by saying that while working on something unrelated, I realised
    that the AppInit_DLLs hook on WinNT platforms is only beginning to be
    exploited to its full potential (I know ElKern uses this hook, sort of).
    The potential implication of my idea, I think, is that usermode processes
    would have a much harder time detecting my stealth code.
    
    	I was wondering what the general consensus is on what should
    ethically be done with information of the sort. The options seem to be:
    
    1) Forget about it.
    
    2) Develop a proof of concept and release it to select people.
    
    3) Develop a proof of concept and release it publicly.
    
    
    	The first option seems sensible, but my 'xploit was culled from
    publicly available information, so I imagine it's only a matter of time
    until one of the many black-hat sorts in the world figures it out (many of
    them are clearly much more clever than I even aspire to be). This wouldn't
    be a calamity exactly, but I rather like the idea of helping to prevent a
    slew of nastier trojans and worms than the current generation.
    
    	The second option seems sensible, but public disclosure means
    publishing to the good guys and the bad guys at the same time. There's
    obviously something a bit inherently irresponsible about this, it seems. I
    can understand the NTBugtraq people needing to force Microsoft's hand in
    publishing patches, but when it comes to virii and trojans, the issue seems
    a little different.
    
    	Which leaves the third option sounding best. The problem here is how
    one equitably chooses who to release information to. Not to jump to
    conclusions, but if a workable exploit can be fixed by a vendor, that vendor
    gains a marginal advantage over his competitors. I don't know if the A/V
    community behaves this way, the SARC and various other virus databases seem
    to indicate otherwise. Still, the A/V companies have always given me the
    willies, what with faux scares like Michelangelo and the whole for-profit
    thing.
    
    	Any suggestions about what the best way to handle potentially
    hazardous thoughts is?
    
    Cheers,
    ~ol
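The check a defender would want next to this post, added here as an example and not code from the original message: a PowerShell inventory of what is registered under AppInit_DLLs on a current Windows box. The two registry keys and the LoadAppInit_DLLs value are the documented Windows locations (the Wow6432Node key only exists on 64-bit systems, LoadAppInit_DLLs only from Vista onward); the "suspicious" heuristics and the Secure Boot check are this example's own assumptions about what is worth a second look.

```powershell
# Added example, not code from the original post. Lists every DLL named in
# the AppInit_DLLs registry values and flags entries a defender would want
# to inspect. Registry paths and value names are the documented Windows
# locations; the "Suspicious" heuristic is an assumption made for this example.

$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',             # native view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view on x64
)

function Get-AppInitDllInventory {
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path -Path $key)) { continue }   # Wow6432Node is absent on 32-bit Windows
        $props   = Get-ItemProperty -Path $key
        $enabled = $props.LoadAppInit_DLLs              # Vista+ gate (1 = on); $null on older systems
        $raw     = [string]$props.AppInit_DLLs

        if ([string]::IsNullOrWhiteSpace($raw)) {
            [pscustomobject]@{ Key = $key; LoadEnabled = $enabled; Entry = '(empty)'
                               Resolved = $null; Signature = $null; Suspicious = $false }
            continue
        }

        # The value is a space- or comma-separated list; entries may be bare
        # file names (found through the loader search path) or full paths.
        foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
            if ([System.IO.Path]::IsPathRooted($entry)) {
                $resolved = $entry
            } else {
                # Assumption: a bare name is most often meant for System32.
                $resolved = Join-Path -Path "$env:SystemRoot\System32" -ChildPath $entry
            }
            $exists = Test-Path -Path $resolved -PathType Leaf
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $resolved).Status } else { 'FileMissing' }

            # Heuristic (assumption for this example): anything outside %SystemRoot%,
            # unsigned, or pointing at a file that no longer exists deserves a look.
            $suspicious = (-not $exists) -or
                          ($sig -ne 'Valid') -or
                          (-not $resolved.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase))

            [pscustomobject]@{
                Key         = $key
                LoadEnabled = $enabled
                Entry       = $entry
                Resolved    = $resolved
                Signature   = $sig
                Suspicious  = $suspicious
            }
        }
    }
}

function Test-AppInitDisabledBySecureBoot {
    # Since Windows 8 the AppInit_DLLs mechanism is ignored entirely when
    # Secure Boot is on, so a populated value is not necessarily ever loaded.
    # Confirm-SecureBootUEFI throws on legacy BIOS or without elevation;
    # treat that as "not known to be disabled".
    try { Confirm-SecureBootUEFI } catch { $false }
}

Get-AppInitDllInventory | Format-Table -AutoSize
if (Test-AppInitDisabledBySecureBoot) {
    Write-Host 'Secure Boot is on: the AppInit_DLLs entries above are not loaded by the OS.'
}
```

Run it from an elevated prompt so the Secure Boot query works. A "Suspicious" row is a starting point, not a verdict: a legitimately installed product can drop a signed DLL outside the Windows directory, and a bare name that resolves nowhere under System32 may still be found through the loader search path, which is exactly the ambiguity the post is hinting at.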
    



    This archive was generated by hypermail 2b30 : Fri Jan 17 2003 - 12:51:38 PST