Re: What to do with a vulnerability?

From: Filip de Waard (dewaard@zen-interactive.nl)
Date: Fri Jan 17 2003 - 13:22:04 PST


    Oliver,
    This is a decision you have to make on your own, and I think you should
    be capable of doing so.
    
    There are many different opinions on this subject, but IMHO full
    disclosure is always the best option. There are many stories about bugs
    reported to Microsoft that weren't fixed or about white hat hackers who
    are treated disrespectfully by Microsoft.
    
    Personally I've chosen the Linux path a long while ago, so
    vulnerabilities in Microsoft code won't affect me. But for the average
    consumer of Windows full disclosure is the best option, because only
    then Microsoft will be forced to release a patch.
    
    Some links:
    http://www.internetnews.com/dev-news/article.php/1437841
    http://online.securityfocus.com/news/238
    
    You should try to find out if there are any legal risks before
    publishing anything! I'm not a citizen of the US, so I don't have much
    knowledge about US law, but I remember the Adobe incident with that
    unfortunate Russian hacker and one can't be too careful.
    
    Good luck,
    
    Filip de Waard
    
    On Thu, 2003-01-16 at 20:39, Oliver Lavery wrote:
    > Hello all,
    > 
    > 	I believe that I have come up with a new and perhaps more effective
    > way of creating stealth virii / trojans on Win32. Let's assume
    > hypothetically that I'm not some loon, and actually have an original and
    > workable idea.
    > 
    > 	Without divulging a dangerous level of information, I will back up
    > my claim by saying that while working on something unrelated, I realised
    > that the AppInit_DLLs hook on WinNT platforms is only beginning to be
    > exploited to its full potential (I know ElKern uses this hook, sort of).
    > The potential implication of my idea, I think, is that usermode processes
    > would have a much harder time detecting my stealth code.
    > 
    > 	I was wondering what the general consensus is on what should
    > ethically be done with information of the sort. The options seem to be:
    > 
    > 1) Forget about it.
    > 
    > 2) Develop a proof of concept and release it to select people.
    > 
    > 3) Develop a proof of concept and release it publicly.
    > 
    > 
    > 	The first option seems sensible, but my 'xploit was culled from
    > publicly available information, so I imagine it's only a matter of time
    > until one of the many black-hat sorts in the world figures it out (many of
    > them are clearly much more clever than I even aspire to be). This wouldn't
    > be a calamity exactly, but I rather like the idea of helping to prevent a
    > slew of nastier trojans and worms than the current generation.
    > 
    > 	The second option seems sensible, but public disclosure means
    > publishing to the good guys and the bad guys at the same time. There's
    > obviously something a bit inherently irresponsible about this, it seems. I
    > can understand the NTBugtraq people needing to force Microsoft's hand in
    > publishing patches, but when it comes to virii and trojans, the issue seems
    > a little different.
    > 
    > 	Which leaves the third option sounding best. The problem here is how
    > one equitably chooses who to release information to. Not to jump to
    > conclusions, but if a workable exploit can be fixed by a vendor, that vendor
    > gains a marginal advantage over his competitors. I don't know if the A/V
    > community behaves this way, the SARC and various other virus databases seem
    > to indicate otherwise. Still, the A/V companies have always given me the
    > willies, what with faux scares like Michelangelo and the whole for-profit
    > thing.
    > 
    > 	Any suggestions about what the best way to handle potentially
    > hazardous thoughts is?
    > 
    > Cheers,
    > ~ol
    > 
    
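Editor's note, not part of either message above: the hook Oliver refers to is the AppInit_DLLs registry value, which user32.dll reads at process start so that every DLL listed there is loaded into every process that links user32. That is exactly what makes it attractive for in-process stealth code, and it is also why the value is one of the first things to audit on a suspect NT box. The script below is an added example, not code from the thread or from Microsoft; it reads the real AppInit_DLLs, LoadAppInit_DLLs and RequireSignedAppInit_DLLs values (the latter two exist only on Vista and Windows 7 onwards and come back empty on older systems), expands each listed DLL, and reports whether it is present and Authenticode-signed. The function name Get-AppInitDlls is this example's own.

```powershell
# Added example: audit the AppInit_DLLs hook discussed in the thread.
# Run from an elevated prompt so both the native and the Wow6432Node views are readable.
# Caveat: an entry given as a bare file name is resolved by the normal DLL search order
# at load time, so "Exists = False" here does not prove it is not being loaded.
function Get-AppInitDlls {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )

    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key

        $dlls      = $props.AppInit_DLLs
        $load      = $props.LoadAppInit_DLLs           # 1 = hook honoured (Vista+; absent on NT4/2000/XP)
        $reqSigned = $props.RequireSignedAppInit_DLLs  # 1 = only signed DLLs loaded (Windows 7+)

        if ([string]::IsNullOrWhiteSpace($dlls)) {
            [PSCustomObject]@{
                Key                       = $key
                LoadAppInit_DLLs          = $load
                RequireSignedAppInit_DLLs = $reqSigned
                Entry                     = '<empty>'
                Exists                    = $null
                Signature                 = $null
            }
            continue
        }

        # The value is a space- or comma-separated list of DLL paths.
        foreach ($entry in ($dlls -split '[ ,]+' | Where-Object { $_ })) {
            $path   = [Environment]::ExpandEnvironmentVariables($entry)
            $exists = Test-Path -LiteralPath $path
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }

            [PSCustomObject]@{
                Key                       = $key
                LoadAppInit_DLLs          = $load
                RequireSignedAppInit_DLLs = $reqSigned
                Entry                     = $entry
                Exists                    = $exists
                Signature                 = $sig
            }
        }
    }
}

Get-AppInitDlls | Format-Table -AutoSize
```

A non-empty AppInit_DLLs value on a workstation that has no legitimate reason for one (some accessibility and input-method software does use it) is worth a closer look, and an unsigned or non-existent entry even more so. On Windows 8 and later the hook is disabled entirely when Secure Boot is on, so an empty result there says less than it does on the NT-era systems the thread is about.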



    This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 19:04:58 PST