Do you think I have a virus? Probably not.

[Dustin]

You are either very knowledgeable about viruses, or you're making this
shiite up.

It's the first one, actually. Google cavity infector and companion virus.

Do you have any references to this? Or is it based on your experience
as some sort of white hat uber-hacker?

See above...

 

[Peter]

Well I stand corrected--you are knowledgeable about viruses. But I
would imagine that a cavity infector would still fail a FastSum
checksum analysis, which looks at more than just the number of bytes.

***
True, but historically, with very simple checksum algorithms, some
viruses were able to use padding to match them.
http://csrc.nist.gov/publications/nistir/threats/subsubsection3_3_1_2.html
***

But then wouldn't the virus have to target specific programs with
'know' weak checksum algorithms?

 

[FromTheRafters]

But then wouldn't the virus have to target specific programs with
'know' weak checksum algorithms?

It is not generally a good idea to have the algorithm as part of the program
it hopes to protect.

I suppose it could refuse to infect those systems whose integrity checking
program generated checksums which it was unable to match. You're right
though, it wouldn't be *easy*. A properly implemented integrity checker (or
change detection) program is a *very* good defense against further spreading
of a virus you are already executing on the system.

This may interest you:

http://www.people.frisk-software.com/~bontchev/papers/attacks.html

 

[RayLopez99]

This may interest you:

http://www.people.frisk-software.com/~bontchev/papers/attacks.html

From the link: 'Remember: the only 100% foolproof anti–stealth
technique is to cold booting the computer from a non–infected write–
protected system diskette, to ensure that no virus is present in
memory. '

Wow. Does anybody really do this? I've never heard of this being
done. Does Norton, Symantec, etc even have such an option?

RL

 

[FromTheRafters]

This may interest you:

http://www.people.frisk-software.com/~bontchev/papers/attacks.html

From the link: 'Remember: the only 100% foolproof anti–stealth
technique is to cold booting the computer from a non–infected write–
protected system diskette, to ensure that no virus is present in
memory. '

Wow. Does anybody really do this?

***
Everybody that does malware removal for others *should* be doing this.
Working on a live infection can be like a dog chasing its tail. Some even
suggest swapping out the harddrive to a known clean surrogate computer and
scanning the drive with *that* system to avoid any possibility of malicious
code interfering with the process.

Some malware is really easy to remove, and it is not even necessary to
"clean boot" - so, it depends on what you are dealing with.
***

I've never heard of this being done. Does Norton, Symantec, etc even have
such an option?

***
They *all* have rescue disks as far as I know, some require or suggest that
the user create one when first executing the AV program. There is also a
create boot disk suggestion when completing the install of most OSes.
***

 

[David H. Lipman]

From: "RayLopez99" <[email protected]>

| On Oct 20, 3:37 pm, "FromTheRafters" <erratic @nomail.afraid.org>
| wrote:


| From the link: 'Remember: the only 100% foolproof anti–stealth
| technique is to cold booting the computer from a non–infected write–
| protected system diskette, to ensure that no virus is present in
| memory. '

| Wow. Does anybody really do this? I've never heard of this being
| done. Does Norton, Symantec, etc even have such an option?

Some provide an ISO image where you can burn a bootable CDROM.

 

[Peter]

From the link: 'Remember: the only 100% foolproof anti=3Fstealth
technique is to cold booting the computer from a non=3Finfected write=3F
protected system diskette, to ensure that no virus is present in
memory. '

Wow. Does anybody really do this? I've never heard of this being
done. Does Norton, Symantec, etc even have such an option?

RL

I do have a Kaspersky rescut cd-rom which runs a linux O/S and can
download an updated virus database for its AV software. However, I've
only used it on a couple of occasions and found that it wasn't always
able to connect to the internet to update.

Only really used when can't pull the HD, ie on some laptops.

 

[Sjouke Burry]

From the link: 'Remember: the only 100% foolproof anti–stealth
technique is to cold booting the computer from a non–infected write–
protected system diskette, to ensure that no virus is present in
memory. '

Wow. Does anybody really do this? I've never heard of this being
done. Does Norton, Symantec, etc even have such an option?

RL

You can build your own xp cd with bartpe cd builder(need the original
xp install cd or files), link:> http://www.nu2.nu/pebuilder/



Also the Hiren bootcd dowload:>> http://www.hirensbootcd.net/

 

[Dustin]

You can build your own xp cd with bartpe cd builder(need the original
xp install cd or files), link:> http://www.nu2.nu/pebuilder/



Also the Hiren bootcd dowload:>> http://www.hirensbootcd.net/

Yea, just be careful trying to boot a machine running ati drivers if
you have plainjane xp with sp3 on it. <G> You might very well meet a
consistent bluescreen. heh

 

[Sjouke Burry]

Yea, just be careful trying to boot a machine running ati drivers if
you have plainjane xp with sp3 on it. <G> You might very well meet a
consistent bluescreen. heh

Both cd's run as stand-alone xp system, not needing drive C, and contain
a host of support software for repair.

 

[Dustin]

Both cd's run as stand-alone xp system, not needing drive C, and
contain a host of support software for repair.

I know what the bart disc does, thanks. I've been using it awhile
myself. It still tries to load drivers for some things; and if you
prepped it using an sp3 cdrom with some ati video cards on a machine,
it will bluescreen and crashout instead of booting into the bart gui.
It's a video driver issue. You can always make your bart disc, and just
force it to boot into vga mode if you encounter the problem. I was just
trying to provide you a heads up.