EICAR... my friend!


FromTheRafters

Arnold McDonald (AMcD) said:

I await the "forthcoming" articles...looks interesting.
....but in light of,

===
Information given here is not free of rights! No part of this site
shall be reproduced, translated, adapted, stored or transmitted in
any form or by any means without my authorization.
===

....should I get your permission before caching pages?

I may already have stored a local copy of some of your pages...sorry.
 

Arnold McDonald \(AMcD\)

FromTheRafters said:
===
Information given here is not free of rights! No part of this site
shall be reproduced, translated, adapted, stored or transmitted in
any form or by any means without my authorization.
===

...should I get your permission before caching pages?

Well, I don't see the word "cached"... ;o)

--
AMcD

http://arnold.mcdonald.free.fr/
(still in fossilization progress but now in English, thus the whole
world can see my laziness)
 

Bart Bailey


I found the debut article on EICAR to be very interesting.
I'm not an ASM coder, so much of the coding detail flew over my head,
but the concept was appreciated.
I'm somewhat confused by Fred Bonroy lending his imprimatur to anything
that discusses infection procedures, when he very recently came out in
support of suppressing such information.

Bart
 

Arnold McDonald \(AMcD\)

Bart said:
I found the debut article on EICAR to be very interesting.
I'm not an ASM coder, so much of the coding detail flew over my head,
but the concept was appreciated.
Thx.

I'm somewhat confused by Fred Bonroy lending his imprimatur to
anything that discusses infection procedures, when he very recently
came out in support of suppressing such information.

He charged me $10.000 :blush:)

--
AMcD

http://arnold.mcdonald.free.fr/
(still in fossilization progress but now in English, thus the whole
world can see my laziness)
 

Bart Bailey

You misunderestimated me. ;-)

I doubt that the virus described in the article will do much harm,
and it's for, uh, "educational purposes".

....and the UoC isn't involved in just such an endeavor,
"educational purposes", that is?

At least Fridrik's product fared better than the others <g>

Bart
 

Frederic Bonroy

Bart said:
...and the UoC isn't involved in just such an endeavor,
"educational purposes", that is?

I doubt that they are going to write overwriting .com viruses only,
especially if they "infect" only files named goat.com in the current
directory.
 

Frederic Bonroy

Nick said:
Your rights disclaimer is abject, unenforceable gibberish (mind you,
the latter is not surprising given the quality of understanding shown
in the EICAR page itself...).

Hehe, I suppose I was right to warn Arnold that messing with EICAR
was going to attract harsh criticism. :)

I can't speak for him but I think the article enquires more than it
states, so it's meant to be explorative rather than authoritative.
It's an interesting analysis of how AV programs react. Given the
constraints imposed by the definition of the EICAR, it may not make
sense to conduct such an analysis from the *scientific* point of
view but it's surely interesting for us, the "populace".

This said, without knowing to which parts of the article you object
to and why I cannot really agree or disagree with you. Would you
mind elaborating?
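An added example (my own, not code from the original thread or from Arnold's article) that makes the "constraints imposed by the definition of the EICAR" concrete: a Python check of a candidate file against the published EICAR test-file definition, which fixes the first 68 bytes exactly, allows them to be followed only by space, tab, CR, LF or CTRL-Z, and caps the whole file at 128 bytes. Anything that fails the check is no longer an EICAR test file, so a scanner's reaction to it says nothing about the test file itself. The candidate inputs below are constructed for illustration, not real-world samples.

```python
# Added example: checks a candidate byte string against the published
# EICAR test-file definition. Not part of the original thread.

# The 68-byte test string is assembled from two halves so that this source
# file does not itself contain the contiguous pattern scanners look for.
EICAR_HEAD = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
EICAR_TAIL = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR = EICAR_HEAD + EICAR_TAIL  # 68 bytes

# Per the definition, the 68 bytes may be followed only by these whitespace
# bytes (space, tab, LF, CR, CTRL-Z), and the file may not exceed 128 bytes.
ALLOWED_TRAILER = frozenset(b" \t\n\r\x1a")
MAX_TOTAL_LEN = 128


def classify_eicar(data: bytes) -> str:
    """Return 'valid' if `data` is an EICAR test file, otherwise the first
    reason it falls outside the definition (and so outside any claim about
    how a scanner "should" treat the test file)."""
    if len(data) < len(EICAR):
        return f"too short: {len(data)} bytes, need {len(EICAR)}"
    if len(data) > MAX_TOTAL_LEN:
        return f"too long: {len(data)} bytes, limit is {MAX_TOTAL_LEN}"
    # The 68-byte prefix must match exactly; case and every byte matter.
    for offset, (got, want) in enumerate(zip(data, EICAR)):
        if got != want:
            return f"byte 0x{got:02x} at offset {offset} differs from the test string"
    # Anything after the 68 bytes must be permitted whitespace only.
    for offset in range(len(EICAR), len(data)):
        if data[offset] not in ALLOWED_TRAILER:
            return (f"trailer byte 0x{data[offset]:02x} at offset {offset} "
                    f"is not permitted whitespace")
    return "valid"


def constructed_candidates() -> dict[str, bytes]:
    """Hand-built inputs (constructed, not real samples) exercising each rule."""
    return {
        "canonical": EICAR,
        "crlf_terminated": EICAR + b"\r\n",
        "padded_to_128": EICAR + b" " * (MAX_TOTAL_LEN - len(EICAR)),
        "padded_to_129": EICAR + b" " * (MAX_TOTAL_LEN - len(EICAR) + 1),
        "lowercased": EICAR.lower(),
        "nop_prefixed": b"\x90" + EICAR,
        "last_byte_changed": EICAR[:-1] + b"#",
        "nul_trailer": EICAR + b"\x00",
        "truncated": EICAR[:60],
    }


if __name__ == "__main__":
    for name, blob in constructed_candidates().items():
        print(f"{name:18} {len(blob):3d} bytes  {classify_eicar(blob)}")
```

Only the first three candidates are EICAR test files under the definition; the rest are ordinary files that happen to contain most of the string, and a scanner is free to treat them however it likes.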
 

Arnold McDonald \(AMcD\)

Nick said:
As if further proof of his stupidity were needed, "Arnold McDonald
(AMcD)" saw fit to scrawl:


How do you cache a web page without also "storing" it?

Then, once you work that one out, please explain how anyone would be
able to view said web page without having it "transmitted" over the
network to the machine running their browser.

It's just that I planned to offer some other material on this site: articles
and tutorials or software; from me, but also from mates. You know what real
life is: copycats everywhere. So, I chose to write a disclaimer. A clumsy
one? Sorry. I'll add some points.
And don't even get me started on the legal nuances that can be
encompassed under "reproduced"...

I won't.
Your rights disclaimer is abject, unenforceable gibberish (mind you,
the latter is not surprising given the quality of understanding shown
in the EICAR page itself...).

Ow! Coarseness now... Maybe the disclaimer is clumsy, I'll correct it, but
it's not a reason to insult me. Just a bit of courtesy, man! A learned and
eminent specialist like you should understand the title: "Let's have
fun...". If the quality is poor why don't you tell me why? Perhaps you
didn't understand the object of the text?

Above all, just remember one thing: I don't care what rude people think of
me!

Kindest regards,

--
AMcD

http://arnold.mcdonald.free.fr/
(still in fossilization progress but now in English, thus the whole
world can see my laziness)
 

Bart Bailey

all things considered, you *could* inspire the next 'he who can't be
named'... i think he used a similar justification for some of his work...

Speaking of the ineffable one,
Whatever happened to him?

Last I heard he was just up the coast from here.

Bart
 

Frederic Bonroy

kurt said:
all things considered, you *could* inspire the next 'he who can't be
named'... i think he used a similar justification for some of his work...

Well, let me be clear. I think that it is absolutely unacceptable
to conduct detection tests with virus simulators.

But it can also be interesting to see how scanners react to virus
simulators just out of curiosity. The problem arises when you start
to draw conclusions about a scanner's virus detection performance
from tests conducted with virus simulators. Such conclusions would
obviously be invalid most of the time.

One could argue that the program that overwrites goat.com is not
a real virus (it does replicate, but the replicated goat.com won't
replicate again and simply overwrites itself). But if you change
goat.com to *.com it will become a real virus.
 

Frederic Bonroy

Bart said:
This open examination of AV scanning vulnerabilities is indeed a service
to the whole internet community that may have to rely on such
applications, and there can never be too much light shone on these
topics, despite your reservations.

Yes and no. As I said, this particular program is rather harmless and
doesn't really threaten world peace. I am aware that there is a very
remote possibility of it being used maliciously and admittedly at
first I felt somewhat uneasy about the source appearing in the article.
But then, think pragmatically: what damage is an overwriting .com virus
going to cause, and how many Visual Basic hAcK3rZ are capable of
obtaining and using an assembler and linker?
So I won't really lose sleep over the publication of *this particular*
piece.

It's different when you develop highly sophisticated viruses that
exploit flaws in AV software and make them available to anyone who
wants them.
Note that I wrote "and". There is nothing wrong with exploiting
flaws in AV software provided you discuss it in a circle of absolutely
trustworthy people only and duly inform the developer.
You don't really think someone will make the necessary sacrifices to
attend Uni to merely write malware do you, how will they feed their
family?

No. But not all university students are angels. Some could use the
knowledge they casually acquire in these courses maliciously.
 

Damn Straight

and how many Visual Basic hAcK3rZ are capable of
obtaining

Maybe http://biw.rult.at/index.php?page=tools has what they need
and using an assembler and linker?

Anyone that can google up and understand info like this:

xor ax,ax       ; clear AX
mov al,2Eh      ; CMOS register 2Eh: high byte of the CMOS checksum (covers 10h-2Dh)
out 70h,al      ; select that register through the CMOS/RTC index port
in al,71h       ; read its value back through the CMOS data port
xchg ch,al      ; park the high byte in CH
mov al,2Fh      ; next register, 2Fh: low byte of the CMOS checksum

and read any of the online tutorials about getting from ring3 to ring0

It's different when you develop highly sophisticated viruses that
exploit flaws in AV software and make them available to anyone who
wants them.
Note that I wrote "and". There is nothing wrong with exploiting
flaws in AV software provided you discuss it in a circle of absolutely
trustworthy people only and duly inform the developer.

If you discuss it with anyone, you're contributing to the knowledge
base, and the more people involved, the greater the odds of it reaching
a less than trustworthy individual.
Where do you draw the cutoff line on those odds?
No. But not all university students are angels. Some could use the
knowledge they casually acquire in these courses maliciously.

But of course all readers of this newsgroup are as chaste as the driven
snow, and would never misuse anything linked to from here <g>
 

Frederic Bonroy

Damn Straight wrote:

Anyone that can google up and understand info like this:

xor ax,ax
mov al,2Eh
out 70h,al
in al,71h
xchg ch,al
mov al,2Fh

and read any of the online tutorials about getting from ring3 to ring0

People who understand information like this and tutorials about getting
from ring3 to ring0 are capable of creating their own viruses and
certainly do not need someone else to provide them with the source
of an overwriting .com virus.
If you discuss it with anyone, you're contributing to the knowledge
base, and the more people involved, the greater the odds of it reaching
a less than trustworthy individual.
Where do you draw the cutoff line on those odds?

It happened to me once. I discovered a flaw in some virus scanners
(nothing spectacular actually, virus writers knew about it long
before). I discussed it with a few people and informed one of
the scanner developers (who acknowledged the problem but wasn't overly
concerned).

Basically I think you can discuss it with anyone you deem trustworthy,
"trustworthy" implying that they won't pass it on to others who are
less trustworthy.
But of course all readers of this newsgroup are as chaste as the driven
snow, and would never misuse anything linked to from here <g>

Again: this overwriting .com virus is silly. It's not dangerous.
 

Arnold McDonald \(AMcD\)

Frederic said:
People who understand information like this and tutorials about getting
from ring3 to ring0 are capable of creating their own viruses and
certainly do not need someone else to provide them with the source
of an overwriting .com virus.
Absolutely.

Again: this overwriting .com virus is silly. It's not dangerous.

Exactly. I chose an overwriter just because of its simplicity. This kind of
malware has been known for ages now and I thought AVs were aware of these
antiquities!

IMHO, the debate about publication of malware is sterile. Terrorists and
criminals don't respect laws and everyone can get very destructive code
with Google. You just need a few seconds and 3 clicks. Of course, I don't
intend to give people bad ideas! But I call for an absolute freedom of
publication. It's just my own belief, I don't say I'm right.

You know, cars are not designed to kill people or loot banks. Some stupid
people use cars to do that. You won't stop human stupidity just with
restrictive laws, you just get freedom of expression blocked.

--
AMcD

http://arnold.mcdonald.free.fr/
(still in fossilization progress but now in English, thus the whole
world can see my laziness)
 

Bart Bailey

Of course, I don't
intend to give people bad ideas! But I call for an absolute freedom of
publication. It's just my own belief, I don't say I'm right.

You're as right as you can justify yourself to be,
and when it comes to the freedom to express ideas,
that's at the intrinsic core of all other freedoms.
You won't stop human stupidity just with
restrictive laws, you just get freedom of expression blocked.

That's why Fred's inconsistent stance is so baffling, he's willing to
allow, even endorse, your expression of an idea with illustrative
examples, yet rails against the same principle of infective coding
techniques being displayed at the university level, which I would
proffer to be a much more sterile venue than the world wide web.

Again, it's an interesting article, and I hope you allow your creative
talents to flourish with more such analytical treatments in the future.

Bart
 

Arnold McDonald \(AMcD\)

Bart said:
Again, it's an interesting article, and I hope you allow your creative
talents to flourish with more such analytical treatments in the
future.

No problem. The next one is in progress. But I'm slow, very slow ;o(.

--
AMcD

http://arnold.mcdonald.free.fr/
(still in fossilization progress but now in English, thus the whole
world can see my laziness)
 

FromTheRafters

Frederic Bonroy said:
Hehe, I suppose I was right to warn Arnold that messing with EICAR
was going to attract harsh criticism. :)

I can't speak for him but I think the article enquires more than it
states, so it's meant to be explorative rather than authoritative.
It's an interesting analysis of how AV programs react. Given the
constraints imposed by the definition of the EICAR, it may not make
sense to conduct such an analysis from the *scientific* point of
view but it's surely interesting for us, the "populace".

I found it interesting, but pointless. The purpose of the
test file is entirely different from the purpose of testing
with real virus samples.

I was sincere in stating my interest in further exercises.

....as for the disclaimer, even WebTV violates it. ;o)
 

kurt wismer

Bart said:
Speaking of the ineffable one,
Whatever happened to him?

Last I heard he was just up the coast from here.

SHHH!

bart, be careful... if you speak of the devil, he shall appear...

personally, i don't care what happened to him... it's folks like him
that drive away folks like iolo davidson...
 

kurt wismer

Frederic said:
kurt wismer wrote:

Well, let me be clear. I think that it is absolutely unacceptable
to conduct detection tests with virus simulators.

But it can also be interesting to see how scanners react to virus
simulators just out of curiosity. The problem arises when you start
to draw conclusions about a scanner's virus detection performance
from tests conducted with virus simulators. Such conclusions would
obviously be invalid most of the time.

how quickly we forget, the simulators were only 1 of his sins... i'm
referring to the real (though severely retarded) viruses he made and
peddled under the guise of safe viruses... they were originally add-ons
to his basic simulator package that folks could buy from him, but
eventually he rolled it into the main package and in so doing got turfed
from simtel because of f-prot's distribution constraints...
One could argue that the program that overwrites goat.com is not
a real virus (it does replicate, but the replicated goat.com won't
replicate again and simply overwrites itself). But if you change
goat.com to *.com it will become a real virus.

the very same thing was said of the items to which i've referred above...
 
