hackers and trojans and Microsoft


codybear
11-09-2000, 03:45 AM
Companies can indeed learn from the recent Microsoft hacker incident, but
not from reading much of the press coverage. Most of the press and
industry have questioned Microsoft on its security practices and mention
that Microsoft's anti-virus software would have detected the QAZ Trojan
had its anti-virus software been kept up to date. Their advice to other
companies was to "update your anti-virus software." This is the
traditional advice given, but in fact is terribly misleading and gives
companies a false sense of security because it implies that once companies
update their anti-virus scanner, they can rest at ease from known Trojans.

The media has completely missed the point that it's trivial to pass known
Trojans through anti-virus software using compression tools (or "packers").
We'd be shocked if the hacker who sent QAZ Trojan to Microsoft had NOT
compressed (or uncompressed) the file to change its signature, thus creating
a new "variant". Every decent hacker has several compressors in their arsenal
for this very purpose. Unlike the WinZip utility, these Win32 packers
PERMANENTLY compress executable files by up to 50% -- and those programs run
at that size -- they do NOT uncompress to run. Once compressed, any known
Trojan will pass undetected through anti-virus software -- EVERY time.
(Hackers know this well and scoff at anti-virus security.) Unfortunately,
most companies are completely unaware that this is even possible.

The original QAZ Trojan was compressed using UPX - the source is readily
available for download on many hacking sites. It is most likely that the
Russian hackers simply uncompressed QAZ and recompressed it with another
"packer". These techniques were used to create the popular PrettyPark and
MiniZip worms during the past year. Uncompressing programs and/or
re-compressing them with different packer tools is an easy and common way to
create a new variant.
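The post's point is that a signature scanner keys on the bytes of a known sample, so repacking the same program produces a file the scanner has never seen. A defender's complement to signature matching is to look at the container rather than the content: packed executables tend to carry the packer's own section names (UPX uses UPX0/UPX1 by default) and sections whose bytes are close to random. The following is an added example, not code from the original post or from UPX; it builds two constructed, minimal PE images (no optional header, not loadable) and runs a small entropy- and section-name-based triage over them. The 7.0 bits/byte threshold and the 256-byte minimum section size are assumed tuning values.

```python
"""Packer-aware triage for PE files: a heuristic that does not depend on the
file's hash or byte signature, so repacking a known sample does not hide it."""
import hashlib
import math
import random
import struct

# Default section names written by UPX; a hint only, since a packer can be
# patched to use any name.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}
# Assumed tuning values: compressed or encrypted data approaches 8 bits/byte,
# while ordinary x86 code and data usually sit well below 7.
ENTROPY_THRESHOLD = 7.0
MIN_SECTION_SIZE = 256  # entropy of very small sections is not meaningful


def sha256_hex(data: bytes) -> str:
    """Hash-style 'signature' of a file; changes whenever a single byte changes."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: 0.0 for empty input, 8.0 for uniform random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe_sections(pe: bytes) -> list:
    """Walk the PE section table; return name, raw size and entropy per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER prefix: Name, VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData (40-byte entries)
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
        })
    return sections


def triage(pe: bytes) -> list:
    """Return human-readable findings that suggest the file is packed."""
    findings = []
    for s in parse_pe_sections(pe):
        if s["name"] in KNOWN_PACKER_SECTIONS:
            findings.append(f"section {s['name']}: known packer section name")
        if s["raw_size"] >= MIN_SECTION_SIZE and s["entropy"] > ENTROPY_THRESHOLD:
            findings.append(f"section {s['name']}: entropy {s['entropy']:.2f} bits/byte")
    return findings


def build_fake_pe(sections) -> bytes:
    """Constructed minimal PE image (DOS header, COFF header, no optional header,
    section table, raw section data). Enough for the parser above; not loadable."""
    nsec = len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0, 0x0102)
    ptr = 64 + 4 + 20 + 40 * nsec                             # first raw data offset
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), ptr,
                             0, 0, 0, 0, 0x60000020)
        blobs += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + table + blobs


# Constructed samples. The "plain" one has structured, low-entropy content; the
# "packed" one mimics a UPX layout where the original code lives compressed in
# UPX1 (seeded pseudo-random bytes stand in for the compressed payload).
_rng = random.Random(1234)
PLAIN_SAMPLE = build_fake_pe([
    (b".text", bytes(range(16)) * 256),
    (b".data", b"constructed sample data\0" * 32),
])
PACKED_SAMPLE = build_fake_pe([
    (b"UPX0", b""),
    (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),
])

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, sha256_hex(sample)[:16], triage(sample) or ["no packer indicators"])
```

The two samples hash to different values, which is all a byte-signature scanner of the kind the post describes would see; the section-level heuristic instead flags the packed layout regardless of which bytes the compressed payload happens to contain. In practice such findings are a triage signal for sandboxing or unpacking before scanning, not a verdict on their own, since legitimate installers and protected commercial software are packed too.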