Posted by B. Nice on August 6, 2006, 10:33 am
<snip>
>I think you misunderstand the idea of automatic updates, pushing out
>detection methods, etc... The vendors that make software that protect
>your computer create a detection rule that looks for something trying to
>access an exploit,
Fine. Now here are some *facts* for you:
I downloaded the *source code* of Volker's PoC and compiled my own
version. The *only thing* I changed was to point the URL to my own
website instead of to Volker's. The rest of the code remained 100%
unchanged.
I ran it - it worked - and my NOD32 anti-virus, which would bark heavily
at Volker's code, kept silent. And so did each and every one of the 27
engines at virustotal.com when I uploaded it for a test. So much for your
"detection rules".
It seems like the only one misunderstanding something here is you.
>or something that uses a code snippet that tries to
>use the exploit - they don't really care about who wrote it or why, just
>that it's a hole, as identified by the community, and should be detected
>because it's not a proper access method.
Who says this particular method is not a proper access method? Do you
have any references that inter-process communication on windows is
improper?
<snip>
>> Your problem is that a windows API function is neither a hole nor an
>> exploit
>> http://en.wikipedia.org/wiki/Exploit_(computer_security)
>
>And your problem is that you don't seem to grasp that it doesn't make a
>difference what it is or what moon it comes from, it's strictly based on
>what it tries to do. If I write program X that makes use of an
>"EXPLOIT" then I'm not coding my program properly and with good security
>in mind, that means my program is making use of the SAME attack method
>as a malware has been shown to use. My program, when accessing the
>exploit, accesses it the same way that a malware does. It doesn't matter
>if my program produces food for the hungry, gives money to the poor, all
>that matters is that the program uses a known exploit path, and since
>it does, it should be detected as a threat by all known anti-malware
>tools.
Well, as I explained to you in this specific case, it isn't detected.
And you continue using the term "exploit" in a wrong way.