Bill Frantz wrote:
My favorite virtual machine use is for the virus to install itself as a virtual machine, and run the OS in the virtual machine. This technique should be really good for hiding from virus scanners.
re:
http://www.garlic.com/~lynn/aadsm28.htm#2 Death of antivirus software imminent
http://www.garlic.com/~lynn/aadsm28.htm#4 Death of antivirus software imminent

I commented on that in the referenced posts, mentioning that there have been uses of virtual machines to study viruses/trojans ... but that some of the new generation viruses/trojans are now looking to see if they are running in a virtual machine (being studied?).

Some of the current trade-off is whether that virtual machine technology can be used to partition off basically insecure operations (which are widely recognized as being easy to compromise) and then completely discard the environment and rebuild from scratch after every session (sort of the automated equivalent of having to manually wipe an infected machine and re-install from scratch). The counter-argument is that crooks can possibly also use similar technology to hide ... once they have infected the machine.

The current issue is that a lot of the antivirus/scanning techniques are becoming obsolete w/o the attackers even leveraging virtual machine technology. The attackers can leverage the technology in an otherwise poorly defended machine.

Some years ago there was a product claiming that it could operate even at a public access machine because of the completeness of their antivirus countermeasures ... even on an infected machine. I raised the issue that it would be trivial to defeat all such countermeasures using virtual machine technology. Somewhat of a skirmish resulted since they had never considered (or heard of) virtual machine technology ... for all I know there is still an ongoing head-in-the-sand situation.

For a little topic drift ... this blog entry:
https://financialcryptography.com/mt/archives/000991.html
and
http://www.garlic.com/~lynn/aadsm28.htm#3
http://www.garlic.com/~lynn/aadsm28.htm#5
there is some assertion that the crooks are overwhelming the defenders' countermeasures because they are operating significantly faster and more efficiently.
However, another interpretation is that the defenders have chosen an extremely poor position to defend ... and are therefore at an enormous disadvantage. It may be necessary to change the paradigm (and/or find the high ground) in order to successfully defend.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

----- End forwarded message -----

--
Eugen Leitl, http://leitl.org