Slashdot Mirror

← Back to Stories (view on slashdot.org)

LovSan Clone Let Loose

Posted by CowboyNeal on from the coming-around-again dept.

JMullins writes "According to Kaspersky Labs the LovSan virus has been re-released in a new form that has changed the appearance of the worm. It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems. Net slowdowns are expected over the weekend when both versions of the virus start their attack."

3 of 631 comments (clear)

  1. MS Releases Network Scanning Tool by MacrosTheBlack · · Score: 5, Informative

    Microsoft have released a tool to scan your local network (or the whole net if u really wanted to).
    Download
    Network admins have fun.

  2. Re: Cloning.. by Satan's+Librarian · · Score: 5, Informative
    Uhm - they've been doing that for years. Early types were called polymorphism, an idea pioneered by the 'Dark Avenger'. Search for "MtE Dark Avenger" on the net. Old stuff.

    Basically, the concept is that an encryptor is built up in memory randomly, while the inverted code (e.g. add vs. sub, rol vs. ror) is built up in reverse. The virus is encrypted with the encryptor, and the decryptor is prepended.

    There were a ton of them in the early 90's. There are polymorphic Word viruses that use different techniques - running their script through a randomizer for variable names and such. Some viruses have also mutated their own opcodes as you suggest, although it's less common - but its been done.

    Detecting such viruses is challanging, but usually there are static bytes with known (although possibly variable) distances between them. One can also run an interpreter over a file and pseudo-execute it until it can be proven that it is or is not a virus, or just blast any existing crypto around the body and look to see what's there. If the virus just flips between equivalent opcodes, then just scan with a regular expression that includes each equivalent as an alternative. Another method is analysing the opcodes - if an exe's entry point is at the end of the file where you have a 1k decryptor right before 2k of garbage, and all the decryptor's opcodes fall within what one virus can produce, chances are....

    There are a lot more complex and hybrid techniques for it -those are just a few that can be described quickly.

    --
    I write code.
  3. Re: Cloning.. by Doomdark · · Score: 5, Informative
    The French intelligence services work very closely with French businesses.

    And, to be fair, US intelligence service works occasionally closely with US corporations (there were some cases related to airplane industry where EU was investigating how come US company had found out what some european company was bidding).

    Point being that perspective certainly matters, like you say, but also that few government agencies if any are completely above using illegal and/or immoral practices to help "their" companies, anywhere in the world.

    Open democracies, and especially free press lessen likelihood of such stunts (by retroactively uncovering them, usually leading to scandals... which act as deterrent in the long run). Unfortunately those 'antidotes' are being threatened especially in US, by latest legislations (from "Patriot" act to DMCA).

    --
    I like paying taxes. With them I buy civilization -- Oliver Wendell Holmes