Focus on Virus
It will work? an idea Apr 24 2011 08:36AM
learnmsfre gmail com (3 replies)
RE: It will work? an idea Apr 28 2011 06:32AM
IT_H_Security (IT_H_Security MahindraSatyamBPO com) (1 replies)
Re: It will work? an idea Apr 28 2011 09:07AM
Vivek P Nair (iamherevivek gmail com)
Hi Umar
Hellow all....

Hi Everyone!

Interesting Idea indeed! .. There are a few concern areas when you start building the application.. read inline please..

I have an idea to share with you guys to know whether it can be
implemented or not?
Idea is, people write exploits for discovered public vulnerabilities,
and infect target system which is not yet patched. If vendor release
patch and client install released vendor patch or third party, then
exploit is outdated for that particular system. And we can write more
than one exploit for single vulnerability.

You are correct with the idea that there can be more than 1 vector at the exploit code level or even at the attack vector stage, but creating a zero day exploit prevention using this single vulnerability and few known exploits will take considerable human effort, I am not aware of an automated system that could enumerate a zero day from a known exploit / vulnerability. So, mm.... it is people and skillset intensive, do you intend to spend that much time and effort on every exploit that surfaces :) !! What is your take on this point?

Everybody use MS Office, Adobe Acrobat, and we have a finite number of vulnerabilities in these
two software, and a number of exploits can be written based on these
public vulnerabilities.

Well, yes there are many many of them.. you can create the list of bugs and gather POC expolit code using an automated crawler cum parser, that is the easy part. What about enumerating the variants for each of them? How do u see that coming? What will be the approach. My first though goes at creating a sandbox and use custom made code to try and extrapolate the exploit code that has surfaced with the POC, published over the internet. There are predictable list of ways one cold execute an exploit a bug aka vulnerability, I need to take a look at it in detail to suggest some automation in this area.

So, idea is to develop an open source HIDS that
defeat vulnerabilities based exploits. Initial focus is on MS Office,
Adobe Acrobat because these are commonly used software and if we are
able to defeat client side attacks targeting these two software, it
would be a remarkable achievement and this HIDS would benefit community
by protecting client side attacks in these commonly used software. So:

Well, creating a signature set to identify these exploits and associated activities is a bit of a work, but can easily be created, the HIDS is a nice approach to it. What is the kind of sensors that you think you would use.. I like the idea as such. Do let me know what is your research like.. Are you planning to go somewhere with this or just a piece of your thought, that you are sharing with us.

1- It will benefit community?

Yes it will positively benefit the community and the community will be definitely a good factor to push the development of such a solution provided there are some real interested project owners.

2- To what level idea is practical?

I would say the practicality of this project is 40% - 75% ( I know it is a wide estimate), depending on the areas that you choose to enter into at first, create a feasibility study to use existing frameworks to create a backbone to your HIDS, add the exploit intelligence modult to it slowly and steadily once you build, test and package.

My 2 cents
deadbrain..

My crime that of curiousity, I am a hacker & this is my manifesto..

------------------------------------------------------------------------
---
This list is sponsored by: Black Hat

Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier
technical event for ICT security experts. Featuring 30 hands-on training
courses and 90 Briefings presentations with lots of new content and new
tools. Network with 4,000 delegates from 70 nations. Visit product
displays by 30 top sponsors in a relaxed setting.

http://www.blackhat.com
------------------------------------------------------------------------
---

[ reply ]
RE: It will work? an idea Apr 26 2011 05:11PM
Omar Salvador Alcalá Ruiz (oalcala scitum com mx) (1 replies)
Re: It will work? an idea Apr 27 2011 10:27AM
Alex Vargas (vargasa gmail com)
Re: It will work? an idea Apr 26 2011 12:07PM
Nick FitzGerald (nick virus-l demon co uk)


 

Privacy Statement
Copyright 2010, SecurityFocus