Okay everyone, let's take a break from the keyboard, have an adult beverage
of your choice and remind ourselves of the PURPOSE of this list...
Sharing of information...
The "Have you ever coded an exploit?" and "My ____ is bigger than your ____"
attitude doesn't serve to IMPROVE our profession. IF someone really is
clueless in their response(s), why not include some data/proof to back up
the argument that they are wrong? This way everyone gets a little education
in the process and at the very least gets to see a different point of view
or approach to achieving their objective.
My .02,
Chad
-----Original Message-----
From: Faas M. Mathiasen [mailto:faas.m.mathiasen@googlemail.com]
Sent: Thursday, February 21, 2008 5:50 AM
To: Peter Kosinar
Cc: incidents@securityfocus.com
Subject: Re: Possible Mail server compromise ?
Dear Peter,
Wrong
Have you ever coded an exploit ?
On Thu, Feb 21, 2008 at 12:07 AM, Peter Kosinar <goober@ksp.sk> wrote:
Nope, you have to distinguish between a sandbox (code is run) to an AV
> scanner scanning code in a VM, when the av scanner scans the code, the
> code is not executed and cannot decide whether it is inside a VM =)
Wrong. This would be true only if the AV didn't have the parsing bug in
the first place. If the AV is buggy and allows some form of arbitrary
code
execution, the attacker -does- have the code executed inside the VM; and
nothing stands in his way of detecting whether it's a real machine or
not.
If, on the other hand, the AV was not vulnerable... then, what would be
the gain of running it inside a VM? :-)
Peter
--
[Name] Peter Kosinar [Quote] 2B | ~2B = exp(i*PI) [ICQ] 134813278
