Rich Freeman on 5 Oct 2012 14:27:29 -0700

Re: [PLUG] Detecting SQL injection viruses
On Fri, Oct 5, 2012 at 4:20 PM, Eric H. Johnson <ejohnson@camalytics.com> wrote:
>
> What I recall reading about this is that they work by downloading an
> encrypted payload with a random key, which defeats pattern matching. The key
> is relatively short, so it has to guess keys until it gets it, at which
> point it can then infect the machine.

Sounds like a standard stealth virus, except that it has to guess the key. The solution is what is normally done - don't target the payload, target the decryption routine. Polymorphism no doubt hinders this, but somebody will eventually figure out how to pick it up.

So, is this just an executable that people are running? Either people are running an executable, or some local app has a vulnerability. Both are things you can target.

Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
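The point Rich makes above (a signature on the randomly keyed payload fails, a signature on the constant decryption routine does not), shown as an added Python example that is not part of the thread. The decryptor stub and payload bytes are constructed stand-ins, and the "scanner" is a plain substring match; the stub's own key search is deliberately not modelled.

```python
import random

# Constructed toy stand-ins: a real sample would carry machine code here.
DECRYPTOR_STUB = b"\x90STUB:try-next-key;xor-payload;jump-if-marker\x90"
PLAIN_PAYLOAD = b"MARKER: payload body (constructed, inert text)"


def xor_with_key16(data: bytes, key: int) -> bytes:
    """XOR data with a 2-byte key; the same call encrypts and decrypts."""
    k = key.to_bytes(2, "big")
    return bytes(b ^ k[i % 2] for i, b in enumerate(data))


def build_sample(key: int) -> bytes:
    """One infected file: the unchanging decryptor followed by the payload
    encrypted under a per-sample random key (as the thread describes)."""
    return DECRYPTOR_STUB + xor_with_key16(PLAIN_PAYLOAD, key)


def matches(sample: bytes, signature: bytes) -> bool:
    """Naive byte-pattern scanner: does the signature occur in the sample?"""
    return signature in sample


def hit_rates(keys, payload_sig: bytes, stub_sig: bytes):
    """Build one sample per key and count how many each signature catches.
    Returns (payload-signature hits, decryptor-signature hits)."""
    samples = [build_sample(k) for k in keys]
    payload_hits = sum(matches(s, payload_sig) for s in samples)
    stub_hits = sum(matches(s, stub_sig) for s in samples)
    return payload_hits, stub_hits


if __name__ == "__main__":
    rng = random.Random(1)
    keys = [rng.randrange(1, 1 << 16) for _ in range(100)]  # key 0 = plaintext
    p, s = hit_rates(keys, b"MARKER: payload", b"try-next-key;xor-payload")
    print(f"payload signature: {p}/100 samples, decryptor signature: {s}/100")
```

With a polymorphic decryptor the stub bytes would also vary per sample, which is the caveat in the reply: the fixed-substring `stub_sig` would then need to become a wildcard pattern or a behavioural check.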