Rich Freeman on 5 Oct 2012 14:27:29 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Detecting SQL injection viruses

On Fri, Oct 5, 2012 at 4:20 PM, Eric H. Johnson <> wrote:
> What I recall reading about this is that they work by downloading an
> encrypted payload with a random key, which defeats pattern matching. The key
> is relatively short, so it has to guess keys until it gets it, at which
> point it can then infect the machine.

Sounds like a standard stealth virus, except that it has to guess the
key.  The solution is what is normally done - don't target the
payload, target the decryption routine.  Polymorphism no doubt hinders
this, but somebody will eventually figure out how to pick it up.

So, is this just an executable that people are running?  Either people
are running an executable, or some local app has a vulnerability.
Both are things you can target.

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --