Worm sleeps to avoid detection


re: http://zdnet.com.com/2100-1105-5267258.html

"The latest mass-mailing worm, Atak, hides by going to sleep when it suspects that antivirus software is trying to detect it."

"It is standard for worms to have layers of encryption--or armoring--to keep out snoopers, but this goes way beyond that. It tries actively to detect if it is being analyzed by antivirus research tools. If it thinks it is being analyzed, it stops running and shuts down," Hypponen said."

"Atak is not thought to be a serious threat. But because of recent detection and in-built protection, the worm's full functionality has not yet been fully analyzed. However, it is known that the worm contains text that seems to threaten other well-known worms and viruses, such as MyDoom, Bagle and Netsky."

Cheers,
Gary

**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
* Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930         
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
* http://csrc.nist.gov/staff/stoneburner/gshome.html
**************************************************************************


