Wednesday, September 15, 2010

are companion infectors contrived?

while reading a recent threatpost article i was rather taken aback by the following quote:

However, one security researcher said that the vectors for using EXE files in this kind of attack are unlikely to be seen in the real world. HD Moore, CSO of Rapid7 and founder of the Metasploit Project, said that he'd seen some cases of other file types being vulnerable to this kind of attack, but didn't think widespread exploitation was likely.
"Most of the EXE cases are contrived vectors, not realistic for exploits," he said.
i suppose path precedence companion viruses must be contrived then. but if that's so then mr. moore must be using a meaning of contrived that i'm not familiar with, because not only did they work reasonably well in their day, but they still operate quite well even now.

to be clear, and to avoid hyping the issue, i should point out that they aren't much of an issue for users of windows explorer. the way explorer works and the way it's used doesn't necessarily lend itself to this attack. but if you use the command line or happen to write and/or use scripts then planting *.EXE binaries can most definitely still pose a security problem - and there are still users in that group, many of them IT or infosec professionals. i would hope that such people would have an awareness of such a threat, but i've seen increasing evidence that people (even security folks) just don't get viruses in general (even after over 1/4 of a century) much less an obscure, ancient kind like this.
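the point above, that a planted .EXE wins against a same-named script because of lookup order, is easy to check for rather than guess about. the following is an added example (mine, not part of the original post or any project it mentions): a small audit that imitates the bare-name lookup cmd.exe performs (the current directory first, then each PATH entry, trying the PATHEXT extensions in order within each directory) and reports every script or program that would never run because a same-named file sits earlier in that order. it does not call cmd.exe, so it runs on any OS; the directory layout in `demo()` is constructed sample data, and `audit_current_environment()` applies the same check to the real working directory and PATH of the process.

```python
import os
import tempfile

# cmd.exe's default PATHEXT order: within one directory the first extension in
# this list wins, so foo.exe runs instead of foo.cmd. The current directory is
# searched before any PATH entry. (Assumed default order, used when PATHEXT is unset.)
DEFAULT_PATHEXT = [".com", ".exe", ".bat", ".cmd"]


def candidates_for(name, search_dirs, pathext):
    """All files a bare `name` could match, best first: ranked by (dir index, ext index)."""
    found = []
    for dir_index, d in enumerate(search_dirs):
        try:
            entries = os.listdir(d)
        except OSError:
            continue  # a missing or unreadable PATH entry is simply skipped
        for entry in entries:
            stem, ext = os.path.splitext(entry)
            if stem.lower() == name.lower() and ext.lower() in pathext:
                rank = (dir_index, pathext.index(ext.lower()))
                found.append((rank, os.path.join(d, entry)))
    return [path for _, path in sorted(found)]


def resolve(name, search_dirs, pathext=DEFAULT_PATHEXT):
    """Path the shell would run for a bare `name`, or None if nothing matches."""
    ranked = candidates_for(name, search_dirs, pathext)
    return ranked[0] if ranked else None


def find_shadowed(search_dirs, pathext=DEFAULT_PATHEXT):
    """Map each command name with more than one match to (winner, [losers]).

    A loser is a file that exists and looks like a command, but can never be
    reached by typing its bare name; a script shadowed by a planted .exe shows
    up here.
    """
    names = set()
    for d in search_dirs:
        try:
            entries = os.listdir(d)
        except OSError:
            continue
        for entry in entries:
            stem, ext = os.path.splitext(entry)
            if ext.lower() in pathext:
                names.add(stem.lower())
    report = {}
    for name in sorted(names):
        ranked = candidates_for(name, search_dirs, pathext)
        if len(ranked) > 1:
            report[name] = (ranked[0], ranked[1:])
    return report


def audit_current_environment():
    """Audit the real search order of this process: working directory, then PATH."""
    pathext = [e.lower() for e in os.environ.get("PATHEXT", "").split(os.pathsep) if e]
    search_dirs = [os.getcwd()] + [p for p in os.environ.get("PATH", "").split(os.pathsep) if p]
    return find_shadowed(search_dirs, pathext or DEFAULT_PATHEXT)


def demo():
    """Constructed layout: an admin's backup.cmd lives in a tools directory, and
    someone has dropped a backup.exe into the working directory. deploy.cmd and
    deploy.exe share one directory, so extension order decides; ssh.exe is alone."""
    root = tempfile.mkdtemp()
    work = os.path.join(root, "work")
    tools = os.path.join(root, "tools")
    os.makedirs(work)
    os.makedirs(tools)
    sample = ("work/backup.exe", "tools/backup.cmd", "tools/deploy.cmd",
              "tools/deploy.exe", "tools/ssh.exe")
    for rel in sample:
        with open(os.path.join(root, rel), "w") as f:
            f.write("placeholder\n")  # constructed sample file; contents are irrelevant
    report = find_shadowed([work, tools])
    # Return basenames so the result is independent of the temp directory path.
    return {name: (os.path.basename(winner), [os.path.basename(p) for p in losers])
            for name, (winner, losers) in report.items()}


if __name__ == "__main__":
    for name, (winner, losers) in demo().items():
        print(f"{name}: runs {winner}, never reaches {', '.join(losers)}")
    for name, (winner, losers) in audit_current_environment().items():
        print(f"[your environment] {name}: runs {winner}, shadows {losers}")
```

in the constructed layout `backup` resolves to the planted work/backup.exe rather than the tools/backup.cmd the admin wrote, and `deploy` resolves to deploy.exe over deploy.cmd purely because .exe precedes .cmd in PATHEXT; anything that appears in the "losers" list of your own environment deserves a look, especially when the winner lives in a world-writable or recently changed directory.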