Archive bomb?

Hi forum members,

Encouraged by ReVaN I fired up the F-Prot DOS scanner from my Mem Stick and did a thorough deep scan. It came up with a browser archive file in WINDOWS\APPLIC~1\MOZILLA\FLOCK\PROFILES\84SXAZ~1.DEF CACHE\XXXXXX~1 as suspicious. The file was encrypted and I fed it to Jotti.de to no avail: results nothing detected on all scanners, all green, ergo OK. But when uploaded to VirusTotal I got the following results: F-Prot of 01.07.2006 “could be an archive bomb”; McAfee 4559 of 01-06-2006 came up with “potentially unwanted program Pwdump” (this is a legitimate password dump tool from LOPHT, which can be used for legitimate or malicious purposes as well); Ikarus 02.590 of 01.05.2006 came up with “implausibility archiv”.
I know McAfee does not find this under normal conditions; the scanner must be set specially to get results on legitimate “exploits”, so it ignores logic bombs and archive bombs by default.
Are these things only found by heuristic scanning? I know there is always the possibility of an FP, but it is a file one can live without. What is the best policy to follow on such a find?
I am open to debate. There are cases where admins who fear lay-off plant logic bombs to wreak havoc on intellectual property, and later it could only be reconstructed through third parties because there were no back-ups. This of course is a worst-case scenario, but it shows that logic bombs must be traced. On logic bomb audits read: http://www.yourwindow.to/information-security/gl_logicbomb.htm

polonus
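Editor's note: the “could be an archive bomb” / “implausibility archiv” verdicts above are what a scanner's static archive heuristic reports when the declared uncompressed size is implausibly large relative to the compressed size, or when archives are nested many levels deep. The script below is an added example of that heuristic (not code from the thread or from any of the scanners named); it inspects a ZIP's central directory without extracting anything, recurses into nested ZIPs under a size cap, and flags implausible ratios and depth. The thresholds (100:1, 1 GiB, 2 levels, 8 MiB read cap) are assumptions chosen for illustration, and the sample archives are constructed in the script itself. Needs Python 3.9 or newer.

```python
"""Static checks for archive bombs: inspect the ZIP central directory for an
implausible compression ratio or deep nesting before extracting anything.
Thresholds are illustrative assumptions, not values from any real scanner."""
import io
import random
import zipfile

MAX_RATIO = 100.0                 # uncompressed/compressed above this is implausible for real data
MAX_TOTAL_UNCOMPRESSED = 1 << 30  # refuse anything that declares more than 1 GiB in total
MAX_NESTING = 2                   # zip-in-zip deeper than this is treated as suspicious
NESTED_READ_LIMIT = 8 << 20       # never pull more than 8 MiB of a nested member into memory


def inspect_zip(data: bytes, depth: int = 0) -> dict:
    """Summarise a ZIP held in memory. Only central-directory metadata is used;
    members are not extracted (nested zips are read into memory under a size cap)."""
    report = {"compressed": 0, "uncompressed": 0, "ratio": 0.0,
              "depth": depth, "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            report["compressed"] += info.compress_size
            report["uncompressed"] += info.file_size
            if not info.filename.lower().endswith(".zip"):
                continue
            # Nested archive: bound both the depth and the bytes we are willing to read.
            if depth + 1 > MAX_NESTING:
                report["suspicious"].append(
                    f"nesting deeper than {MAX_NESTING}: {info.filename}")
                continue
            if info.file_size > NESTED_READ_LIMIT:
                report["suspicious"].append(
                    f"nested archive {info.filename} declares {info.file_size} bytes")
                continue
            with zf.open(info) as member:
                inner = member.read(NESTED_READ_LIMIT + 1)
            if len(inner) > NESTED_READ_LIMIT:  # the header lied about the size
                report["suspicious"].append(
                    f"nested archive {info.filename} larger than declared")
                continue
            try:
                sub = inspect_zip(inner, depth + 1)
            except zipfile.BadZipFile:
                report["suspicious"].append(f"nested member {info.filename} is not a valid zip")
                continue
            report["suspicious"].extend(sub["suspicious"])
    report["ratio"] = report["uncompressed"] / max(report["compressed"], 1)
    if report["ratio"] > MAX_RATIO:
        report["suspicious"].append(
            f"compression ratio {report['ratio']:.0f}:1 exceeds {MAX_RATIO:.0f}:1")
    if report["uncompressed"] > MAX_TOTAL_UNCOMPRESSED:
        report["suspicious"].append(
            f"declared total {report['uncompressed']} bytes exceeds {MAX_TOTAL_UNCOMPRESSED}")
    return report


def _zip_bytes(members: dict) -> bytes:
    """Build a DEFLATE-compressed ZIP in memory from {name: payload}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def make_bomb() -> bytes:
    # Constructed sample: 16 MiB of zeros deflates to roughly 16 KiB (about 1000:1).
    return _zip_bytes({"zeros.bin": b"\0" * (16 << 20)})


def make_benign() -> bytes:
    # Constructed sample: pseudorandom bytes barely compress, so the ratio is about 1:1.
    return _zip_bytes({"noise.bin": random.Random(1).randbytes(64 << 10)})


def make_nested_bomb(levels: int = 3) -> bytes:
    # Constructed sample: the bomb wrapped in `levels` outer zips. The outermost
    # archive looks harmless on its own (tiny in, tiny out); only recursion reveals it.
    inner = make_bomb()
    for i in range(levels):
        inner = _zip_bytes({f"layer{i}.zip": inner})
    return inner


if __name__ == "__main__":
    for name, blob in (("benign", make_benign()), ("bomb", make_bomb()),
                       ("nested", make_nested_bomb())):
        r = inspect_zip(blob)
        print(f"{name}: ratio {r['ratio']:.1f}:1, findings: {r['suspicious'] or 'none'}")
```

Two caveats a practitioner should keep in mind. The sizes in the central directory are attacker-controlled, so a check like this is a triage heuristic; whatever does the real extraction still has to cap bytes written and depth as it goes, not trust the declared totals. And highly compressible legitimate data (sparse disk images, log files full of repeated lines) will exceed a 100:1 ratio, which is exactly why scanners phrase the verdict as “could be” and why a quarantine-and-submit policy rather than an outright delete is the sane default for a single hit like this.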

Well, it doesn’t look like a crucial file, so I guess I would delete it (put it in the chest, actually). But I still think it’s a false positive, Damian. You could send it to Alwil for analysis, I guess.