Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Old Malware Tricks Still Defeat Most AV Scanners

ScuttleMonkey posted more than 5 years ago | from the losing-the-arms-race dept.

Security 122

SkiifGeek writes "A year ago Didier Stevens discovered that padding IE malware with 0x00 bytes would happily slip past most of the scanners in use at VirusTotal.com. Revisiting his earlier discovery, Didier found that detection on his initial samples had improved, but not by much. For all the talk of AV companies moving away from signature based detection to heuristics, it is painfully obvious that not many of the tested engines can successfully handle such a simple and well known obfuscation method and the best of those that can detect the obfuscation can only detect it as a generic malware type. At least the scanning engines that can detect the presence of malware with the obfuscation aren't trying to claim each differential as a new variant."

cancel ×

122 comments

Sorry! There are no comments related to the filter you selected.

Fir0x00st! (5, Funny)

fph il quozientatore (971015) | more than 5 years ago | (#25677111)

Fir0x00st!

This just in... (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25677423)

... Michele Obama is a MAN!!!

Re:Fir0x00st! (0, Offtopic)

Enderandrew (866215) | more than 5 years ago | (#25678237)

That is the first time I actually enjoyed a "first" post. I guess there is a "first" time for everything.

Re:Fir0x00st! (4, Funny)

Zencyde (850968) | more than 5 years ago | (#25681217)

Strangely, the 0x00 exploit even works on Slashdot... you've somehow gotten a "first post" to +5 Funny. If that's not hacker-worthy, I don't know what is.

Re:Fir0x00st! (0)

Anonymous Coward | more than 5 years ago | (#25682741)

Thanks for making the joke less funny by exposing it.

Re:Fir0x00st! (1)

jgtg32a (1173373) | more than 5 years ago | (#25681249)

Please tell me that /. has a filter for the "first" comment.

Padding with 0x00 bytes? (5, Funny)

glindsey (73730) | more than 5 years ago | (#25677115)

So padding it with nothing makes it undetectable? I never thought of that!

Re:Padding with 0x00 bytes? (1)

sshuber (1274006) | more than 5 years ago | (#25677127)

Security through obscurity.

Re:Padding with 0x00 bytes? (3, Insightful)

corsec67 (627446) | more than 5 years ago | (#25677209)

Since this is viruses evading detection, wouldn't this be "Insecurity through obscurity"?

Re:Padding with 0x00 bytes? (1)

jopsen (885607) | more than 5 years ago | (#25677791)

I think maybe parent i trying to imply that anti virus systems only provides security through obscurity.

Re:Padding with 0x00 bytes? (4, Interesting)

mrops (927562) | more than 5 years ago | (#25678439)

Man, Let me tell you, Viruses have evolved. Really evolved. I don't run a anti-virus at home, don't like them.

In a moment of weekness I started watching a downloaded version of stargate, missed it on friday :( the WMV movie asked for a "codec" to be installed, guess what... (I know I should have know better)

Its been 4 weeks and I am still struggling with this virus. Most virus scanners detect this beast, however in my last 4 weeks, none can properly clean it. This has become somewhat of a challenge.

I have discovered so far, that
- it is installed as windows driver,
- this driver gets notified at winlogon
- the driver creates a exe
- the exe executes and stays in memory
- the virus driver file then mutates and goes elsewhere, again to come back at the next logon, this mutation is what virus scanners can't work with.
- Spreads via Windows networking to other computers on the network, this however only if the other computers have any shared writable folders.

Yesterday, I discovered, the crappy thing downloads and installs stuff off the internet.

Fortunately I have all data backed up.

I can re-install my XP anytime, but this has become too challanging to let go.

Here is a kicker, I tried infecting a qemu emulated XP VM, guess what, there is a newer version of the virus, somewhat different than 4 weeks ago. The new codec that downloaded wasn't the same that got downloaded to my machine.

So it seems these virus/trojan developers are well funded and doing this as a day job. Hoping this trojan shares some mp3s so RIAA can go after them, they seem to be more effective than FBI in tracking this kind of a thing.

Here to some good news, my dad's Vista PC is immune to this virus, so Microsoft may have done something right, or maybe the virus/trojan developers are not targeting Vista.

Re:Padding with 0x00 bytes? (2, Informative)

Schadrach (1042952) | more than 5 years ago | (#25678485)

Virtumundo?

Re:Padding with 0x00 bytes? (3, Informative)

Tony Hoyle (11698) | more than 5 years ago | (#25678729)

If it's the one I saw the driver even gets loaded in safe mode.

You have to boot onto a rescue DVD and find the driver file, delete that and it'll stop the driver loading. Then boot into safe mode (if you boot into normal mode the user mode code will reinstall the driver) and find every copy of the executable and nuke it.

If you miss one it's back to square one.

Personally I'd just reinstall...

Re:Padding with 0x00 bytes? (4, Insightful)

ion.simon.c (1183967) | more than 5 years ago | (#25678883)

K. Start using Mplayer [1] and VLC [2] NOW. They ignore the executable parts of MSFT's multimedia formats.

[1] Grab the "Windows GUI" and the "Windows X86 codec package" from here: http://www.mplayerhq.hu/design7/dload.html [mplayerhq.hu]
[2] http://www.videolan.org/vlc/ [videolan.org]

Re:Padding with 0x00 bytes? (0)

Anonymous Coward | more than 5 years ago | (#25681541)

Mod up! This gets a '3' and the Braindead OP gets 5? C'mon, this is /.

Re:Padding with 0x00 bytes? (2, Informative)

JCSoRocks (1142053) | more than 5 years ago | (#25681983)

I've tried VLC recently but I couldn't even get it to play the audio track on a .MOV file... I dropped it shortly after that. Is MPlayer any better? I remember using it long ago but I stopped bothering to install it every time I rebuilt.

Re:Padding with 0x00 bytes? (0)

Anonymous Coward | more than 5 years ago | (#25683001)

Posting anon so's not to nuke mod points I've awarded.

VLC is not as good at handling .mov as other formats for some reason. If you have a lot of them, Quicktime Alternative [free-codecs.com] is worth a shot. Otherwise VLC seems to handle pretty much everything I have thrown at it, usually using less system resources than Windows Media Player or such like. For some reason, though, it disables DVD deinterlacing by default, which si never what's wanted unless you have a progressing scan DVD - not even sure if these exist. It's a second's work to enable it, but I often come in to find my kids watching video marred by irritating horizontal lines.

Re:Padding with 0x00 bytes? (1)

lysergic.acid (845423) | more than 5 years ago | (#25683181)

personally, i use BS.Player PRO (there's also a free version), which loads quite fast, has a very small memory footprint, and also has some nice looking skins. it plays .avi, .wmv, and .mkv, and most .mov files i've encountered.

i also have VLC player installed, which i use to open .mov files that BS.Player won't play for whatever reasons, but the interface is kinda crappy; it opens two player windows; and it crashes whenever i try to close the inactive player window or just the whole program. maybe i have an old version, but it just doesn't seem very stable or as polished as BS.Player.

i rarely ever use WMP except when i need to open a second player while BS.Player is already open (in the middle of a movie that i don't want to lose my spot in).

Re:Padding with 0x00 bytes? (1)

ion.simon.c (1183967) | more than 5 years ago | (#25683183)

Short answer:
I don't know if Mplayer will play that audio track on the QuickTime video in question. I've not had trouble with the QT movie files that I've run into. However, QuickTime is always a little iffy on OSS video players. It seems that there's always some new version out in the wild.

Details:
I've installed the complete codec packages with every mplayer install that I have. [1]
(I'm not gonna link to them here. I bet that you can suss out the link from the mplayer download page.)
I've had trouble with no QuickTime videos that I've randomly run across on the Web. [2] I've had nothing but trouble with QuickTime VR files. They usually play every frame contained within at a very high speed. Navigation of the scene is impossible.

[1] Please keep a local copy of the codecs package. The mplayer folks say that the vast bulk of their traffic comes from folks downloading the codecs packages. It'd be nice to save them a buck or two. ;)
[2] I don't usually *seek out* QT videos, so your failure rate may be higher.

Re:Padding with 0x00 bytes? (3, Informative)

Mister Whirly (964219) | more than 5 years ago | (#25679193)

"I don't run a anti-virus at home, don't like them.

I am not overly fond of most AV software either, but I like an infected machine even less.

Re:Padding with 0x00 bytes? (1)

jgtg32a (1173373) | more than 5 years ago | (#25681273)

DD is your friend

Re:Padding with 0x00 bytes? (1)

sponga (739683) | more than 5 years ago | (#25679409)

Yah I don't have to run A-squared anti virus, spybot S&D, Ad-aware or any of the other stuff that I used to have to run with XP.

I don't understand why they wouldn't want to attack Vista?
For now it is a huge leap from XP in security, but eventually things get exploited and it is only a matter of time. Although with Vista I think we can avoid those drive by downloads a lot more and it will come down to once again the user clicking 'Yes/Allow' which will be the kicker. Some of the worst ones are the cracks for programs.

Even than viruses that have wreaked havoc on my XP machines have done nothing but been denied on the Vista machine.

Kind of relieving since it was almost a annoying habit of having to worry where I tip toe on the internet and the annoying habit of constantly having to run my anti-spyware. Almost an addiction having to run those programs or maybe every time after you ran it, it just made you more paranoid.

That is to teach people (1)

marcosdumay (620877) | more than 5 years ago | (#25679899)

Windows makes a bad media player. Linux is way better for handling multimedia files (if your country doesn't make it illegal, of course).

RECOVERY CONSOLE COMMAND DISABLE STOP DRIVER (3, Informative)

Anonymous Coward | more than 5 years ago | (#25681261)

"I have discovered so far, that
- it is installed as windows driver,
- this driver gets notified at winlogon
- the driver creates a exe
- the exe executes and stays in memory
- the virus driver file then mutates and goes elsewhere, again to come back at the next logon, this mutation is what virus scanners can't work with.
- Spreads via Windows networking to other computers on the network, this however only if the other computers have any shared writable folders.
- by mrops (927562) on Friday November 07, @01:40PM (#25678439)

Install RECOVERY CONSOLE as a bootup option

(Its installer alters boot.ini for this as it installs & it adds a bootup menu choice/option for using it once you reboot after installation of it)

To install it, that is done from your OS installation media's I386 Folder, via the commandline ->

winnt32.exe /cmdcons

Once it is in place?

You can issue the LISTSVC command there, & it will show this trojan/virus' name once you scan the list of drivers &/or services it presents (look carefully, & odds are, you will see it there).

Then, you would use the DISABLE command on it (that stops both services, AND, DRIVERS too) - ENABLE is the opposite command, just so you know (&, in case you make a mistake here).

APK

P.S.=> The Windows Networking you mention? I am going to assume File & Print sharing via LanManager networking... & IF you don't use a home LAN (or, connect into a work LAN/WAN, remotely from this infected system)? You can actually REMOVE it a couple ways (easiest ones are stopping the SERVER service via services.msc & setting its startup type to DISABLED (server provides file & print sharing is why) OR, just go to your LOCAL AREA CONNECTION, & uncheck (if not totally remove) "File and Print Sharing" and "Client for Microsoft Networks" there (because all you REALLY NEED to be online, is Tcp/IP)... this will not only help secure you, & stall this machination on your system, BUT, it will also give you back CPU cycles, memory, & other forms of I/O too, because you will be cutting off things you may have running that you do NOT really need to be... IF you are not part of a LAN/WAN, that is... apk

The WinLogon section: Stop the 'phalanx' driver! (2, Informative)

Anonymous Coward | more than 5 years ago | (#25683311)

In addition to what I posted originally here (thanks for the "modded up" status too, whoever did so):

http://it.slashdot.org/comments.pl?sid=1021873&cid=25681261 [slashdot.org]

?

To access & stop the "backup" of this trojan's driver, since it apparently is using a form of "phalanx-like" backup of itself & its constituent part? Well, go here, using REGEDIT.EXE, once you reboot (after using RECOVERY CONSOLE's LISTSVC, + DISABLE comamnds to stall the driver itself) because this 'backup' portion you're seeing @ WinLogon MAY undo what you did, in deactivating the trojan's driver portion:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

And, in the right-hand side pane of REGEDIT.EXE? Look for the SHELL line (should ONLY have Explorer.exe in it) - odds are, that's the part that's controlling this 2nd part you noted, that notifies the trojan's driver portion!

Good luck!

APK

P.S.=> IF this thing's 2nd 'backup' portion isn't there, in the WINLOGON section you mentioned?

Then, examining ALL other startup areas (prior to the explorer.exe shell logon by you), to find its other part...

MSCONFIG.EXE is decent for this!

Autoruns (sysinternals/MS) is also...

OR

Startup CPL (Mike Lin)

Are ALL/EACH good candidates for the job...

(If not digging for those sections via REGEDIT.EXE (You'll need a list of startup areas Window has though, & it's MUCH MORE MANUAL than the other tools I noted/listed, a downside of doing it manually really vs. using automators such as the progs I just listed))... apk

Re:Padding with 0x00 bytes? (1)

gravis777 (123605) | more than 5 years ago | (#25681351)

I had a Virtumondo virus that did the same thing. I wrote up procedures for removing this. Maybe this will help:

So I attemped a manual removal of the virus yesterday, and succeded. However, the process was so messy and time consuming, it probably would have taken less time to reimage. First thing is to go in and manually delete the trash files. Look in the program files directory. The one I noticed yesterday was called GameVance, which advertises itself as a free online gaming site. You can simplify this matter by searching by Date Modified. On the machine I was working on yesterday, GameVance was installed on Auguest 10th, so this gave me something to look for. I first logged into the users computer and uninstalled GameVance. This took care of the rogue program, now I had to take care of the virus.

Reboot. BACKDOOR into the machine. The reason for this is at the virus is attached to exlorer, it will keep you from removing the files if you are on that machine. So, we are backdoored, so firs thing is to double check the Program files Directory and remove any remains that linger. Then go into both the users profile directory and the all users, and look under Application Data and Local Settings for anything weird. I found somthing floating in c:\documents and settings\bdennix\Application Data - there was a directory in there of a ton of strange characters. I deleted this.

Go into the Windows directory, and sort by date. I had to edit the winnt.ini file, as it was calling the virus in this file. I would definately check your INI files - anything recently modified. You will then go into the System32 directory, and sort by date. You should see several files with random characters, all generated on or around the same date. Anything newer than that means that something has tried to clean up the files and the files have been recreated. Delete everything you can. Make notes of file names you cannot remove.

Launch regedit. HKey_Local_machine\software\microsoft (if i remember right), and look in the windows and the windowsnt keys. You are looking for Browser Helper Objects, Explorer, and Winlogon. I saw nothing unusual in Explorer, but there was a lot of stuff in browser helper objects and Winlogon. Unfortunately, legitimate files also have very undescriptive key names, and are usually randomly generated characters, so its impossible to distinguish between what is good and what is bad. Go ahead and delete all the keys. This WILL screw up windows, but we will fix that in a bit. Note that after you reboot, Windows will NOT come back up as the Winlogon is now hosed.

Boot off of a Windows XP disc, and go into repair console. Delete all the remaining rougue files in the system32 directory.

You will now need to do a repair install of Windows. This takes quite a while to do.

When done, Windows should boot back up and let you log back in. Login (preferably as an administrator), run MSConfig, and make sure that nothing got rewritten to the startup files. If it is, its okay because the files are gone, it will just throw up error messages saying that files are missing.

Restore the users wallpaper. Update Internet Explorer to 7. Update Java. If they use Firefox, update to newest version of Firefox. Turn on automatic updates. Run CCleaner to clean up remaining registry keys that may remain. Install Service Pack 3.

This sucessfully got rid of the virus for me, however, this was so tedious and took so long, it would have been much easier to just reimage her.

Re:Padding with 0x00 bytes? (4, Insightful)

PitaBred (632671) | more than 5 years ago | (#25681585)

Might be time to start running your machine as a non-admin user. I'd be willing to bet that's what the difference between your Dad's Vista PC and yours is.

Re:Padding with 0x00 bytes? (2, Interesting)

rebootconrad (836537) | more than 5 years ago | (#25678085)

You know, posting it to virus total just runs it through a static file scanner. Most IE exploits are caught when they attempt to install - you can obfuscate the static code, but you can't obfuscate the call to the system API. VirusTotal is a useful resource, but it doesn't really show anything when it comes to live threats.

Re:Padding with 0x00 bytes? (2, Funny)

floorpirate (696768) | more than 5 years ago | (#25678503)

If someone ever figures out how to translate 0x00 bytes into something that can affect human senses, they'll have developed the Somebody Else's Problem field!

Re:Padding with 0x00 bytes? (1)

Tony Hoyle (11698) | more than 5 years ago | (#25678767)

It's the equivalent of Clark Kent taking off his glasses so that nobody recognizes who he is when he's flying around in spandex.

Re:Padding with 0x00 bytes? (2, Funny)

Zencyde (850968) | more than 5 years ago | (#25681283)

Wow.. that analogy made sense. I propose Slashdot move from car analogies to Superman analogies. All in favor?

Aye (1)

furbearntrout (1036146) | more than 5 years ago | (#25681855)

In the interest of _not_ getting modded off-topic, this probably should be submitted as a poll.

uh oh (4, Funny)

gEvil (beta) (945888) | more than 5 years ago | (#25677137)

At least the scanning engines that can detect the presence of malware with the obfuscation aren't trying to claim each differential as a new variant.

Don't give the guys in marketing any ideas. "New and Improved! FoobarAV now detects an infinite number of viruses! Compare that with Norton's piddly 30,000."

Re:uh oh (4, Interesting)

noundi (1044080) | more than 5 years ago | (#25677287)

Your post gave me a thought. How come no AV markets their software using relativity? I mean what use does the average user have for a software that detects a decade old piece of malicous code, that most likely doesn't even work anymore? Perhaps it's time that they market their software with fixes for current problems, not brag about their huge bank of outdated viruses. That creates nothing but a bloated AV, which in the end will most likely hog your system more than it should.

Re:uh oh (4, Funny)

sexconker (1179573) | more than 5 years ago | (#25677347)

Detects 70%* of viruses, 60%** of malware, 20% of trojans***, and 1% of rootkits****!

*Includes false positives
**Includes tracking cookies
***Any generic threat found is counted as a virus and a trojan
****Removal of rootkits is not supported in AV Total Security Home 2008 + Firewall. To remove rootkits, you must purchase the value-add Anti-Rootkit Pro module.

Re:uh oh (4, Funny)

zappepcs (820751) | more than 5 years ago | (#25677425)

Pardon me young man. You do work here, don't you?

Well, yes, you can help me. I was just wondering if you can explain the differences between the Value-add Anti-Rootkit Pro module and the Value-add Anti-Rootkit Amateur module.

You see, my wife doesn't think I should be messing with anything for professionals, so I need to know the differences.

Re:uh oh (3, Informative)

Anonymous Coward | more than 5 years ago | (#25678457)

Detects 70%* of viruses, 60%** of malware, 20% of trojans***, and 1% of rootkits****!

*Includes false positives
**Includes tracking cookies
***Any generic threat found is counted as a virus and a trojan
****Removal of rootkits is not supported in AV Total Security Home 2008 + Firewall. To remove rootkits, you must purchase the value-add Anti-Rootkit Pro module.

Just had a virus hit at work.
Symantec 'detected' it but didnt stop it at all, within minutes we had ~60 computers infected.

Thank god the other 1200 computers we have where running linux.

Re:uh oh (1)

sexconker (1179573) | more than 5 years ago | (#25678571)

You think that's bad? I had a machine here running Symantec Endpoint 11 detect some sort of worm via the auto-protect bullshit.

It gave two notifications:
It found it, and failed to fix it.
It found it, and fixed it.
Ok, sure, it tried to clean it couldn't, then decided to just delete it. Fine.

So I run a full scan just to make sure it's gone. Nothing shows up in the scan. Great. But during the scan the auto protect popped up with the same notifications.

Anti virus software is pretty much the worst thing you can install on your system.

Re:uh oh (1)

Mister Whirly (964219) | more than 5 years ago | (#25679237)

"Anti virus software is pretty much the worst thing you can install on your system.

Next to an actual virus....

Re:uh oh (2, Funny)

jgtg32a (1173373) | more than 5 years ago | (#25681315)

Not so much anymore most virus's these days just want to leach your bandwidth and DOS someone else, there is less of a performance loss when compared to most AV software

Re:uh oh (1)

JCSoRocks (1142053) | more than 5 years ago | (#25682079)

Until you get a ton of them on your machine and starting IE (of course they're starting IE, FF users don't have these problems!) takes 10 minutes.

Re:uh oh (0)

Anonymous Coward | more than 5 years ago | (#25679881)

this is not disturbing. perhaps while you were scanning, you were also reading email or browsing the web. you hit an email or web page that had something bad. your scan would not detect that if auto-protect caught it before it had a chance to grow on your hard drive. or perhaps you were being actively attacked through your network.

anti-virus is great. it's not perfect and never will be. 'anti-virus is worthless'...that's exactly what the malware writers want you to think. because of this attitude, they probably already have all Mac OS X computers in the world in their bot-net because of this attitude. they are just waiting for everyone to switch before they turn them on.

Re:uh oh (1)

Thaelon (250687) | more than 5 years ago | (#25678549)

You're not taking if far enough.

All virus scanners are band aids for design flaws in the Windows* that allow the things in the first place - such as running as an admin. And they're all imperfect at best since none of them can stop 0 day attacks. Which is when you need them to work the most.

Think about that for a second. The time when you're most vulnerable is precisely the same time when your virus scanner is least effective.

It's ok, you can uninstall all the "always running" components now, never look back. Sure you can still run periodic scans to make sure.

After over a decade of windows usage I've learned to work around most of its shortcomings. You can do these few things and remain relatively safe:

  • run questionable software as a user that only has read privileges to the directory the executable is in - and no other permissions of any kind, anywhere
  • only, ever use your own bookmarks to get to sites with financial or other important info like your bank or paypal, regardless of the convenience of links sent via email
  • don't use Internet Explorer
  • don't use Outlook Express

If you these few things, and are cautious with anything downloaded or executed, you don't really need a virus scanner.

*Come on, is there even a market for commercial non-Windows virus scanners?

Relativity? Hmmm. (1)

jd (1658) | more than 5 years ago | (#25679507)

"Our anti-virus kit moves over files so quickly, the virus shrinks to zero length and has infinite mass!"
"The new herustic bends space-time, causing malware to fall off the edge!"
"AVSoft's new scanner sends you backwards in time, so you were never infected in the first place!"

Re:uh oh (1)

EchaniDrgn (1039374) | more than 5 years ago | (#25680909)

Whereas I agree that some sort of relevance in advertising would be nice, as to how up to date their latest improvements are, I do think it's a good selling point to state that you can handle previous viruses as well. If an anti-virus software can't handle a virus from 10 years ago then it's like a parent that doesn't get their kid vaccinated for measles because they haven't had a big outbreak recently. It just takes one instance of the virus to totally wreck your day.

Just my two cents.

Re:uh oh (5, Insightful)

mewshi_nya (1394329) | more than 5 years ago | (#25677293)

and both foobar and norton will suck. It's not the numbers it *can* detect, it's about how *well* it detects them and how little resources it takes.

I blame... (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25677141)

...the Jews. They've been padding their noses with 0x00 for years now, and it has enabled them to walk among us as if they were normal, God-fearing Christians as they should be.

I still shudder at the scent of lox and gefilte...

I've got bad news for you... (0)

Anonymous Coward | more than 5 years ago | (#25679007)

I still shudder at the scent of lox and gefilte...

Then read this! [barackobama.com]

What they lied about using heuristics? NEVER! (3, Interesting)

topham (32406) | more than 5 years ago | (#25677261)

Considering the arguments I got in between the word 'Signatures' and 'Heuristics' when it came to anti-virus I'm not surprised.
They think heuristics are BLAH.*BLAH instead of BLAH...BLAH.

And even then, they don't get it right.

Re:What they lied about using heuristics? NEVER! (1)

TheLink (130905) | more than 5 years ago | (#25679775)

Actually I'm glad that the malware people are focusing their attention on Windows.

Imagine what the malware people would be able to do with stuff like perl. Polymorphic? No problem, heck it might even be able to use search engines to look for "updates" and check to see if the update code runs OK.

Perl is installed by default on popular Linux distros, and some BSD - so it can be cross platform.

If you had millions of the typical windows users using Ubuntu, there'll be a lot more zombies and they'd be really capable.

A fair number of windows users have proven that they will enter a password in an email to decrypt an attached encrypted zipfile and then run the malware in it...

So guess how hard it will be to get them to run a perl script as root - either via sudo or other means.

Linux, OSX etc is not significantly safer than Windows from a tech security POV.

Re:What they lied about using heuristics? NEVER! (1)

kv9 (697238) | more than 5 years ago | (#25681007)

If you had millions of the typical windows users using Ubuntu [...]

if? I thought that's a given.

Of course they do ... (1, Insightful)

Eros (6631) | more than 5 years ago | (#25677339)

Of course they still fool AV scanners. If they didn't how would they be able to sell you a malware scanner on top of your AV scanner?

It's worse than we suspected... (1, Informative)

rickb928 (945187) | more than 5 years ago | (#25677363)

...and this [xkcd.com] pretty much says it all. Even for Windows.

We are in serious trouble, and have been for a while now. And nowhere to migrate to.

Re:It's worse than we suspected... (0)

Anonymous Coward | more than 5 years ago | (#25678173)

Seriously? Why would you link straight to the image? Here is the proper link to the comic [xkcd.com] in question (which includes title text).

Applied AI (2, Interesting)

khellendros1984 (792761) | more than 5 years ago | (#25677379)

It seems like this is exactly the sort of place where AI could be useful...disassemble some binary data, figure out what it does, and use *that* as a sort of signature. The behavior of the program is the thing that causes a problem, anyhow.

Re:Applied AI (3, Informative)

Anonymous Coward | more than 5 years ago | (#25677493)

http://en.wikipedia.org/wiki/Halting_problem

Re:Applied AI (1)

JustinOpinion (1246824) | more than 5 years ago | (#25679019)

What does the halting problem have to do with this?

The halting problem might be relevant if you absolutely needed a provably (in the mathematical sense) perfect analysis of the algorithm that a binary implements. But any practical implementation of mawlare detection wouldn't need to be perfect: it would just have to disassemble the binary and pull out algorithmic motifs, and check these against a database (where the motif "loop over values and store to single file" is okay but "loop over all files on disk and insert code into each one" is not okay).

Bringing up the halting problem is basically saying "there are theoretical reasons why you cannot build a perfect algorithm classifier... so why bother trying?" We don't need perfect. We just need useful.

Re:Applied AI (0)

Anonymous Coward | more than 5 years ago | (#25679873)

That's easy to get around if you're willing to accept a few false positives: just make the policy default-deny. You can't always prove that a given program is safe or malicious, so only allow programs you can demonstrate to be safe. If you're not sure, assume it's malicious unless explicitly directed otherwise.

Credit Card Companies (4, Insightful)

MozeeToby (1163751) | more than 5 years ago | (#25677437)

You know how you charge something, sign for it and no one looks at or cares about the signiture. There's a reason for that. Credit Card companies have figured out that verifying identity is impossible. Instead they try to verify by transaction by looking at the recent pattern of purchases for signs of theft.

Instead of trying to identify incoming virusses, they should be focusing on removal tools and monitoring. Watch the processes for unnusual behavior and flag the user if something is detected, then actually get rid of the virus if the user agrees with the analysis. Granted, unusual behavior is a pretty vaguely defined concept, but that seems a lot more adaptable to new threats than the current methods.

Re:Credit Card Companies (4, Insightful)

compro01 (777531) | more than 5 years ago | (#25677523)

Problem being, with lots of machines, they become infected on such a regular basis that your "unusual behaviour" is common enough that it becomes usual behaviour!

Re:Credit Card Companies (4, Interesting)

peragrin (659227) | more than 5 years ago | (#25677587)

while you are correct, the problem lies with the OS that needs the most AV support. Windows itself acts like a virus to change memory locations when certian apps are run. Thisis to ensure compatibility. With Vista msft has been trying to change such behaviour, but it took 6years for msft to notice the problem and at least until win7 until things start working better. Linux and OSX don't suffer from such things as badly as they depracrate old buggy features ona regular basis.

Re:Credit Card Companies (0)

Anonymous Coward | more than 5 years ago | (#25678459)

Vista is the first version of windows to randomise the address space of loaded libraries, XP and below all have them in the same place between boots.

Re:Credit Card Companies (1)

ion.simon.c (1183967) | more than 5 years ago | (#25679939)

And *nix and BSD have been doing this for *ages*. : D

Re:Credit Card Companies (4, Insightful)

geckipede (1261408) | more than 5 years ago | (#25677663)

Unfortunately all that monitoring software can do is make a guess and then ask the user whether something should be allowed. The click-happy average user is even easier to fool than software. There's no way around it, if you want complete confidence in the security of your system, you have to understand what everything running on it should or should not be doing. A security product based on whitelists of known software would be interesting and probably quite effective, but I suspect not very popular.

Re:Credit Card Companies (2, Interesting)

Ranzear (1082021) | more than 5 years ago | (#25678319)

I so much more enjoy Antivir's almost purely-background scanning. Every detection I get on a machine I install it on is upon is upon access, and it's even capable of detecting within compressed file formats as soon as you open them. Theres no need for a piece-by-piece thorough scan of every piece of code and every file on the harddrive, and thats even becoming prohibitive anymore. Its no longer a matter of looking at what a file is or contains, but at what it -does-. A process that reads memory from other processes, opens a high port number, and attempts to send out packets should raise immediate red-flags, yet could contain enough junk between the functional bits to disguise itself as a 3D-rendering program. My favorite notion about Norton's product is that its very, VERY secure - particularly because it eliminates the user being able to perform almost any task on the machine. Its almost the predecessor of UAC, and falls into a category I dub 'Security through Dysfunction'. Stopping to check every process running on a machine is about as effective as stopping every vehicle at the border and asking if they have bombs or weapons or... okay bad analogy.

Re:Credit Card Companies (4, Interesting)

nabsltd (1313397) | more than 5 years ago | (#25678431)

The thing about anti-virus software is that is stupidly tries not to be intrusive. AV software could be pretty much 100% effective with a few tiny changes, but those changes will make it more visible and annoying.

  1. At install, the AV software adds a "run at reboot" entry that runs in the PE boot time, before most (but not all) other processes get a chance to run and does a full system scan at that point. You don't get to continue the install until you agree to this reboot.
  2. After the scan, the AV software (still in the PE environment) picks a few select directories (like "C:\Windows" and "C:\Program Files") and creates checksums of all files in those directories (or subdirectories).
  3. When the re-boot finishes and the install completes, the user is given the option to add other directories to the "safe" list, and file checksums in those directories are computed.
  4. After this, the AV software will not allow a file on disk to be run as an executable unless it is in one of the "safe" directories and the checksum exists and has not changed.
  5. Any other attempt to execute a file results in a full scan of the file using the virus signatures, and the user is then given a warning about running non-trusted executable and analysis of the scan.
  6. The AV software will provide a way to manually update the "safe" directories, so that after you install software you can run it, but there should be no way to automate it.
  7. As an option, the AV software blocks write access to every executable file in the "safe" directories.

This won't protect against scripting language malware and exploits of ActiveX (or other in-process DLL code), but it will tend to stop what they can do in the long run. Exploit code can create an executable in some directory, but it won't be able to be run without a warning, even if that code contains no known virus.

Re:Credit Card Companies (1)

UncleTogie (1004853) | more than 5 years ago | (#25681065)

Any other attempt to execute a file results in a full scan of the file using the virus signatures, and the user is then given a warning about running non-trusted executable and analysis of the scan.

Would any system file updates from {insert OS company here} automatically be added to the checksum list, or would this need to be done manually? Could the update process itself be exploited if the former applies?

Re:Credit Card Companies (1)

sootman (158191) | more than 5 years ago | (#25679299)

Getting a bit OT here, but signatures aren't so much a proof of identity anymore as they are proof of consciously committing fraud. It's one thing for a crook with a stolen card to say "Huh, I thought it was mine, I've got another card that looks just like it, I must have found that one on the floor, forgot about it, and accidentally used it." It's another thing to tell that same story with "and then I must've accidentally signed someone else's name, too" at the end.

On a related note, I've got a friend that everyone knows as (something like) Bob Smith, but his legal name, and what he signs, is Robert Smith III. Someone filled out some paperwork and signed "Bob Smith" so in this case it was in fact one more piece of evidence that he wasn't the one who signed it.

Re:Credit Card Companies (1)

mkraft (200694) | more than 5 years ago | (#25679917)

And then you end up with something like Vista's UAC which is universally hated.

Re:Credit Card Companies (1)

compro01 (777531) | more than 5 years ago | (#25682175)

UAC is a perfectly fine idea. Linux/Unix have been doing much the same with sudo (+its various GUI wrappers) for years. UAC is just a lousy implementation, which can (hopefully) be rectified.

IDW (2, Funny)

Anonymous Coward | more than 5 years ago | (#25677467)

This is the dirty secret of desktop / on-access antivirus scanners; they don't work.

F.D., I work in the industry, and the sole exception from this rule is my own employer's product, xxxxxxxxxxxx, of course.

so what? (3, Insightful)

Cajun Hell (725246) | more than 5 years ago | (#25677609)

If your scanner doesn't say program X is malware, does that mean you should run program X?

Of course not. Quit downloading and running random programs, and your results will be the same whether scanners work, don't work, or you don't have one at all.

Re:so what? (2, Insightful)

Anonymous Coward | more than 5 years ago | (#25677693)

Quit downloading and running random programs, and your results will be the same whether scanners work, don't work, or you don't have one at all.

So your advising that everyone disable javascript, flash, etc in their browsers?

Re: of course (0)

Anonymous Coward | more than 5 years ago | (#25678063)

Absofriggenlutely.

Adblock, noscript, firefox.
I ran Spybot S&D yesterday (first time in several months) and it came up completely empty.

Any site that requires javascript for navigation is broken.

spybot (1)

Smivs (1197859) | more than 5 years ago | (#25678677)

I run spybot around twice a week and mine hsn't found anything for months, except my 'Registryfix' which it thinks is malware...strange.

Re: of course (1)

PitaBred (632671) | more than 5 years ago | (#25681703)

Any site that requires javascript for navigation is broken.

How's 1995 treating you? Animated GIF's still everywhere?

I have no problem with a sitemap, something more compatible with screen readers, but seriously... JavaScript exists, and is quite good at making websites and web apps interactive. That's what it's for. Denying reality is pointless, and even though you claim that any site that requires Javascript as broken, that doesn't make it so. Google Maps, gmail, many other sites that are very useful all require JavaScript, for a very good reason.

Re: of course (1)

turing_m (1030530) | more than 5 years ago | (#25683379)

How's 1995 treating you? Animated GIF's still everywhere?

Do you understand what Noscript actually does? It allows you to very easily whitelist which sites you trust to run javascript/flash. After about a week of enabling sites you frequent (e.g. banking, google maps etc), there is very little upkeep involved, while preventing sundry sites you google from executing code. The effort compared to a full reinstall every 6 months is minuscule, which is why Noscript is so popular.

As the practice of disabling javascript by default becomes more popular, companies should ask themselves whether they really need javascript or flash for what they do. If they are in the position of an 800lbs gorilla (e.g. bank, ebay, amazon, google etc), then they can use javascript for whatever they want. But a lot of smaller companies probably lose some sales because they use javascript where it is not necessary, e.g. in conveying basic product information and price.

Re: of course (2, Interesting)

Keeper Of Keys (928206) | more than 5 years ago | (#25683399)

I am a web developer, quite proficient in javascript, and agree with the GP. No site should *require* js for navigation. There are established ways to mark up your menus, no matter how complex they may be, so that they may be navigated with js turned off while perhaps having enhanced usability or attractiveness for those who allow it to run. This is absolutely essential in the modern web: your most important visitor, the googlebot, doesn't run javascript - and obviously you want it to be able to follow links on your site.

Re:so what? (1)

JCSoRocks (1142053) | more than 5 years ago | (#25682249)

I agree. I've been running a Vista box for ever a year now with no AV and no problems. Why not? I dunno, maybe because I never install anything I'm not familiar with. I only browse with FF. I only use webmail accounts so e-mail viruses aren't an issue. I don't download random garbage from torrents and then act all shocked when it turns out to have a virus. Keeping your PC clean is relatively easy if you just avoid the crap you already know you shouldn't be doing and keep yourself patched.

Having an OS with a tiny market share that no one's bothering to hack helps too... :P

(Stupid) Useful Malaware Tricks? (3, Interesting)

kyashan (919683) | more than 5 years ago | (#25677713)

..a bit OT, but sometimes I wonder when will be the year of malaware on Linux or OS X.

Re:(Stupid) Useful Malaware Tricks? (1)

i.r.id10t (595143) | more than 5 years ago | (#25678239)

Hey, you've just been hit with a random Linux virus! Change to /etc and using sudo or su (your choice) please delete 3 random files or directories. Thanks!

Re:(Stupid) Useful Malaware Tricks? (0)

Anonymous Coward | more than 5 years ago | (#25681447)

As soon as there is more commercial closed source Linux compatible software that uses it's own proprietary installer, rather than the distro's official repositories.

Why? Because the next thing will be cracked versions of that software, and so the terrible descent into a Windows like acquisitive culture begins.

The GPL and the general good attitude of Linux users is the best anti-virus. However, it will only work until attitude is lost or diluted among lots of new users who don't 'get it'.

Ugh! Scanners! (3, Interesting)

flajann (658201) | more than 5 years ago | (#25677761)

One thing I absolutely despise with the AV scanners is just that -- the scanning, that eats up performance both disk-wise and cpu-wise, and always seem to run at the wrong times -- when I am using the machine!

This scanning aspect grows even more germane as we ascend into the commonality of terabyte drives.

We need better approaches to checking files for infections or payloads -- like checking them thoroughly once and then checking any newly created or altered ones at the time of alteration. But even there you take a performance hit, and I know most AV systems already does this to some extent (but will rescan all the drives periodically).

Ah, gotta love Windows. I much prefer to have a clean system and avoid any operations that might introduce a payload -- like running IE, for example.

Google's attempts to flag questionable sites is half-baked, and depends on GoogleBots catching the vulnerabilities before your browser does. And for the poor site owner that's been compromised, Google fails to provide enough details for the site owner to eliminate the potential problems.

Well, I don't use Windows as my primary platform for a number of reasons, virus vulnerabilities being one of them. Not to say Linux doesn't have its share, but they are far less common and if you keep up with the latest upgrades, you'll do OK for the most part.

I think we need to go in a direction of relying on hypervisor-wrapped OSes that can do selective rollbacks to the points before infection. This way, you eliminate the need for scanning everything all the time and better yet, you might put some of the malware protection in the hypervisor itself, at a level the guest OS or the malware could never detect nor evade.

Just a thought for free for some enterprising individual to go make $$$$ from!

Re:Ugh! Scanners! (1)

0123456 (636235) | more than 5 years ago | (#25678101)

"One thing I absolutely despise with the AV scanners is just that -- the scanning, that eats up performance both disk-wise and cpu-wise, and always seem to run at the wrong times -- when I am using the machine!"

Funny, isn't it? Windows Defender takes eight and a half hours to scan my 2.5 terabytes of disks, and if I haven't run it for a few days it will start an automatic scan a few minutes after I boot up the PC.

Surely that's the absolutley stupidest possible time for a scanner to run? If I've just booted up the PC it's because I WANT TO USE IT TO DO SOMETHING USEFUL, and not because I want to wait eight hours for a scanner to run. Particularly not a scanner that warns me that I have a malware infection in a .wav file from a game that was released in the 1990s.

Any time my Windows PC slows to a crawl, I can almost guarantee it's because Microsoft have decided that while I'm playing a game is a really, really good time to decide to start an eight hour disk scan.

Re:Ugh! Scanners! (3, Insightful)

jez9999 (618189) | more than 5 years ago | (#25678657)

What I don't understand is how I run NO A/V software (no, really) - I just run Sygate, a software firewall - and I have not gotten any trojans or viruses in the last... 10 years? Yeah I guess I could have one and not know about it, but I doubt it, disk activity and network activity seems normal (except when Skype decides to route a call thru me, why can't people get their own IPv6 IPs damnit??), and I occasionally run a virus/rootkit scanner over my machine and they come up clean.

A/V is probably unnecessary, if you have a reasonably knowledge of how to use a computer. Yeah most don't, but you're posting Slashdot so you probably do. Why do you use one at all?

Re:Ugh! Scanners! (3, Interesting)

flajann (658201) | more than 5 years ago | (#25678893)

What I don't understand is how I run NO A/V software (no, really) - I just run Sygate, a software firewall - and I have not gotten any trojans or viruses in the last... 10 years? Yeah I guess I could have one and not know about it, but I doubt it, disk activity and network activity seems normal (except when Skype decides to route a call thru me, why can't people get their own IPv6 IPs damnit??), and I occasionally run a virus/rootkit scanner over my machine and they come up clean.

A/V is probably unnecessary, if you have a reasonably knowledge of how to use a computer. Yeah most don't, but you're posting Slashdot so you probably do. Why do you use one at all?

One reason: Kids.

One kid uses Linux as much as he uses Windows, and understands how to avoid malware. Alas, he has a lot of friends over that have not learned these important lessons.

Not to mention my other -- younger -- kid, who insists of downloading malware from Disney and other sites that *insists* on using IE to run at all.

Re:Ugh! Scanners! (1)

PitaBred (632671) | more than 5 years ago | (#25681827)

If he insists on using IE, run Windows in a virtual machine with snapshots under Linux. Anything not 3D will run fine, and you'll be able to undo crapware installs in Windows very easily.

And honestly? I'd just block all of disney.com. They've proven through their legislation sponsoring and quadruple-charging0 that they view you as nothing more than a bag of money.

BTW, I just checked out Disney.com... most of their flash games and stuff seem to run fine under Linux, and I'm running 64bit Ubuntu with Flash9 in nspluginwrapper. No reason you can't use straight Linux.

Re:Ugh! Scanners! (1)

Sagara Sozou (726002) | more than 5 years ago | (#25678731)

This really reminds me of an argument for HTS+ against NTFS. NTFS requires a big chunk of time to move files around (defragmentation) while the other moves files when they're openned, if it has to.

Re:Ugh! Scanners! (1)

mkraft (200694) | more than 5 years ago | (#25680051)

The problem with scanning something once when it's downloaded and then forgetting about it is what happens if it is a virus, but the AV definitions haven't been updated yet to detect it? This is why AV programs scan files again after the AV definitions have been updated.

Symantec's Norton 2009 line actually tries to increase performance, by keeping a white-list of "good" programs based on data from both Symantec and all it's users (based on automatic submission of the CRC checks of running programs). Once a program is flagged as "good" it won't be scanned again until it is changed. As the OS and most common applications are flagged as "good", there is very little performance hit as compared to older versions where Norton scanned every accessed file in the system.

Their next move... (1)

akad0nric0 (398141) | more than 5 years ago | (#25678041)

...will be to invest money in marketing to find some way in which this study is not "fair"; in other words, how it doesn't align with limited and unrealistic testing methodology that only focuses on very specific ways their tools succeed in detecting malware.

They've done (Skoudis) [sans.org] it before (Secunia) [theregister.co.uk] .

Didn't Consumer Reports say this years ago? (4, Interesting)

tkrotchko (124118) | more than 5 years ago | (#25678221)

A few years back, Consumer Reports took some malware and made some trivial changes and almost all the AV vendors failed that simple test.

If you recall the AV vendors criticized Consumer Reports because they claimed it was the equivalent of producing new malware and that it was irresponsible.

Bottom line... this pretty much proves that AV has little or no value. You use it because everybody tells you that you have to use it, not because it provides any sort of comprehensive security (it doesn't even come close).

Antivirus/Antispyware 2009 (4, Interesting)

Danzigism (881294) | more than 5 years ago | (#25678537)

Working in a repair shop, the most common infection I've seen in the past couple months has been the rogue antivirus/antispyware products. They usually pose as "Antivirus 2009" or "XP Antivirus 2009". They use extremely generic names. Its funny because every customer that has one of these infections, is usually running Norton, Mcafee, Trend Micro, AVG, or any of them. Not ONE of them from 2008 has been able to rid the rogue product. It's funny too because all you have to do is remove a couple lines in HiJackThis and remove the Program Files folder. Although it has made our repair shop a good amount of money, it is annoying having to tell customers why their AV software can't remove such a silly thing. I've been a strong supporter of Panda Antivirus for many years, and I've always thought all the others are extremely bloated. ESPECIALLY NORTON.. HOWEVER, Norton 2009 has literally done a 180 with its performance. It removed XP Antivirus in no time. It barely uses 1% of your CPU when it is idle, and it updates literally every few minutes. I've been extremely impressed with their latest release and would recommend the noobs out there to try a 15 day free trial. But of course, ultimately running any AV software is a joke if you know how to use your computer correctly and don't download goat pr0n and warez. but fyi, if you would of asked me a month ago about Norton, I would of told you it is ridiculous and extremely bloated crap software, just like the rest.

Re:Antivirus/Antispyware 2009 (0)

Anonymous Coward | more than 5 years ago | (#25679657)

Working in a repair shop, the most common infection I've seen in the past couple months has been the rogue antivirus/antispyware products. They usually pose as "Antivirus 2009" or "XP Antivirus 2009". They use extremely generic names. Its funny because every customer that has one of these infections, is usually running Norton, Mcafee, Trend Micro, AVG, or any of them. Not ONE of them from 2008 has been able to rid the rogue product. It's funny too because all you have to do is remove a couple lines in HiJackThis and remove the Program Files folder. Although it has made our repair shop a good amount of money, it is annoying having to tell customers why their AV software can't remove such a silly thing. I've been a strong supporter of Panda Antivirus for many years, and I've always thought all the others are extremely bloated. ESPECIALLY NORTON.. HOWEVER, Norton 2009 has literally done a 180 with its performance. It removed XP Antivirus in no time. It barely uses 1% of your CPU when it is idle, and it updates literally every few minutes. I've been extremely impressed with their latest release and would recommend the noobs out there to try a 15 day free trial. But of course, ultimately running any AV software is a joke if you know how to use your computer correctly and don't download goat pr0n and warez. but fyi, if you would of asked me a month ago about Norton, I would of told you it is ridiculous and extremely bloated crap software, just like the rest.

Ditto. We see so many WinXPAV infections. I've found that the 2008 versions are harder to get rid of than the 2009. The latter just usally takes a Malware scan (like MalwareBytes Anti-Malware) but the former requires bleach and holy water.

I too have moved on from Norton, but I may have to give 2009 a look-see.

Re:Antivirus/Antispyware 2009 (2, Funny)

kv9 (697238) | more than 5 years ago | (#25681139)

ultimately running any AV software is a joke if you know how to use your computer correctly and don't download goat pr0n and warez

I've been downloading goat pr0n and warez for years, and I'm OK. well, my computers are.

Re:Antivirus/Antispyware 2009 (1)

Nimey (114278) | more than 5 years ago | (#25681629)

We use Symantec Antivirus 10 and SEP11 here. We've gotten computers infected with variants of that. Seems to slip right past the real-time protection, but if you tell SAV to run a system scan it will find it. Very odd.

Re:Antivirus/Antispyware 2009 (1)

PitaBred (632671) | more than 5 years ago | (#25681853)

I download goat pr0n and warez just to watch it throw up all over itself when run under Wine. The message logs are amusing ;)

Well...then...what would YOU use? (1)

jrbirdman (1281118) | more than 5 years ago | (#25678791)

I'm almost at one of those "No, I won't fix your computer" moments.

If asked (or arm-twisted), which AV vendor would you recommend?

At some point in time, each seems to move to the "front of the line" in terms of quality and performance...then some update comes along and...boom...either or both go into the crapper.

Suggestions?

Re:Well...then...what would YOU use? (1)

fatalGlory (1060870) | more than 5 years ago | (#25682115)

I live on campus at university and the sheer number of n00bs (yes, I said the n word), is occasionally mind blowing.

I tell them all to run spybot-sd and avg8. Spybot because it's free, it detects heaps of stuff (that is still relevant) and removes it. Been using it for years and it has detected *some* issue on every system I have ever installed it on (assuming no other anti-spyware had been running).

I use AVG8 because it's free and it can be made to work with the proxy server at our university.

Free is important because I agree with several other posts on this topic - AV is not that important. Spybot I would say is more important, but more important than both is a firewall. To that end I still tell everyone that asks me what AV they should use that the best AV for them is ZoneAlarm.

This is now requested of Kaspersky (0)

Anonymous Coward | more than 5 years ago | (#25679079)

From the Kaspersky Forums, Kaspersky does not find obfuscated trojans [kaspersky.com] .

-hunag

Old Jedi Malware Tricks (4, Funny)

whitehatlurker (867714) | more than 5 years ago | (#25679861)

These0x00are0x00not0x00the0x00softwares0x00you0x00are0x00scanning0x00for.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>