We Read Their Forums Too

I received an e-mail to my personal account, from a student who wanted to ask me about how to detect a paticularly complex virus.
This happens occasionally, so no surprises there.

The virus in question was one on whose detection I had worked several years ago, but which even today remains one of the most complex that we have ever seen. The detection code was almost as complex, given the limitations on the framework that I had available to me at the time. I managed to invent some new techniques within that framework, that no-one thought were possible. It was like coding demos for a legacy machine - small instruction set, limited memory. Making the machine do things that weren't part of the original design. Ah, my wasted youth on the Apple II wasn't quite so wasted after all.

Anyway, I digress.

So, a student wanted to ask me about how to detect a particularly complex virus. He was very persistent, even after I told him that a) the detection is a company proprietary secret; and b) even if I could tell him, I wouldn't. That was one source that, if I owned it, I would have kept to myself. 🙂
Then his phrasing took a slight turn that got me suspicious. I don't know exactly what it was, since the content was essentially the same - maybe some kind of tone, even though it was e-mail. He stopped asking after I addressed him by his nickname. It seems that he might be a virus-writer, after all.

How did I know? That's another secret that I'm going to keep to myself.



Just kidding. He posted to a pro-virus forum that I read in order to know what those guys are doing. Actually, I thought that this was well-known because I've talked about it before... We’re ever-vigilant, scouring multiple sources to connect the dots.
-- Peter Ferrie

Comments (0)

Skip to main content