Re: test of minder remailer
Date: Mon, 29 Aug 2005 09:39:49 -0400
From: Trei, Peter [EMAIL PROTECTED]

> It looks like the minder remailer is under attack - I've gotten about 20 messages with little or no content, and a small zip file attached.

Don't feel picked on. I've noticed about 20/day... About 220 since Aug 19th.

Symptoms are:

A Content-Type: application/x-compressed; size of 0 or 8 bytes.

File, so far, is ALWAYS a .zip with names like payment.zip, funny.zip, account-details.zip, test.zip...

May have some text designed to get you to open the .zip... The message is supposed to be from your ISP complaining about your account.

Personally, I think it is a virus with a 'bug' because my virus filters have caught about the same number with much larger payloads.

Regards,
Gregory Hicks PT

---
Gregory Hicks | Principal Systems Engineer
Cadence Design Systems | Direct: 408.576.3609
555 River Oaks Pkwy M/S 6B1 | Fax: 408.894.3400
San Jose, CA 95134 | Internet: [EMAIL PROTECTED]

I am perfectly capable of learning from my mistakes. I will surely learn a great deal today.

A democracy is a sheep and two wolves deciding on what to have for lunch. Freedom is a well armed sheep contesting the results of the decision. - Benjamin Franklin

The best we can hope for concerning the people at large is that they be properly armed. --Alexander Hamilton
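The symptoms listed in the reply above (Content-Type application/x-compressed, a .zip filename from a short list, and a payload of 0 or 8 bytes) are concrete enough to turn into a mail-triage filter. The following is an added example, not code from the thread or from either poster: it parses raw RFC 822 messages with Python's standard `email` package and flags attachments matching that pattern. The sample messages, sender addresses and filename list are constructed for the example; the 0/8-byte sizes and the names are the ones Hicks reports.

```python
"""Triage filter for the malformed .zip wave described in the thread.

Added example (not from the original posts). Flags attachments whose
Content-Type is application/x-compressed and/or whose filename ends in
.zip, and calls out payloads of exactly 0 or 8 bytes, which is the size
the poster observed. Sample messages below are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Names reported in the thread; treated as an extra signal, not a requirement.
REPORTED_NAMES = {"payment.zip", "funny.zip", "account-details.zip", "test.zip"}
# Payload sizes observed in the wave (0 or 8 bytes), per the reply above.
TINY_SIZES = {0, 8}


def suspicious_parts(raw: bytes):
    """Return [(filename, payload_size, [reasons])] for matching attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        if ctype != "application/x-compressed" and not fname.endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ctype == "application/x-compressed":
            reasons.append("content-type application/x-compressed")
        if fname.endswith(".zip"):
            reasons.append("zip filename")
        if len(payload) in TINY_SIZES:
            reasons.append(f"payload {len(payload)} bytes (empty or truncated archive)")
        if fname in REPORTED_NAMES:
            reasons.append("filename seen in the reported wave")
        hits.append((fname, len(payload), reasons))
    return hits


def classify(raw: bytes) -> str:
    """'broken-zip-spam' if a tiny zip-like part is present, 'zip-attachment'
    if a normal-sized one is, else 'clean'."""
    hits = suspicious_parts(raw)
    if any(r.startswith("payload") for _, _, rs in hits for r in rs):
        return "broken-zip-spam"
    return "zip-attachment" if hits else "clean"


def build_sample(filename, payload: bytes, text: str) -> bytes:
    """Construct a sample message (hypothetical addresses) with one attachment."""
    m = EmailMessage()
    m["From"] = "abuse@isp.example"       # constructed sender
    m["To"] = "user@example.net"          # constructed recipient
    m["Subject"] = "Your account"
    m.set_content(text)
    m.add_attachment(payload, maintype="application", subtype="x-compressed",
                     filename=filename)
    return m.as_bytes()


def build_plain() -> bytes:
    """Constructed text-only message with no attachment."""
    m = EmailMessage()
    m["From"] = "friend@example.org"
    m["To"] = "user@example.net"
    m["Subject"] = "lunch"
    m.set_content("see you at noon")
    return m.as_bytes()


# Constructed samples: an 8-byte "archive", an empty one, a real-sized one, plain text.
SAMPLE_EIGHT = build_sample("account-details.zip", b"\x00" * 8,
                            "Your account has been suspended, see attached.")
SAMPLE_EMPTY = build_sample("payment.zip", b"", "")
SAMPLE_REAL = build_sample("report.zip", b"PK\x03\x04" + b"\x00" * 60, "Monthly report")
SAMPLE_PLAIN = build_plain()

if __name__ == "__main__":
    for label, raw in [("eight", SAMPLE_EIGHT), ("empty", SAMPLE_EMPTY),
                       ("real", SAMPLE_REAL), ("plain", SAMPLE_PLAIN)]:
        print(label, classify(raw), suspicious_parts(raw))
```

Run it over an mbox by splitting on `From ` lines or with `mailbox.mbox` and calling `classify` on each message's bytes; the 0/8-byte check is what separates this wave from legitimate compressed attachments, so a site filter should key on that rather than on the filename list alone.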
Re: test
At 5:20 AM + 4/29/04, Ryan Lackey wrote:

> this may or may not go through; I don't know.

It works.

Cheers,
RAH
--
- R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: Test of BIOS Spyware
On Tue, Oct 14, 2003 at 12:44:20PM -0700, John Young wrote:

> We received the note below about spyware allegedly created for a Maryland agency with code which needs to be tested. We'd appreciate feedback on the note and the code. Beware of a sting.
>
> The code: http://cryptome.org/ExpCode.ASM

So what? The code hooks into the bootstrap phase of the BIOS, decompresses some unspecified stuff (I have not verified whether it actually *CAN* successfully decompress anything and what algorithm it uses; just skimmed the code to see whether it tries something really spiffy) and executes the injected code at the end of the BIOS bootstrap. This is *NOT* the interesting part. The interesting part is the payload it is to deliver.

The claim "This enables the software to spy on the user and remain hidden to the operating system." rather interests me. How do they achieve this in an OS-agnostic fashion?

I know this may be passing premature judgement, but to be honest I think the code looks pretty amateurish and has at most beta quality. Most Romanian virus writers should be able to come up with something better in less than a day. Give them a week and they have something that works on a *MUCH* wider range of hardware than just two types of mobos/machines.

Thanks for the demonstration though. Does this agency seriously think we believe they might be using the above mentioned code in a production environment some day? Tsk tsk tsk...

Cheers,
Ralf
--
Ralf-P. Weinmann [EMAIL PROTECTED]
Re: Test of BIOS Spyware
On Tue, Oct 14, 2003 at 12:44:20PM -0700, John Young wrote:

> We received the note below about spyware allegedly created for a Maryland agency with code which needs to be tested. We'd appreciate feedback on the note and the code. Beware of a sting.
>
> The code: http://cryptome.org/ExpCode.ASM

Note to author of code: Look into the "Scan User Flash Area" option if you ever have to pull this trick on a motherboard with an Intel BIOS. See [1] for instructions on how one might make use of it.

Additional exercise: Enable "Scan User Flash Area" regardless of user setting.

Cheers,
Ralf

[1] How to modify your PR440FXs BIOS images for netbooting
    http://www.beowulf.org/software/PR440FXNetboot.html
--
Ralf-P. Weinmann [EMAIL PROTECTED]