http://gmail.google.com/gmail/a-970ef743f-f6551646fd-77f3bdf643
Offlist requests are welcome ... enjoy :-)
Warm regards,
Sandeep.
(Calcutta, India).
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
-
| Motorola Wireless Router WR850G Authentication Circumvention |
-
Date: 09-23-2004
Author: Daniel Fabian
Product: Motorola Wireless Router
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200409-31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - -
In some mail from Matt, sie said:
GuidoZ wrote:
Interesting indeed. Although, I imagine this was a spam email, and I
never believe (nor buy) anything from spam. I wonder how credible this
really is. If there was such a way to do what they claim, don't you
think it would have been big
Title: Re: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all
Adware removers and Anti-viruses
Nothing
new about rootkits. They aren't big news because they are old news.
Although depressing, this is definitely possible.
James Cupps
Information Security Officer
Well, on my WinXP SP1 machine, the shellcode will not execute when
displayed in a web browser (Firefox PR1 and IE 6 SP1).
It will however execute when Windows opens the folder that it's in
(trying to make a thumbnail, I would assume). A few seconds after the
command window opens, explorer
Title: Re: [Full-Disclosure] Rootkit For Spyware? Hide your adware from
It
depends on which kit they based it on. My guess is these guys weren't good
enough to do the coding themselves so they stole someone else's code. Of
course I can't think of any rootkits under any kind of license so I
Nothing new about rootkits. They aren't big news
because they are old news.
Although depressing, this is definitely possible.
Old news, yes...but to some, not everyone. Taking
users (home, corporate, academic, etc.) out of it,
sysadmins and LEOs are still way behind when it comes
to
Most people that work with Linux and UNIX in a corporate network
understand the risks involved when using root. There isn't a big push in
the Microsoft world for this however. Microsoft can't push the don't
run as admin rule because the majority of people running it wouldn't
understand the risks
It depends on which kit they based it on. My guess
is these guys weren't
good enough to do the coding themselves so they
stole someone else's code.
That, or they're learning (rootkit coding training via
Blackhat), or they're simply purchasing it (there are
folks who do custom rootkit coding
Title: RE: [Full-Disclosure] Rootkit For Spyware? Hide your adware from
True,
points taken.
James Cupps
Information Security Officer
-Original Message-
From: Harlan Carvey
[mailto:[EMAIL PROTECTED]
Sent: Thursday,
September 23, 2004 9:38 AM
To: [EMAIL PROTECTED]
Cc:
FYI, Symantec uses the Bloodhound name on heuristic detection. Therefore
IMHO, this detection can work but shouldn't be trusted as protection,
just yet.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andy Silva
Sent: Thursday, September 23, 2004 8:16 AM
Oops, left off one of my closing )'s
I guess that one won't compile (at least if the compiler is any good).
In re-reading that I need to stop nesting things when I am just talking
sorry folks :)
James Cupps
Information Security Officer
-Original Message-
From: Cupps, James
Sent:
Title: RE: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all
Adware removers and Anti-viruses
Again
true,
The thing that has me worried about this
(at least enough to justify the posts) is that this seems to be an avenue for
growth in kits.
One of the things that has
Title: RE: [Full-Disclosure] Rootkit For Spyware? Hide your adware from
Skill
is skill. You are right in that they are two different skill sets but most of
the people that would have the ability to do one are also capable of the other.
Logically you are right. One does not lead
to the
The thing that has me worried about this (at least
enough to justify the
posts) is that this seems to be an avenue for growth
in kits.
That's exactly what it is.
On a slightly tangential note, while many people I
know of in the security community bash Microsoft, I've
more often been
I stand corrected. I hadn't thought about this...
More specific to the Windows environment, what we're
talking about is API hooking, and then more advanced
stuff such as DKOM, or direct kernel object
manipulation. This is where the linked listed used to
maintain a list of processes is
It is quite possible to hide processes, reg keys and files, and is often
done by various malware.
Aye. I didn't word my statements correctly. (Was tired... =P ) You are
very much correct.
I guess I was trying to speak along the lines of AV detection and
forensics. I've yet to find a rootkit,
I've been finding a few compromised
Windows systems on our campus that have a random port open with a banner
of 220 StnyFtpd 0wns j0. All the systems seem to be doing
SYN scans on port 445 and LSASS buffer overflow attempts. Anyone
know what worm/bot is doing this? I don't have access to these
###
Luigi Auriemma
Application: ActivePost Standard
http://www.activepost.net
Versions: = 3.1
Platforms: Windows
Bugs: - File-Server crash
- File-server
snip
As casually as he can, Joe tries a little privilege
escalation maneuver on her back Orifice
snip
ROTLMAO got to admit the best laugh I've had all day
Windows is likely the most susceptible to such an
attack due to the
limited amount of people that fully understand the
kernel and flow
chart of processes. (Or those that don't put 2 and
2 together, like myself.)
I realize that this is purely speculation on your
part, but I'd be careful
Ryan,
I've been finding a few compromised Windows systems
on our campus that
have a random port open with a banner of 220
StnyFtpd 0wns j0. All the
systems seem to be doing SYN scans on port 445 and
LSASS buffer overflow
attempts. Anyone know what worm/bot is doing this?
I don't
Ryan-
Looks like you have Kibuv_B
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.BVSect=T
Take care-
James
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ryan Sumida
Sent: Thursday, September 23, 2004 1:42 PM
To: [EMAIL PROTECTED]
Subject:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.BVSect=T
Ryan Sumida wrote:
I've been finding a few compromised Windows systems on our campus that
have a random port open with a banner of 220 StnyFtpd 0wns j0. All
the systems seem to be doing SYN scans on port 445 and
Could
be a variant of the Win32/kibuv.b
worm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.BVSect=T
Maybe
it scans for the LSASS buffer overflow. Is there an FTP server on 7955? A
backdoor on 420?
This
worm also tries to connect to an IRC channel via port
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Couple things to look for.
1. connections to IRC
2. are the names in the IRC connection random and look generated
3. time intervals
4. does it appear that the machines on the network are getting patched
if you run a vuln scanner against them and once
Greetings list!
I've just hit this URL and I think it's a pretty intelligent/useful
idea. I hope it wasn't already brought to
your attention, and if it already was and you feel like flaming then send
in private. Thanks!
http://fightspam.nm.ru/
stolen from the site:
The whole time this
We all know it doesn't take a lot to hide from the normal everyday user
on the internet. I believe that is what they meant by hide from
everything. Of course it isn't completely hidden. But normal users are
not sniffing packets from a computer on an isolated network to find
things.
We live in a
I realize that this is purely speculation on your
part, but I'd be careful about saying things like
this. The reason is that understanding the kernel
and flow chart of processes isn't really the issue.
Yes, it was mostly speculation. The most common problem I run into on
a daily basis is
Title: RE: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_K
IBUV.BVSect=T
Mike
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Cute idea, but basically illegal... it's a DDoS, just the clients are
compromised via social engineering, not some nifty leet hack.
John
On Thu, Sep 23, 2004 at 03:10:55PM -0400, The Devilous Angel wrote:
Greetings list!
I've just hit this URL and I think it's a pretty intelligent/useful
Title: Re: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all
Adware removers and Anti-viruses
Some
of them can (almost) hide from everything because of the way they integrate. Take
Alpha for example. You aren't going to find it with any tools that a
standard system has. OK
Thank you all for the help, I definitely
appreciate it. The last system I checked had ftp running on port
15708 which makes me believe it is not the WORM_KIBUV.B but a similar variant.
Sorry for the unnecessary post, I googled the whole string which
didn't come back with anything. I should have
On Thu, 23 Sep 2004 19:12:22 +0100 (BST), Steve R
[EMAIL PROTECTED] wrote:
snip
As casually as he can, Joe tries a little privilege
escalation maneuver on her back Orifice
snip
ROTLMAO got to admit the best laugh I've had all day
I guess my comment further down was overlooked:
GuidoZ said:
To save someone else from saying this, I'll reply to my own comment. =)
I've yet to find a rootkit, spyware, or malware that is
COMPLETELY hidden, in every aspect, from the user.
Well, DUH. How could you find it if it was
I've been finding a few compromised Windows systems on our campus that
have a random port open with a banner of 220 StnyFtpd 0wns j0. All the
systems seem to be doing SYN scans on port 445 and LSASS buffer overflow
attempts. Anyone know what worm/bot is doing this? I don't have access
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200409-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - -
On Thursday, 23 September 2004 21:10, The Devilous Angel wrote:
Hi,
I've just hit this URL and I think it's a pretty intelligent/useful
idea. I hope it wasn't already brought to
your attention, and if it already was and you feel like flaming then send
in private. Thanks!
You can try scanning it if you have the file.
http://virusscan.jotti.dhs.org
Ryan Sumida wrote:
Thank you all for the help, I definitely appreciate it. The last
system I checked had ftp running on port 15708 which makes me believe
it is not the WORM_KIBUV.B but a similar variant. Sorry for
As I referenced in my previous reply, Todd stated what I was arguing against.
We all know it doesn't take a lot to hide from the normal everyday user
on the internet. I believe that is what they meant by hide from
everything. Of course it isn't completely hidden. But normal users are
not
Then maybe you're too young to. ;)
--
Peace. ~G
On Thu, 23 Sep 2004 16:33:23 -0400, Ill will [EMAIL PROTECTED] wrote:
On Thu, 23 Sep 2004 19:12:22 +0100 (BST), Steve R
[EMAIL PROTECTED] wrote:
snip
As casually as he can, Joe tries a little privilege
escalation maneuver on her back
Yeah, most should understand what's taking place. The subject of the
email gives it away pretty well. =)
In case you're still wondering, here's what I believe those terms mean:
- HUP: Perl client for the Uptimes Project. (http://www.uptimes.net/)
- TEMPEST: Acronym has been argued.
Some of them can (almost) hide from everything
because of the way they integrate.
Not everything...check out my book.
Even hashes
won't work for program execution detection very
well.
I'm not entirely clear on how a hash of a file
pertains to detecting the execution of a program...can
On Thu, 23 Sep 2004 20:31:44 -0700, GuidoZ [EMAIL PROTECTED] wrote:
- HUP: Perl client for the Uptimes Project. (http://www.uptimes.net/ )
You can get the relation from the first two somewhat easily if you
look at it. HUP being related to Uptime is obvious now, I'd hope. ;)
HUP is also the
A good observation. To be honest, I didn't read the full story, just
took what I knew and tried to apply it. Given the context it was used
in, you may very well be correct. =)
--
Peace. ~G
On Thu, 23 Sep 2004 23:04:10 -0500, Kyle Maxwell [EMAIL PROTECTED] wrote:
On Thu, 23 Sep 2004 20:31:44
Yahoo! Store Security Advisory
Advisory: http://securitytracker.com/id?1011403
Date: September 23, 2004
Vendor: Yahoo!
Product: Yahoo! Store
Status: Fixed by the vendor; Coordinated release
Credit: Ben Efros
[EMAIL PROTECTED]
http://www.citiprice.com/
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200409-33
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -