lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sun, 24 Jul 2005 04:47:25 -0700
From: Crispin Cowan <crispin@...ell.com>
To: Technica Forensis <forensis.technica@...il.com>
Cc: "Black, Michael" <black@...excorp.com>,
	James Longstreet <jlongs2@....edu>,
	Derek Martin <code@...zashack.org>, bugtraq@...urityfocus.com
Subject: Re: On classifying attacks


Technica Forensis wrote:
> This really depends on the situation.  Say I write an exploit that
> when run as a user spawns a listening ssh service with root priv.  I
> get on the system however I do, download this file and exec it.  I
> think everyone would agree that is a local exploit.
> I send that same file as an email attachment to some dolt and peer
> pressure him into running it.  Just because I downloaded the file by
> emailing it to said dolt doesn't change the exploit from local to
> remote. It potentially changes it from 'exploit' to trojan, but it is
> still being executed locally.
>   
That sounds like a compound attack with 2 stages:

    * a social engineering attack to get the victim to run the code
          o can be very simple like "please run this code"
          o can be very sophisticated, like phishing attacks carefully
            crafted to resemble legitimate mail to get the user to click
            on something
    * a local attack that happens when you run the malware

What makes this compound attack "remote" is that the social engineering
attack is remote.

This makes most common viruses compound remote/local attacks with a
remote social engineering attack to somehow induce the user to run a
local attack. The exception to this is e-mail viruses that require no
social engineering because they can exploit some flaw in the preview
pane or such like so that the user only has to browse the mail to run
the malware.

Crispin
-- 
Crispin Cowan, Ph.D.                      http://immunix.com/~crispin/
Director of Software Engineering, Novell  http://novell.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ