lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 15 Feb 2004 10:19:12 +1300
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: RE: Re: W2K source "leaked"?


"Drew Copley" <dcopley@...e.com> wrote:

> It is true that there are exploits which can go under the radar. 
> 
> I have a lot of fascination for these. 
> 
> Customers can't report to AV or security companies trojans they never
> even knew they had.
> 
> The requirement level is high, however:

Yep, but seldom as high as you suggest...

> -> Finding a substantial Window's bug is difficult. Usually. It isn't
> black magic, but it isn't well documented and requires a substantial
> amount of effort.
> -> There is a huge demand to just release the bug to the public through
> Full Disclosure

Or, skip all that palaver and recon your target carefully to determine:

1.  What products inspect their incoming Email.  Many sites helpfully 
leak great scads of valuable information about virus and content 
scanner products and versions used just from inspecting the headers of 
messages from staff and from bounces.  Most sites are even more helpful 
if you send specially chosen attachments or specifically styled 
messages as they will bounce messages back because they fail one or 
other of their virus, spam and other content control filters which 
usually cannot resist advertising their maker's products.

2.  What products and versions they use for web browsing, Email, etc.

3.  If the answers are Windows, IE, Outlook/OE and their virus and 
content scanners are not heavily into exploit detection (many claim to 
detect exploits but really only detect minor variations on the original 
proof of concept code posted by Guninski, http-equiv, etc) then it 
should be relatively easy to devise a variation on one of several 
currently known exploits to get past the supposed "protection".

> -> traditional trojan models have the trojan listening on a port, always
> active... This can mean it could crash or otherwise reveal itself to the
> end user. Magnify the end user pool and you so magnify the chance for an
> unknown error to reveal itself. Especially across different locale
> systems.
> -> One needs to take care of erasing the tracks back and forth to the
> system. This would mean that one would have to communicate with the
> trojan in a way that would be imperceptible to all of the 'radars'
> people have out there (honeypots, sniffers, firewalls, ids')... The more
> end users or "victims" or "targets" the larger the chance that this
> communication would be seen
> -> One would need to keep silent about all of this. This would rule out
> most people. Except for professionals and true fanatics. Both the
> fanatic and the professional would have to entirely resist the
> temptation to brag about such an amazing feat. Human nature is strongly
> propelled by the need for praise from men... Ego feeding. Forget food
> and shelter. People want glory. So, you either have a loner or someone
> really, really committed to their goal. 
> -> One would need to understand the target's AV, IDS and whatever other
> system of protection or evidence gathering they might have in place. 

Those are all good points, and especially problematic to someone trying 
to surreptitiously build up a bot army or similar.  However, if the 
object of the exercise is a directed attack by a competitor to steal 
proprietary information (be that a listing of your sales database or 
the source code of your next "market leading" app), or by organized 
crime to get anything worth blackmailing you over (any proprietary data 
they could sell to your competitors or any "dirt" -- "we hacked 
<your_company_name> and here's the proof" where that kind of exposure 
would be damaging to your business' reputation, most of those concerns 
are greatly reduced as it only needs to be a one-time hit.

> -> If someone wants to just make a bunch of money by stealing online,
> they don't have to have a new bug and they don't have to jump through
> all of these hoops. So what if they are detected? By then they could
> clean up shop already. It isn't like there is some kind of effective or
> fast police force anywhere dealing with any of this. This is a huge
> factor.

Of course, and that is what the current skiddie fad of mass-
distribution of trivially new RAT variants is all about and why some 
RATs target one or more of the the Sub7, Kuang and Mydoom networks to 
distribute their RATs and other malware and so on.  There are enough 
naïve, gullible folk out there to get owned via these methods _AND_ who 
aren't using AV that will detect the latest RAT variant either 
initially or within a few days (after an update or two) or who aren't 
using a firewall to block the outgoing connections, or who won't notice 
for weeks or months that their AV and/or firewall has been disabled 
(the first action of increasingly many of these kinds of things).

Because there is such an army of naïve users and because there is no 
effective law enforcement interest in dealing with the perpetrators of 
such "virtual crime" we will keep seeing this end of the market thrive 
(most of the skiddies running their RAT generator kits don't even care 
that most of the large AVs detect all their "new" variants generically 
or heuristically, because they have long since realized that even just 
focussing on hitting some portion of the userbase of folk who don't use 
(up-to-date) AV is more than enough for most of them).

We've strayed some distance from what, if any, increased security 
concerns there are as a result of the Windows source "leak"...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists