[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <402F47A0.11921.39464D3B@localhost>
Date: Sun, 15 Feb 2004 10:19:12 +1300
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: RE: Re: W2K source "leaked"?
"Drew Copley" <dcopley@...e.com> wrote:
> It is true that there are exploits which can go under the radar.
>
> I have a lot of fascination for these.
>
> Customers can't report to AV or security companies trojans they never
> even knew they had.
>
> The requirement level is high, however:
Yep, but seldom as high as you suggest...
> -> Finding a substantial Window's bug is difficult. Usually. It isn't
> black magic, but it isn't well documented and requires a substantial
> amount of effort.
> -> There is a huge demand to just release the bug to the public through
> Full Disclosure
Or, skip all that palaver and recon your target carefully to determine:
1. What products inspect their incoming Email. Many sites helpfully
leak great scads of valuable information about virus and content
scanner products and versions used just from inspecting the headers of
messages from staff and from bounces. Most sites are even more helpful
if you send specially chosen attachments or specifically styled
messages as they will bounce messages back because they fail one or
other of their virus, spam and other content control filters which
usually cannot resist advertising their maker's products.
2. What products and versions they use for web browsing, Email, etc.
3. If the answers are Windows, IE, Outlook/OE and their virus and
content scanners are not heavily into exploit detection (many claim to
detect exploits but really only detect minor variations on the original
proof of concept code posted by Guninski, http-equiv, etc) then it
should be relatively easy to devise a variation on one of several
currently known exploits to get past the supposed "protection".
> -> traditional trojan models have the trojan listening on a port, always
> active... This can mean it could crash or otherwise reveal itself to the
> end user. Magnify the end user pool and you so magnify the chance for an
> unknown error to reveal itself. Especially across different locale
> systems.
> -> One needs to take care of erasing the tracks back and forth to the
> system. This would mean that one would have to communicate with the
> trojan in a way that would be imperceptible to all of the 'radars'
> people have out there (honeypots, sniffers, firewalls, ids')... The more
> end users or "victims" or "targets" the larger the chance that this
> communication would be seen
> -> One would need to keep silent about all of this. This would rule out
> most people. Except for professionals and true fanatics. Both the
> fanatic and the professional would have to entirely resist the
> temptation to brag about such an amazing feat. Human nature is strongly
> propelled by the need for praise from men... Ego feeding. Forget food
> and shelter. People want glory. So, you either have a loner or someone
> really, really committed to their goal.
> -> One would need to understand the target's AV, IDS and whatever other
> system of protection or evidence gathering they might have in place.
Those are all good points, and especially problematic to someone trying
to surreptitiously build up a bot army or similar. However, if the
object of the exercise is a directed attack by a competitor to steal
proprietary information (be that a listing of your sales database or
the source code of your next "market leading" app), or by organized
crime to get anything worth blackmailing you over (any proprietary data
they could sell to your competitors or any "dirt" -- "we hacked
<your_company_name> and here's the proof" where that kind of exposure
would be damaging to your business' reputation, most of those concerns
are greatly reduced as it only needs to be a one-time hit.
> -> If someone wants to just make a bunch of money by stealing online,
> they don't have to have a new bug and they don't have to jump through
> all of these hoops. So what if they are detected? By then they could
> clean up shop already. It isn't like there is some kind of effective or
> fast police force anywhere dealing with any of this. This is a huge
> factor.
Of course, and that is what the current skiddie fad of mass-
distribution of trivially new RAT variants is all about and why some
RATs target one or more of the the Sub7, Kuang and Mydoom networks to
distribute their RATs and other malware and so on. There are enough
naïve, gullible folk out there to get owned via these methods _AND_ who
aren't using AV that will detect the latest RAT variant either
initially or within a few days (after an update or two) or who aren't
using a firewall to block the outgoing connections, or who won't notice
for weeks or months that their AV and/or firewall has been disabled
(the first action of increasingly many of these kinds of things).
Because there is such an army of naïve users and because there is no
effective law enforcement interest in dealing with the perpetrators of
such "virtual crime" we will keep seeing this end of the market thrive
(most of the skiddies running their RAT generator kits don't even care
that most of the large AVs detect all their "new" variants generically
or heuristically, because they have long since realized that even just
focussing on hitting some portion of the userbase of folk who don't use
(up-to-date) AV is more than enough for most of them).
We've strayed some distance from what, if any, increased security
concerns there are as a result of the Windows source "leak"...
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists