Message-ID: <0HG4008LZYBU19@smtp1.clear.net.nz>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: POSSIBLE TARGETING OF SECURITY RELESE READ
"morning_wood" <se_cur_ity@...mail.com> wrote:
> This is the 4th one now, directly mentioning a security release
> included is the zip password = exploit
I thought you said you'd leave viruses and suspicious code sent to
the list to those who have at least one clue about what to do with
them and how to handle them?
But then, you announced your "retirement" from the list too and
prompting started more of your usual rubbish, so I guess we should
not be surprised you're back proving your utter cluelessness again
with this...
> I would like to know if others are getting this...
Well, let's see now...
From the message's full, original headers:
Return-Path: <full-disclosure-admin@...ts.netsys.com>
<<snip Received: headers between netsys.com and me>>
Received: from NETSYS.COM (localhost [127.0.0.1])
by netsys.com (8.11.6p2/8.11.6) with ESMTP id h56NXpX17740;
Fri, 6 Jun 2003 19:33:51 -0400 (EDT)
Received: from abit-usa.com (mail.abit-usa.com [65.123.7.3])
by netsys.com (8.11.6p2/8.11.6) with ESMTP id h56NRgK16845
for <full-disclosure@...sys.com>; Fri, 6 Jun 2003 19:27:42 -0400 (EDT)
Received: from tarantino [192.168.1.46] by abit-usa.com
(SMTPD32-7.07) id A1A23B20066; Fri, 06 Jun 2003 16:20:02 -0700
From: "Keith R. Watson" <keith.watson@...hodon.com>
MIME-Version: 1.0
Message-Id: <200306061620986.SM01320@...antino>
Subject: [Full-Disclosure] Iomega NAS A300U security and inter-operability issues
Sender: full-disclosure-admin@...ts.netsys.com
Errors-To: full-disclosure-admin@...ts.netsys.com
X-BeenThere: full-disclosure@...ts.netsys.com
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <http://lists.netsys.com/mailman/listinfo/full-disclosure>,
<mailto:full-disclosure-request@...ts.netsys.com?subject=unsubscribe>
List-Id: Discussion of security issues <full-disclosure.lists.netsys.com>
List-Post: <mailto:full-disclosure@...ts.netsys.com>
List-Help: <mailto:full-disclosure-request@...ts.netsys.com?subject=help>
List-Subscribe: <http://lists.netsys.com/mailman/listinfo/full-disclosure>,
<mailto:full-disclosure-request@...ts.netsys.com?subject=subscribe>
List-Archive: <http://lists.netsys.com/pipermail/full-disclosure/>
Date: Fri, 6 Jun 2003 16:34:25 -0700
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
it was almost certainly sent via the Full-Disclosure list server.
Aside from the rather obvious, but easily forged, features such as
the Subject: line "modification" and the List-*: and X-* headers,
the Received: trail checks out and while that can be forged, it seems
like a lot of work to spread a couple of days old virus that is
already detected by all virus scanners and has spread profusely all
by itself anyway. Why would someone go to all that effort to target
a security mailing list with something as obvious as an already
well-known, albeit rather new, virus?
Further, your suggestion that this was targeted is also very
unlikely. Bugbear.B -- the virus attached to the original message --
forges sender information and can generate messages based on
material picked up off victim machines, _including_ copies of
previously received Email messages. If you had bothered to look at
the headers and the obvious list archives, you would see that this is
a partial copy of an advisory sent to Bugtraq on 1 November last year
(Google is our friend...). Presumably, due to the self-moderated
feature of this list, the apparent, but forged, poster
"Keith R. Watson" <keith.watson@...hodon.com>
is also subscribed to Full-Disclosure too, so the message sailed
straight through the list-processor.
However, the real sender, as partly evidenced here:
Received: from abit-usa.com (mail.abit-usa.com [65.123.7.3])
by netsys.com (8.11.6p2/8.11.6) with ESMTP id h56NRgK16845
for <full-disclosure@...sys.com>; Fri, 6 Jun 2003 19:27:42 -0400
(EDT)
Received: from tarantino [192.168.1.46] by abit-usa.com
(SMTPD32-7.07) id A1A23B20066; Fri, 06 Jun 2003 16:20:02 -0700
should raise some worries with users of ABIT system boards and other
components. Can you trust the software on their CDs if they are so
careless and security unaware to:
1. Have allowed this into their network in the first place.
2. Have allowed it to be executed.
3. _Not_ be scanning and blocking outgoing Email as thoroughly as
they should be scanning and blocking incoming mail.
The second point further breaks down, assuming that the original
infection arrived via Email, into:
Either:
2a. Have really old, unpatched and known grievously unsafe, copies
of IE on Internet exposed machines (Bugbear.B has an auto-execute on
view function that depends on the MS01-020 vulnerability -- the
so-called "Incorrect MIME Header" bug -- patched over two years ago
and used by most mass-mailing binary viruses in the last two years)
2b. Have sufficiently weak systems in place that allow users to
execute arbitrary executables arriving through Email _on Internet
exposed machines_ (various Outlook and OE security patches can easily
prevent executable attachments of Bugbear's type from being accessed
by users)
If the virus did not arrive by Email, then the second point shows us
their other internal security processes are clearly inadequate -- a
home user may have injected the virus through a dial-up or VPN
connection from an inadequately protected machine, a consultant,
remote or travelling worker could have injected it by plugging a
laptop infected elsewhere into the LAN, or the LAN may have Windows
shares somewhere exposed to the Internet.
Whatever -- it all boils down to a big question of "should you allow
code that these folks have touched near your machines"?
Score one very big black-eye for ABIT.
And back to Mr Wood for a moment...
There was no need for you to send a second copy of the virus to the
list. I'm sure the list admins would have preferred you showed some
respect for their bandwidth, given the attachment had clearly almost
surely already been sent to the whole list. As your "profressional"
security research skills clearly do not extend to full SMTP message
header analysis, use of Google as a "research tool" nor the ability
to check well-known antivirus and security sites for descriptions of
current and recent virus outbreaks and the workings of said viruses,
you should at least have had the decency of posting to the list a
_description_ of what happened to you (or better, the full headers,
though that is probably also beyond your "profressional" skill-set
still), asked if anyone else saw it, what it was and so on.
> thanks
You're welcome, but I'd rather not have to keep doing this because
you finally realize the extent of your limitations and stop making
such inappropriate posts...
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
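The Received: trail check Nick walks through above, as an added Python example (not code from the original message or the list). It parses the quoted headers, verifies that each hop names the server that wrote the hop below it, and separates what the list's own MTA recorded (the connecting peer mail.abit-usa.com [65.123.7.3]) from what abit-usa.com claims about its internal sender (tarantino [192.168.1.46]). The sample headers are constructed from the ones quoted in the post, with the snipped hops left out; the trusted-domain suffix "netsys.com" is an assumption that the list server's headers are the ones you trust.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the Received: trail quoted in the post, snipped hops omitted.
SAMPLE_HEADERS = """\
Received: from NETSYS.COM (localhost [127.0.0.1])
\tby netsys.com (8.11.6p2/8.11.6) with ESMTP id h56NXpX17740;
\tFri, 6 Jun 2003 19:33:51 -0400 (EDT)
Received: from abit-usa.com (mail.abit-usa.com [65.123.7.3])
\tby netsys.com (8.11.6p2/8.11.6) with ESMTP id h56NRgK16845
\tfor <full-disclosure@...sys.com>; Fri, 6 Jun 2003 19:27:42 -0400 (EDT)
Received: from tarantino [192.168.1.46] by abit-usa.com
\t(SMTPD32-7.07) id A1A23B20066; Fri, 06 Jun 2003 16:20:02 -0700
"""

def parse_hop(value):
    """One Received: header. rdns/ip are what the receiving MTA itself recorded."""
    v = re.sub(r"\s+", " ", value.strip())          # unfold the header
    grab = lambda pat: (m := re.search(pat, v, re.I)) and m.group(1)
    return {"helo": grab(r"^from (\S+)"),            # name the peer announced
            "rdns": grab(r"\(([\w.-]+) \["),         # receiver's reverse lookup
            "ip": grab(r"\[([0-9.]+)\]"),            # peer address the receiver saw
            "by": grab(r" by (\S+)")}                # server that wrote this hop

def received_chain(raw_headers):
    """Hops top-down: first is nearest the recipient, last is the claimed origin."""
    return [parse_hop(h) for h in message_from_string(raw_headers).get_all("Received", [])]

def chain_is_consistent(hops):
    """Each hop's peer must be the host that wrote the hop directly below it."""
    for upper, lower in zip(hops, hops[1:]):
        by = lower["by"].lower()
        if not any(n.lower() == by or n.lower().endswith("." + by) for n in (upper["helo"], upper["rdns"]) if n):
            return False
    return True

def last_trusted_peer(hops, trusted_suffix):
    """Peer recorded by the deepest hop a trusted server wrote: the sending side can forge every hop below it, not this one."""
    peer = None
    for hop in hops:
        if not hop["by"].lower().endswith(trusted_suffix.lower()):
            break
        peer = (hop["rdns"] or hop["helo"], hop["ip"])
    return peer

def claimed_origin(hops):
    """Bottom hop: the machine the sending site itself says injected the mail, flagged if it is an internal address."""
    ip = ipaddress.ip_address(hops[-1]["ip"])
    return hops[-1]["helo"], str(ip), ip.is_private, hops[-1]["by"]
```

With the sample trail, last_trusted_peer(hops, "netsys.com") is the only fact the list server vouches for; everything under it rests on abit-usa.com telling the truth about its own LAN.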