| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: nick at virus-l.demon.co.uk (Nick FitzGerald) Subject: Re: W2K source "leaked"? "Drew Copley" <dcopley@...e.com> wrote: > It is true that there are exploits which can go under the radar. > > I have a lot of fascination for these. > > Customers can't report to AV or security companies trojans they never > even knew they had. > > The requirement level is high, however: Yep, but seldom as high as you suggest... > -> Finding a substantial Window's bug is difficult. Usually. It isn't > black magic, but it isn't well documented and requires a substantial > amount of effort. > -> There is a huge demand to just release the bug to the public through > Full Disclosure Or, skip all that palaver and recon your target carefully to determine: 1. What products inspect their incoming Email. Many sites helpfully leak great scads of valuable information about virus and content scanner products and versions used just from inspecting the headers of messages from staff and from bounces. Most sites are even more helpful if you send specially chosen attachments or specifically styled messages as they will bounce messages back because they fail one or other of their virus, spam and other content control filters which usually cannot resist advertising their maker's products. 2. What products and versions they use for web browsing, Email, etc. 3. If the answers are Windows, IE, Outlook/OE and their virus and content scanners are not heavily into exploit detection (many claim to detect exploits but really only detect minor variations on the original proof of concept code posted by Guninski, http-equiv, etc) then it should be relatively easy to devise a variation on one of several currently known exploits to get past the supposed "protection". > -> traditional trojan models have the trojan listening on a port, always > active... This can mean it could crash or otherwise reveal itself to the > end user. Magnify the end user pool and you so magnify the chance for an > unknown error to reveal itself. Especially across different locale > systems. > -> One needs to take care of erasing the tracks back and forth to the > system. This would mean that one would have to communicate with the > trojan in a way that would be imperceptible to all of the 'radars' > people have out there (honeypots, sniffers, firewalls, ids')... The more > end users or "victims" or "targets" the larger the chance that this > communication would be seen > -> One would need to keep silent about all of this. This would rule out > most people. Except for professionals and true fanatics. Both the > fanatic and the professional would have to entirely resist the > temptation to brag about such an amazing feat. Human nature is strongly > propelled by the need for praise from men... Ego feeding. Forget food > and shelter. People want glory. So, you either have a loner or someone > really, really committed to their goal. > -> One would need to understand the target's AV, IDS and whatever other > system of protection or evidence gathering they might have in place. Those are all good points, and especially problematic to someone trying to surreptitiously build up a bot army or similar. However, if the object of the exercise is a directed attack by a competitor to steal proprietary information (be that a listing of your sales database or the source code of your next "market leading" app), or by organized crime to get anything worth blackmailing you over (any proprietary data they could sell to your competitors or any "dirt" -- "we hacked <your_company_name> and here's the proof" where that kind of exposure would be damaging to your business' reputation, most of those concerns are greatly reduced as it only needs to be a one-time hit. > -> If someone wants to just make a bunch of money by stealing online, > they don't have to have a new bug and they don't have to jump through > all of these hoops. So what if they are detected? By then they could > clean up shop already. It isn't like there is some kind of effective or > fast police force anywhere dealing with any of this. This is a huge > factor. Of course, and that is what the current skiddie fad of mass- distribution of trivially new RAT variants is all about and why some RATs target one or more of the the Sub7, Kuang and Mydoom networks to distribute their RATs and other malware and so on. There are enough na?ve, gullible folk out there to get owned via these methods _AND_ who aren't using AV that will detect the latest RAT variant either initially or within a few days (after an update or two) or who aren't using a firewall to block the outgoing connections, or who won't notice for weeks or months that their AV and/or firewall has been disabled (the first action of increasingly many of these kinds of things). Because there is such an army of na?ve users and because there is no effective law enforcement interest in dealing with the perpetrators of such "virtual crime" we will keep seeing this end of the market thrive (most of the skiddies running their RAT generator kits don't even care that most of the large AVs detect all their "new" variants generically or heuristically, because they have long since realized that even just focussing on hitting some portion of the userbase of folk who don't use (up-to-date) AV is more than enough for most of them). We've strayed some distance from what, if any, increased security concerns there are as a result of the Windows source "leak"... -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854
Powered by blists - more mailing lists