Message-ID: <b7bc1b1f0409011900111659ac@mail.gmail.com>
From: uberguidoz at gmail.com (Über GuidoZ)
Subject: Viral infection via Serial Cable
Well stated James, as usual. You'll have to excuse me if it appeared I
participated in the pissing contest. Was only trying to reiterate my
point, not to mention pointing out what I WASN'T talking about. It
seemed there was some confusion.
James Tucker said:
> 4. Most viruses in circulation today use TCP/IP or higher level
> protocols, not native RS232.
AND
> Personally I never saw or heard of a virus which tries to communicate
> with another computer attached to an RS232 port (maybe a laplink
> virus or the like??), as this is an unusual scenario.
Exactly the point I was trying to make. Nothing more, nothing less.
> Rant over.
Aww, just when it was getting good... =)
P.S. Thanks for the Gmail tip. It's working wonders and making my life
much easier.
--
Peace. ~G
On Wed, 1 Sep 2004 20:26:34 +0100, James Tucker <jftucker@...il.com> wrote:
> Once again this discussion is drifting very far away from the FACTS,
> let alone relevance:
>
> 1. On a BBS you connect through a modem; a modem (typically) uses an
> AT command set, and you would require another modem to connect to.
> Data transfer happens as a subset of this command set. These protocols
> are not available at the computer end unless you have built an
> application to emulate a modem.
> 2. On a BBS you would have actively downloaded the file yourself, this
> is not going to happen anywhere near the RS232 in this case, the virus
> will come from an EXTERNAL link first, and the question was if it
> could infect over a new outbound media, RS232.
> 3. As I and others have clearly stated in previous posts, RS232 can
> carry DATA therefore can theoretically transfer a virus.
> 4. Most viruses in circulation today use TCP/IP or higher level
> protocols, not native RS232.
> 5. If a virus could use native RS232 it would require the ability to
> exploit something on the other end, Windows itself does not respond to
> incoming serial data, except where it thinks it has detected a mouse
> (possibly one of the best ways to exploit this unit) this would be an
> almost impossible to compute exploit however.
> 6. TCP/IP can be turned on for use over RS232 ports in Windows, this
> shows up as "Incoming Connections" in the network connections folder.
> It is unlikely this has been done, however if it has it should be
> locked down. This method would require the client computer to also run
> a TCP/IP stack at the other end, if this has not been set up by the
> user then we have a further likelihood of no TCP/IP stack attached (in
> software) to the RS232 port.
> 7. There are other serial protocols in existence besides TCP/IP,
> however these are not available by default on an NT box, furthermore
> most of these protocols have a "wait for accept" implementation.
> 8. The most feasible form of exploit which could be used against this
> box in all likelihood would be to not exploit it at all, but just to
> send (protocol wise) fully legal messages to the unit, instructing it
> to do something it otherwise would never be intended to do.
>
> If you want to have an "I'm an old fogey" or "mine's bigger than yours"
> contest please do it off the list. There are always people in the
> world who will know more than you on a particular topic, and there are
> always bigger bullies somewhere else in the world. You can't beat them
> by not joining forces so stop pissing on each other and just start
> learning please. While this list is unmoderated, and I agree with
> that, your responses are unnecessary and not even interesting to read.
> Oh and for the pissing contest anyway, I'm under 25 and I used to
> actively use a 1200 baud for BBS access, frankly it seems neither of
> you understand how viruses worked in those days (despite probably
> having been there before me). That would be hyperterm style not phpBB
> style. One such example would be the hamster virus:
> http://www.f-secure.com/v-descs/hamster.shtml, a virus not indexed by
> most anti virus companies anymore. The Firkin virus used to sometimes
> dial out on modems, typically dialing 911; it would do this by probing
> all the RS232 ports on the machine and using the AT command set to
> control a modem - not appropriate here. Personally I never saw or
> heard of a virus which tries to communicate with another computer
> attached to an RS232 port (maybe a laplink virus or the like??), as
> this is an unusual scenario. Even more unusual than that would be a
> live protocol suitable for data transfer, code execution, and / or
> general exploitation; the only exception being a known network
> protocol, which would provide a higher layer for the virus to interact
> with.
> Rant over.