lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <58DB1B68E62B9F448DF1A276B0886DF16EB6190C@EX2010.hammerofgod.com>
Date: Tue, 23 Nov 2010 16:25:04 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: "Mikhail A. Utin" <mutin@...monwealthcare.org>, Ryan Sears
	<rdsears@....edu>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: virus in email RTF message MS OE almost
 disabled

You may be a complete idiot, but at least you're determined.  If anyone is going to help, you have to give them something to work from, not "it happened on my home PC."  It is truly frightening to see someone with such an utter lack of the most basic of any security understanding actually getting paid to protect medical information (your HIPPA violation is forthcoming, someone will see to that) and taking jobs away from people who deserve them, but I'll reserve further comment for my "Tard of the Month" blog I'll begin with you.  

Here is the most basic of information you need to provide anyone who could possible help you.  

What OS are you running?  What version of OE?  What version of Office are you running, and what components are installed?  Which service packs are installed?  What AV/Malware products are installed and what are the results of scans?  What are the actual attachment details?   Did it even occur to you that the filename might give someone a clue?  What network connections are open?  Does a TCP capture show anything valuable?  How can you have any reasonable expectation of reaching your goal when literally, the only thing you've told us is that you have OE, and RTF file, your home computer, and that it is OK to tell the Full Disclosure list the details of your organization?

And finally,  do you actually think someone who is trying to help you, for FREE, is going to fill out whatever you think is "appropriate paperwork" to get a copy of this evil RTF file?   You should also shed some light on what you mean by "public emails...are prohibited by policies."  What policies?  How are you prohibiting public emails?  First clue is that it obviously isn't working... 

The questions are, of course, rhetorical.  If you don't know what questions to ask, you surely won't know what to do with the answers.   Security Basics is a far better list for you. 

t

-----Original Message-----
From: Mikhail A. Utin [mailto:mutin@...monwealthcare.org] 
Sent: Tuesday, November 23, 2010 7:04 AM
To: Ryan Sears; Thor (Hammer of God)
Cc: full-disclosure@...ts.grok.org.uk
Subject: RE: [Full-disclosure] virus in email RTF message MS OE almost disabled

This my final reply.
For still interested:
- it happened on my home PC
- immediately disconnected (for a few interested people I can forward email to taste this thing after receiving appropriate paperwork)
- it is beyond MS released SPs for Office and Windows
- using this list is OK as we discuss vulnerabilities
- using corporate email is not prohibited to discuss professional topics
- public emails, charts/IM, social sites are prohibited by policies
 
Sorry, I was looking for a few short ideas and mostly for known cases, but not lecturing. I'll fix it, not a big deal. Expect others as having some knowledge as well and do not waste time. BTW, certifications help in all covered matters, believe me. Even in understanding that other may know something and do have certain experience.

If you know such cases, please, reply. Otherwise do not waste your and computer energy.

Thank you

Mikhail A. Utin, CISSP
Information Security Analyst
Commonwealth Care Alliance
30 Winter St.
Boston, MA 
TEL: (617) 426-0600 x.288
FAX: (617) 249-2114
http://www.commonwealthcare.org
mutin@...monwealthcare.org


-----Original Message-----
From: Ryan Sears [mailto:rdsears@....edu] 
Sent: Monday, November 22, 2010 5:41 PM
To: Thor (Hammer of God)
Cc: full-disclosure@...ts.grok.org.uk; Mikhail A. Utin
Subject: Re: [Full-disclosure] virus in email RTF message MS OE almost disabled

Yeah I've got to go with Thor on this one. 

You endangered your entire infrastructure by exposing internal defects in your (or your staffs) knowledge. That's a big no-no. Every company presumably has people in it who aren't the 'sharpest tools in the shed' so to speak, but in one email you've divulged more then enough information to mount a social-engineering attack to gain access to not only your home computer, but assuming you're using the same passwords for everything, *everything you run*. 

Don't ask questions about this kind of stuff on FULL-DISCLOSURE. This is a security mailing list, and you asking if you got a virus is equivalent to installing that retardo purple dancing monkey and being suprised it's backdoored your computer. You're going to be endlessly flamed for it, because you're wasting people's time to make you look like a fool.

The fact that you're looking for newly installed executables is a joke, really. Most modern initial exploitation vectors have been built to run fully in memory, never hitting the disk. Also thanks to DLL migration you can instantly exploit then migrate to something like explorer.exe. You should've been looking for network connections as opposed to an entry in your uninstall menu saying 'l33t M$0FFICE expl0itz lul!'.

While Thor's response might have been a bit sharp-tonged, I share his frustrations and agree with him whole-heartedly. Too many times our most important information is stored in the hands of people who either don't think about security, or blatantly ignore it. This is not only disturbing, but sad as well. What's the point in protecting my information on my private network if it's going to be poached when it enters YOUR hands? Hackers look for the path of least resistance, and operate on the old adage 'work smart, not hard'.

You sir, are a classic example of why certifications and titles are a bad idea, and are currently failing our industry. How can you call yourself a 'genius' if you aren't actually one? How can a CISSP *not* know about basic virus/exploitation behavior? You're the equivalent to the people who go to a garage sale, buy a purple heart then tell everyone to call him 'sarge'. I'd say spend 10 min googling for some file format analyzers (which aren't the greatest but MIGHT catch blatant stuff like that assuming there's something there), then spend another 10 finding a professional to help you re-order your infrastructure, and look at your company through the eyes of a hacker, not just someone who read a few paragraphs on security then decided to call them-self a 'security professional'. 

Sorry if I seem impatient, but this is the *exact* behavior that all of our infrastructures should be not only curving,  but cauterizing with fire. If you don't understand about file-format vectors of attack, LEARN ABOUT THEM. Don't expect to get spoon-fed answers, but we live in a time where *any* question can be answered within a minute of googling, and that's if your google-fu ISN'T strong.

Google-fu. That's how you become half-decent at anything now-a-days. There are vast communities centered around everything from web attacks, ring-0 level exploits, wireless hacking, embedded devices, and everything else in-between. We all start off as n00bs, but the difference is the people who actually want to learn do, because they enjoy learning about it, and go seek the knowledge relevant to them. If you wanted any real help, you should've enclosed the file in question, not just said there was some mystery file that caused some cpu load. Welcome to Windows. That happens quite often. 

Ryan Sears

----- Original Message -----
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: "Mikhail A. Utin" <mutin@...monwealthcare.org>
Cc: full-disclosure@...ts.grok.org.uk
Sent: Monday, November 22, 2010 4:52:07 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] virus in email RTF message MS OE almost disabled

Keep it on the list.  No need for private emails if you need assistance - give everyone a chance!

My response was far more useful than your post - "I got pwned by an Office virus by opening an attachment in OE - What could it be??"  Jeeze dude.  And I didn't give any "adice" about "Noton."  I said to get someone professional, which you *clearly* need to do. 

You should look up these guys:  
http://www.rubos.com/pisa.html

Apparently they are Information System Security Professionals, and they are in the same town as you.  One even has a CISSP, so you KNOW that he knows what he is doing.  Funny thing is that he has the exact same name as you do.  What are the chances of that?  If these guys formed the company to sell services to businesses and individuals to comply with legal security and privacy requirements, then they should be able to figure out how to find an Office virus on XP, right?

You can even join them as "Security professionals and experienced Information Sestems professionals are welcome."  I'm not sure what a "Sestems professional" is, but it must be very important work.

Waste of time indeed.  Apple Stores are hiring "geniuses" for the holidays - even they know how to use XP and could help. 

t





From: Mikhail A. Utin [mailto:mutin@...monwealthcare.org] 
Sent: Monday, November 22, 2010 1:26 PM
To: Thor (Hammer of God)
Subject: RE: virus in email RTF message MS OE almost disabled

Your email is useless. It is on my home PC. If you have better adice than using Noton SW, then please use your mind to get something minigful.
If you can name the virus or where to find its instance, it would be a help. Otherwise do not waste you and my time.

From: Thor (Hammer of God) [mailto:thor@...merofgod.com] 
Sent: Monday, November 22, 2010 3:17 PM
To: Mikhail A. Utin; full-disclosure@...ts.grok.org.uk
Subject: RE: virus in email RTF message MS OE almost disabled

You know, every time I start to get a bit of hope for what looks like an upward trend of businesses and organizations taking security seriously, I see crap like this.  Your organization is a Medicare prescription contractor with a national network of 61,022 contracted pharmacies, and not only are you running unpatched versions of old OS's and opening email attachments because they "look OK," but you have to post to Full Disclosure asking help for trivial virus detection and removal advice?   Now that everyone on FD knows that you are vulnerable and that you open email attachments, you've probably just caused the organization to be pwned 9 ways from Sunday. 

To answer your question, call a professional and have them do it.  And in the future, don't send out emails like this from your organization email announcing the state of your security.  That's what Hotmail is for.  

t

From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Mikhail A. Utin
Sent: Monday, November 22, 2010 7:18 AM
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] virus in email RTF message MS OE almost disabled

Hello,
Opening looking OK email message in my MS OE I've very likely got new kind of virus, which exploits MS Office flaw recently announced. Immediately after, my OE started consuming huge memory when I switched between folders or messages. I've not seen any process in Task Manager taking up to 1 GB memory (physical is 512M). I did not find any newly installed executables either. When I shut down OE, the computer works fine.
Any thoughts?
Thank you

Mikhail
CONFIDENTIALITY NOTICE: This email communication and any attachments may contain confidential 
and privileged information for the use of the designated recipients named above. If you are 
not the intended recipient, you are hereby notified that you have received this communication 
in error and that any review, disclosure, dissemination, distribution or copying of it or its 
contents is prohibited. If you have received this communication in error, please reply to the 
sender immediately or by telephone at (617) 426-0600 and destroy all copies of this communication 
and any attachments. For further information regarding Commonwealth Care Alliance's privacy policy, 
please visit our Internet web site at http://www.commonwealthcare.org.

CONFIDENTIALITY NOTICE: This email communication and any attachments may contain confidential 
and privileged information for the use of the designated recipients named above. If you are 
not the intended recipient, you are hereby notified that you have received this communication 
in error and that any review, disclosure, dissemination, distribution or copying of it or its 
contents is prohibited. If you have received this communication in error, please reply to the 
sender immediately or by telephone at (617) 426-0600 and destroy all copies of this communication 
and any attachments. For further information regarding Commonwealth Care Alliance's privacy policy, 
please visit our Internet web site at http://www.commonwealthcare.org.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

CONFIDENTIALITY NOTICE: This email communication and any attachments may contain confidential 
and privileged information for the use of the designated recipients named above. If you are 
not the intended recipient, you are hereby notified that you have received this communication 
in error and that any review, disclosure, dissemination, distribution or copying of it or its 
contents is prohibited. If you have received this communication in error, please reply to the 
sender immediately or by telephone at (617) 426-0600 and destroy all copies of this communication 
and any attachments. For further information regarding Commonwealth Care Alliance's privacy policy, 
please visit our Internet web site at http://www.commonwealthcare.org.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ