RE: WMF and the Windows Vulnerability Drought :>

["nahual () g-con org" <nahual () g-con org>]

Would have to disagree I worked for kaspersky antivirus research lab so at
least on AV i have my 2 cents to say (needles to say that i worked on the
first steganographic virus on research for g-con 1) ...

And I don’t think having a executable file with CAPS executed a decent
stuff! (real bug on a mayor antivirus less than 6 months ago)

And yet well I would point you to my DIDSE presentation on defcon 9 on IDS
evasion so I guess (not that much) that I do have a point to make in here,
which is, flaming on the corporate side will happen and at least AV engines
will never make a good point on catching but the obvious and needles to say
they will of course get pissed if they have to do more work! since their
update packages will have to be bigger, and that also applies on IDS of
course, and having heuristics on IDS would take a lot of time ... would be
nice ...

Presumably is the way I talk, my 2 cents, don’t like it there is a filter
button somewhere in your client of course! Now retract from the chair take
a chill pill and relax.

//Nahual

-----Mensaje original-----
De: Orlando Padilla [mailto:xbud () g0thead com] 
Enviado el: Lunes, 02 de Enero de 2006 06:24 a.m.
Para: dailydave () lists immunitysec com
Asunto: Re: [Dailydave] WMF and the Windows Vulnerability Drought :>

Wow, El Nahual's post was definitely out of hand and hardly relevant.  AV 
engines have a job to do, and its mostly to contain - to a degree a new 
threat and they do a fair job of this in a (usually) decent amount of 
response time.   With few exceptions of course!

Given the fact that the exploit was already circling around in the *wrong* 
crowds should shut these people up.  It took hdm all of 30 minutes to port
it 
to a module and another 40 to evade the IDS engines?   What makes him the
bad 
guy?  He didn't find the bug and disclose it to the spyware industry
someone 
else did, does anyone care to mention this anywhere?  

Normally I would say 'Companies' are still assuming public vulnerabilities
are 
the only ones affecting our networks, but more and more frequently the Sec 
Industry does so as well.

Lets all go learn something at the next SANS conference eh?

Also, if you're going to flame do it constructively (El Nahual) pointless 
cursing and ranting at a defense is ... immature?

Orlando,

On Monday 02 January 2006 02:52 pm, El Nahual wrote:
> Answering within lines:
>
>
> -----Mensaje original-----
> De: H D Moore [mailto:hdm-daily-dave () digitaloffense net]
> Enviado el: Lunes, 02 de Enero de 2006 03:57 p.m.
> Para: dailydave () lists immunitysec com
> Asunto: Re: [Dailydave] WMF and the Windows Vulnerability Drought :>
>
> On Monday 02 January 2006 15:20, Dave Aitel wrote:
> > So I'm not sure why Sans Diary has people calling HD Moore
> > irresponsible, when all he did was point out the brutally obvious: You
> > can't write reliable network IDS signatures for these client side
> > bugs.
> >
> > From the F-Secure web site:
>
> - http://www.f-secure.com/weblog/archives/archive-012006.html#00000758
>
> "Making such tools publicly available when there's no vendor patch
> available is irresponsible. Plain and simply irresponsible. Everybody
> associated in making and publishing the exploit knows this. And they
> should know better. Moore, A.S, San and FrSIRT: you should know better."
>
> -----------
> AkA Im pissed off since i didnt discover the shit
> -----------
>
> The AV industry sure doesn't like it when their products are completely
> inneffective against the biggest exploit of the year. They like it even
> less when you publish a one-byte change that breaks their signatures. I
> can't blame them for being upset, but this public attempt at "scolding"
> is just pathetic.
>
> -------------
> Short answer: Get a fucking engine that Works
> Long answer: Since you are stupid and relay on try to detect every single
> fucking variation of malware you should at least try to get some decent
> heuristics into your engine and not get fooled by the most stupid virus or
> even some not so easy metamorphic viruses, not to say the easiness in
which
> your memory space can be written and you antivirus can just segfault or
> even worse detect to return 0 on your scan routine....
> -------------
>
> On a somewhat funny note, a poll was added to the ISC web site (by Swa
> Frantzen) that I figured the folks on here would appreciate:
>
> ---
> Q: Was the release of the 2nd generation WMF exploit on Dec 31st 2005
> irresponsible ?
>
> 39 % =>Yes, I 'd like to see the authors brought to justice
> 22 % =>Yes, they made the world a worse place
> 28 % =>No, the bad guys had already equal ammunition
> 10 % =>No, I believe the ends did justify the means
> Total Answers: 797
> ---
>
> --------------
> Yeah bring them to justice, but then tose ppl should uninstall Windows
2000
> and XP because god knows Microsoft didnt want to write win2k, nice kernel
> bug on NT4 made it ... guess who owes running xp to run those games on
them
> ...
> --------------
>
> I contacted the ISC team about this -- introducing the exploit authors as
> people that need to be "brought to justice" is about one step from libel.
> So far, only 39% of ISC's visitors want to see my ass thrown in jail. I
> can't help to think that the wording of that first poll option has
> something to do with it.
>
> ---------------
> I'll just quote darkspyrit on this one: "Thinking the public exploit is
the
> only one available is plain stupid". There are massive amounts of
excellent
> hackers and programmers on all the world someone has to come to the bug.
> ---------------
>
> On the same page as the poll is a nice post from Marcus suggesting that
> people check out the Metasploit Framework. Go figure :-)
>
> The poll can be found online at:
> - http://isc.sans.org/
>
> Next poll on the ISC web site, "What limb would you most like to have
> devoured by flesh-eating scarabs?"...
>
> -HD
>
> ---------------
> I bet half of this ppl have used your framework, is just that they are too
> stupid to put the name with the framework yet ....
>
> Just my 2 cents
>
> //Nahual
> ---------------



--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .