Dailydave mailing list archives
RE: WMF and the Windows Vulnerability Drought :>
From: "nahual () g-con org" <nahual () g-con org>
Date: Tue, 3 Jan 2006 20:23:14 -0500
I would have to disagree. I worked for the Kaspersky antivirus research lab, so at least on AV I have my 2 cents to say (needless to say that I worked on the first steganographic virus on research for g-con 1) ... And I don't think having an executable file with CAPS executed is decent stuff! (Real bug on a major antivirus less than 6 months ago.) And yet, well, I would point you to my DIDSE presentation at Defcon 9 on IDS evasion, so I guess (not that much) that I do have a point to make in here, which is: flaming on the corporate side will happen, and at least AV engines will never make a good point on catching but the obvious, and needless to say they will of course get pissed if they have to do more work, since their update packages will have to be bigger; and that also applies to IDS of course, and having heuristics on IDS would take a lot of time ... would be nice ...

Presumably it is the way I talk; my 2 cents, don't like it, there is a filter button somewhere in your client of course! Now retract from the chair, take a chill pill and relax.

//Nahual

-----Original message-----
From: Orlando Padilla [mailto:xbud () g0thead com]
Sent: Monday, 02 January 2006 06:24 a.m.
To: dailydave () lists immunitysec com
Subject: Re: [Dailydave] WMF and the Windows Vulnerability Drought :>

Wow, El Nahual's post was definitely out of hand and hardly relevant. AV engines have a job to do, and it's mostly to contain, to a degree, a new threat, and they do a fair job of this in a (usually) decent amount of response time. With few exceptions of course! Given the fact that the exploit was already circling around in the *wrong* crowds should shut these people up. It took hdm all of 30 minutes to port it to a module and another 40 to evade the IDS engines? What makes him the bad guy? He didn't find the bug and disclose it to the spyware industry, someone else did; does anyone care to mention this anywhere?

Normally I would say 'Companies' are still assuming public vulnerabilities are the only ones affecting our networks, but more and more frequently the Sec Industry does so as well. Let's all go learn something at the next SANS conference, eh? Also, if you're going to flame, do it constructively (El Nahual); pointless cursing and ranting at a defense is ... immature?

Orlando,

On Monday 02 January 2006 02:52 pm, El Nahual wrote:

Answering within lines:

-----Original message-----
From: H D Moore [mailto:hdm-daily-dave () digitaloffense net]
Sent: Monday, 02 January 2006 03:57 p.m.
To: dailydave () lists immunitysec com
Subject: Re: [Dailydave] WMF and the Windows Vulnerability Drought :>

On Monday 02 January 2006 15:20, Dave Aitel wrote:
So I'm not sure why Sans Diary has people calling HD Moore irresponsible, when all he did was point out the brutally obvious: You can't write reliable network IDS signatures for these client side bugs.

From the F-Secure web site:
- http://www.f-secure.com/weblog/archives/archive-012006.html#00000758

"Making such tools publicly available when there's no vendor patch available is irresponsible. Plain and simply irresponsible. Everybody associated in making and publishing the exploit knows this. And they should know better. Moore, A.S, San and FrSIRT: you should know better."

-----------
AKA I'm pissed off since I didn't discover the shit
-----------

The AV industry sure doesn't like it when their products are completely ineffective against the biggest exploit of the year. They like it even less when you publish a one-byte change that breaks their signatures. I can't blame them for being upset, but this public attempt at "scolding" is just pathetic.

-------------
Short answer: Get a fucking engine that works.

Long answer: Since you are stupid and rely on trying to detect every single fucking variation of malware, you should at least try to get some decent heuristics into your engine and not get fooled by the most stupid virus or even some not so easy metamorphic viruses, not to say the easiness with which your memory space can be written and your antivirus can just segfault, or even worse, detect to return 0 on your scan routine....
-------------

On a somewhat funny note, a poll was added to the ISC web site (by Swa Frantzen) that I figured the folks on here would appreciate:

---
Q: Was the release of the 2nd generation WMF exploit on Dec 31st 2005 irresponsible?
39 % => Yes, I'd like to see the authors brought to justice
22 % => Yes, they made the world a worse place
28 % => No, the bad guys had already equal ammunition
10 % => No, I believe the ends did justify the means
Total Answers: 797
---

--------------
Yeah, bring them to justice, but then those ppl should uninstall Windows 2000 and XP, because god knows Microsoft didn't want to write win2k; a nice kernel bug on NT4 made it ... guess who owes running XP to run those games on them ...
--------------

I contacted the ISC team about this -- introducing the exploit authors as people that need to be "brought to justice" is about one step from libel. So far, only 39% of ISC's visitors want to see my ass thrown in jail. I can't help to think that the wording of that first poll option has something to do with it.

---------------
I'll just quote darkspyrit on this one: "Thinking the public exploit is the only one available is plain stupid". There are massive amounts of excellent hackers and programmers all over the world; someone has to come to the bug.
---------------

On the same page as the poll is a nice post from Marcus suggesting that people check out the Metasploit Framework. Go figure :-)

The poll can be found online at:
- http://isc.sans.org/

Next poll on the ISC web site, "What limb would you most like to have devoured by flesh-eating scarabs?"...

-HD

---------------
I bet half of these ppl have used your framework; it's just that they are too stupid to put the name with the framework yet ....

Just my 2 cents
//Nahual
---------------