Full Disclosure mailing list archives
RE: Re: Administrivia: Testing Emergency Virus Filter..
From: "Drew Copley" <dcopley () eeye com>
Date: Wed, 20 Aug 2003 16:41:58 -0700
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Schmehl, Paul L
Sent: Wednesday, August 20, 2003 3:03 PM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Re: Administrivia: Testing Emergency Virus Filter..

-----Original Message-----
From: martin f krafft [mailto:madduck () madduck net]
Sent: Wednesday, August 20, 2003 1:35 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Re: Administrivia: Testing Emergency Virus Filter..

Only partially right, the other part is bugs in software and automation techniques that make viruses much easier and effective. Moreover, it's operating system design. If I caught a virus on my UNIX system, I might be sending it on if the virus is smart enough to figure out a way to get into control and to execute sendmail. However, it won't be able to infest the system and other local users.

Why would it have to execute sendmail? All it has to do is run /bin/mail(x) or use its own routines to telnet to port 25 and "talk smtp" directly.
This bug has its own SMTP server (to term it that way, as AV companies do). You connect out to the remote mail server and send directly. Writing such code is extremely trivial. It could very easily have been written for Linux. It is just that Linux is not used by the vast hordes of non-IT people. We can sit around and scorn them for their lack of knowledge, but that is an oddity to this profession. I don't know, maybe mechanics do this. I doubt dentists do this, or doctors, or lawyers... Or whatever else. I don't scorn people because they don't know anything about the SMTP protocol or how to write a basic SMTP client. I don't know how that guy thought that the SMTP client portion of this code was an OS issue... How that is OS design. I don't know why such people would be offering their opinion on this. Maybe they stayed at the Holiday Inn or something. Anyway, not trying to be rude to that guy here, just... This really stood out.
About the only OS I know of that doesn't have a telnet client and mail or mailx by default is Gentoo. No need to launch any daemons on your box. Most "modern" worms don't bother with processes on the box anyway. They create their own, download them or bring them with them.
Actually, quite a few don't; some still rely on piggybacking Outlook. But, yes, this trend should be disappearing as people upgrade, so their Outlook client will no longer be able to be remote controlled by another application. (Current versions not only block attachments but also the ability for applications to access the API framework itself.) Probably, grabbing email addresses from people's "inbox" or "address book" will still be popular, but this is really not OS specific, nor application specific. While Outlook will prevent this, an app can read the binary PST files and grep this info. Unless mail clients start encrypting their data, this will likely remain the best source for new email addresses. Even if email clients do start encrypting this information, it will still be easy to bypass because it is local. There is always a crack for local work. But, such a thing may deter some virus writers.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
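The thread's point that a worm carrying its own SMTP engine never touches the local mail client means the mail client's controls never see it, but the network does: a workstation that suddenly opens TCP/25 to many external mail exchangers is the visible footprint. The following detection, written as an added example for this thread and not code from either poster, runs over constructed firewall log lines in an invented format; the relay address, the 10.0.0.0/8 internal range and the threshold are assumptions.

```python
"""Flag internal hosts that speak SMTP directly to external mail servers,
the network footprint of a worm with its own SMTP engine (added example;
the log format below is constructed, not from any firewall product)."""
import re
from collections import defaultdict

# Hosts permitted to open outbound TCP/25: the site's mail relay (assumption).
APPROVED_RELAYS = {"10.0.0.25"}

# Constructed log lines: "<time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2003-08-20T16:41:58 ALLOW TCP 10.0.0.25:41122 -> 64.12.138.57:25
2003-08-20T16:42:01 ALLOW TCP 10.0.3.17:1045 -> 64.12.138.57:25
2003-08-20T16:42:01 ALLOW TCP 10.0.3.17:1046 -> 205.188.158.121:25
2003-08-20T16:42:02 ALLOW TCP 10.0.3.17:1047 -> 216.239.37.25:25
2003-08-20T16:42:03 ALLOW TCP 10.0.3.17:1048 -> 64.233.171.27:25
2003-08-20T16:42:05 ALLOW TCP 10.0.4.9:3311 -> 10.0.0.25:25
2003-08-20T16:42:06 ALLOW TCP 10.0.4.9:3312 -> 64.12.138.57:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def is_internal(ip: str) -> bool:
    """Internal address space for this example: 10.0.0.0/8 (assumption)."""
    return ip.startswith("10.")

def direct_smtp_senders(log: str, threshold: int = 3) -> dict:
    """Return {internal_host: {distinct external SMTP destinations}} for hosts
    that are not approved relays yet reached at least `threshold` distinct
    external hosts on TCP/25.  Mail handed to the internal relay is normal
    client traffic and is ignored, as is anything that is not TCP/25."""
    targets = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "TCP" or m["dport"] != "25":
            continue
        src, dst = m["src"], m["dst"]
        if src in APPROVED_RELAYS or is_internal(dst):
            continue
        targets[src].add(dst)
    return {host: dsts for host, dsts in targets.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    for host, mxs in direct_smtp_senders(SAMPLE_LOG).items():
        print(f"{host} opened SMTP to {len(mxs)} external hosts: {sorted(mxs)}")
```

On the sample data only 10.0.3.17 is reported; the relay's own outbound sessions and the workstation that hands mail to the relay are left alone.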