Re: WMF and the Windows Vulnerability Drought :>

[Orlando Padilla <xbud () g0thead com>]

Wow, El Nahual's post was definitely out of hand and hardly relevant.  AV 
engines have a job to do, and its mostly to contain - to a degree a new 
threat and they do a fair job of this in a (usually) decent amount of 
response time.   With few exceptions of course!

Given the fact that the exploit was already circling around in the *wrong* 
crowds should shut these people up.  It took hdm all of 30 minutes to port it 
to a module and another 40 to evade the IDS engines?   What makes him the bad 
guy?  He didn't find the bug and disclose it to the spyware industry someone 
else did, does anyone care to mention this anywhere?  

Normally I would say 'Companies' are still assuming public vulnerabilities are 
the only ones affecting our networks, but more and more frequently the Sec 
Industry does so as well.

Lets all go learn something at the next SANS conference eh?

Also, if you're going to flame do it constructively (El Nahual) pointless 
cursing and ranting at a defense is ... immature?

Orlando,

On Monday 02 January 2006 02:52 pm, El Nahual wrote:
> Answering within lines:
>
>
> -----Mensaje original-----
> De: H D Moore [mailto:hdm-daily-dave () digitaloffense net]
> Enviado el: Lunes, 02 de Enero de 2006 03:57 p.m.
> Para: dailydave () lists immunitysec com
> Asunto: Re: [Dailydave] WMF and the Windows Vulnerability Drought :>
>
> On Monday 02 January 2006 15:20, Dave Aitel wrote:
> > So I'm not sure why Sans Diary has people calling HD Moore
> > irresponsible, when all he did was point out the brutally obvious: You
> > can't write reliable network IDS signatures for these client side
> > bugs.
> >
> > From the F-Secure web site:
>
> - http://www.f-secure.com/weblog/archives/archive-012006.html#00000758
>
> "Making such tools publicly available when there's no vendor patch
> available is irresponsible. Plain and simply irresponsible. Everybody
> associated in making and publishing the exploit knows this. And they
> should know better. Moore, A.S, San and FrSIRT: you should know better."
>
> -----------
> AkA Im pissed off since i didnt discover the shit
> -----------
>
> The AV industry sure doesn't like it when their products are completely
> inneffective against the biggest exploit of the year. They like it even
> less when you publish a one-byte change that breaks their signatures. I
> can't blame them for being upset, but this public attempt at "scolding"
> is just pathetic.
>
> -------------
> Short answer: Get a fucking engine that Works
> Long answer: Since you are stupid and relay on try to detect every single
> fucking variation of malware you should at least try to get some decent
> heuristics into your engine and not get fooled by the most stupid virus or
> even some not so easy metamorphic viruses, not to say the easiness in which
> your memory space can be written and you antivirus can just segfault or
> even worse detect to return 0 on your scan routine....
> -------------
>
> On a somewhat funny note, a poll was added to the ISC web site (by Swa
> Frantzen) that I figured the folks on here would appreciate:
>
> ---
> Q: Was the release of the 2nd generation WMF exploit on Dec 31st 2005
> irresponsible ?
>
> 39 % =>Yes, I 'd like to see the authors brought to justice
> 22 % =>Yes, they made the world a worse place
> 28 % =>No, the bad guys had already equal ammunition
> 10 % =>No, I believe the ends did justify the means
> Total Answers: 797
> ---
>
> --------------
> Yeah bring them to justice, but then tose ppl should uninstall Windows 2000
> and XP because god knows Microsoft didnt want to write win2k, nice kernel
> bug on NT4 made it ... guess who owes running xp to run those games on them
> ...
> --------------
>
> I contacted the ISC team about this -- introducing the exploit authors as
> people that need to be "brought to justice" is about one step from libel.
> So far, only 39% of ISC's visitors want to see my ass thrown in jail. I
> can't help to think that the wording of that first poll option has
> something to do with it.
>
> ---------------
> I'll just quote darkspyrit on this one: "Thinking the public exploit is the
> only one available is plain stupid". There are massive amounts of excellent
> hackers and programmers on all the world someone has to come to the bug.
> ---------------
>
> On the same page as the poll is a nice post from Marcus suggesting that
> people check out the Metasploit Framework. Go figure :-)
>
> The poll can be found online at:
> - http://isc.sans.org/
>
> Next poll on the ISC web site, "What limb would you most like to have
> devoured by flesh-eating scarabs?"...
>
> -HD
>
> ---------------
> I bet half of this ppl have used your framework, is just that they are too
> stupid to put the name with the framework yet ....
>
> Just my 2 cents
>
> //Nahual
> ---------------