Dailydave mailing list archives
Re: We got owned by the Chinese and didn't even get a "lessons learned"
From: Nicolas RUFF <nruff () security-labs org>
Date: Thu, 25 May 2006 11:38:26 +0200
Oh, come on! And what if the malware exploits some kernel bug (we all have seen several such bugs last year, haven't we)? Obviously running as privilege user will not help in this case (although it's a very good idea indeed).
Of course there is always the possibility of a targeted, 0day, kernel attack through email (BTW, I'm eager to see the first one). My point was that attackers:

- were able to reverse MSO.DLL (wow :)
- were able to find a reliably exploitable flaw in there
- made a "stealth" shellcode, silently repairing the Word document
- started a targeted attack, using legible document names and email addresses

... and they used "c:\~.exe" instead of "%TEMP%\~.exe" at the end. Chinese stuff breaks too easily :)

As some colleague pointed out, the best HIPS ever should restrict program execution to "%ProgramFiles%" and "%SystemRoot%" (excluding "%temp%" and "%tmp%" maybe). Combined with a low-privilege user, I don't think any existing spyware/malware/otherware would execute flawlessly with such restrictions.

Regards,
- Nicolas RUFF
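The execution-path policy sketched in the message above (allow only "%ProgramFiles%" and "%SystemRoot%", but carve out "%temp%" and "%tmp%"), written out as an added example. This is editor-supplied code, not something Nicolas or any HIPS product shipped; the environment values, the sample paths and the helper names (expand, canonical, is_under, execution_allowed, evaluate) are assumptions made for the illustration. It uses Python's ntpath module so the Windows path rules can be exercised on any host. The point of the carve-out shows up in the constructed environment: a service running as LocalSystem has its %TEMP% at %SystemRoot%\Temp, which is world-writable, so without the exclusion the allowlist would wave "%TEMP%\~.exe" straight through.

```python
import ntpath
import re

# Constructed environment for the example. A real enforcement point reads the
# environment block of the process being launched, not a fixed table.
# TEMP/TMP sit under SystemRoot on purpose: that is where LocalSystem's temp
# directory lives, and it is why the allowlist alone is not enough.
ENV = {
    "ProgramFiles": r"C:\Program Files",
    "SystemRoot": r"C:\WINDOWS",
    "TEMP": r"C:\WINDOWS\Temp",
    "TMP": r"C:\WINDOWS\Temp",
}

_VAR = re.compile(r"%([^%]+)%")


def expand(path, env):
    """Expand %VAR% references case-insensitively; unknown names are left as-is."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def canonical(path):
    """Normalise for comparison: collapse '.'/'..' and doubled separators,
    turn '/' into '\\', lower-case, and force one trailing backslash so that a
    prefix test stops at a directory boundary ('Program Files2' must not match
    'Program Files')."""
    p = ntpath.normcase(ntpath.normpath(path))
    return p.rstrip("\\") + "\\"


def is_under(path, root):
    return canonical(path).startswith(canonical(root))


def execution_allowed(path, env=ENV):
    """Return True if the policy would let this image run.

    Deny rules are evaluated before allow rules, so a temp directory that
    happens to live inside an allowed root is still blocked.
    """
    path = expand(path, env)
    if not ntpath.isabs(path):
        # A relative path resolves against the caller's working directory,
        # which the policy cannot reason about; refuse it outright.
        return False
    if any(is_under(path, env[v]) for v in ("TEMP", "TMP")):
        return False
    return any(is_under(path, env[v]) for v in ("ProgramFiles", "SystemRoot"))


# Constructed sample image paths, including the two from the message.
SAMPLES = [
    r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE",  # legitimate Word
    r"C:\~.exe",                                                # dropper as observed
    r"%TEMP%\~.exe",                                            # the variant the author expected
    r"C:\WINDOWS\..\~.exe",                                     # traversal out of an allowed root
    r"c:\windows\system32\cmd.exe",                             # case differs from env value
    r"C:\Program Files2\evil.exe",                              # prefix collision attempt
    r"~.exe",                                                   # relative path
]


def evaluate(paths=SAMPLES, env=ENV):
    """Map each sample path to the policy verdict."""
    return {p: execution_allowed(p, env) for p in paths}


if __name__ == "__main__":
    for p, ok in evaluate().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {p}")
```

Lexical normalisation is the easy half. A real enforcement point (the HIPS the author has in mind, or Software Restriction Policies / AppLocker on later Windows) also has to resolve 8.3 short names, junctions and symlinks before comparing, treat any subdirectory of an allowed root that the user can write to as effectively excluded, and be applied to DLL loading and script hosts as well as to process creation, otherwise the allowlist is bypassed by loading code from a writable location via an allowed host.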
Current thread:
- We got owned by the Chinese and didn't even get a "lessons learned" Dave Aitel (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Joanna Rutkowska (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Nicolas RUFF (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Joanna Rutkowska (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" val smith (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Nicolas RUFF (May 25)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" mark (May 25)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Nicolas RUFF (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Joanna Rutkowska (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Martin Johns (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Etaoin Shrdlu (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Andrew Simmons (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Halvar Flake (May 24)
- Re: We got owned by the Chinese and didn't even get a "lessons learned" Etaoin Shrdlu (May 24)
- air gap vs. covert channels (was: We got owned by the Chinese...) Joanna Rutkowska (May 24)