Firewall Wizards mailing list archives
Re: Spyware mumbo jumbo and bigger woes
From: "J. Oquendo" <sil () politrix org>
Date: Thu, 2 Dec 2004 14:43:28 -0500 (EST)
firewall-wizards () honor icsalabs com
Modifying or substituting hosts.txt is common to browser hijacking spyware and spyware that install RATs. Pestpatrol identifies NetBus and the "paradise" family among spyware that monkey with hosts files. Coolwebsearch variants are notorious for this. Merijn's written an extensive investigation into CWS at http://www.spywareinfo.com/~merijn/cwschronicles.html
One of the things that surprises me since no one has done it to my knowledge yet (YET), is created an entire replica of an operating system's "Updates" page and used it in conjunction with the hosts files. I'm sure many have seen the phishing scams with obfuscated URLs, but how long until someone wisens(evils) up and creates a replica in conjunction with hosts files and scams a couple of thousand people into sending priceless information to some shmuck with too much time on his/her hands.

echo "10.10.1.1 www.citibank" >> /path/to/hosts

Whereafter a URL will not be obfuscated but show up as citibank.com on an address bar. Hell, they could create an entire SSL based replica and do so, and I know many would fall for it.

On the flip side of spyware/scumware/wormware/*foo*, I ran across what I believe is an irftp based worm. While cleaning two laptops one day (one connected to a secure VLAN, the other not connected), I noticed the connected machine flash its irftp sensor and task manager showed it was running. A few seconds later the connected machine stopped beeping, the disconnected one started, and it too showed irftp sessions. After checking around the premises for infrared *anything*, I dug up all I could from both machines. The disconnected machine had already been cleaned, and the connected one was infected with all sorts of SDBOT worms, Spyware, *crapware*foo*. Something to think about if you're sitting in the park one day disconnected from any network and someone's infected machine sends you via IRFTP some crap.

irftp c:\infectious_garbage \\innocent_victim\somedir /h

Who knows. I'm almost positive something like this is what happened. Combined with another Windows command I won't mention, I believe it's possible to have that machine run whatever you would want it to.

J. Oquendo / sil
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D
sil @ politrix . org http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net
"How can we account for our present situation unless we believe that men high in this government are concerting to deliver us to disaster?" Joseph McCarthy, "America's Retreat from Victory"
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
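A defender's counterpart to the hosts-file trick discussed above, as an added example that is not part of the original post or thread: a small auditor that parses a hosts file and flags any watchlisted domain (banking, OS update) that has been pointed at a real address rather than a loopback or 0.0.0.0 sinkhole. The sample hosts content and the WATCHLIST set are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file content (not taken from any real machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.10.1.1       www.citibank.com citibank.com
10.10.1.1       windowsupdate.microsoft.com
0.0.0.0         ad.doubleclick.net   # blocklist entry, benign
"""

# Hypothetical watchlist: domains a workstation should never resolve via hosts.
WATCHLIST = {"citibank.com", "microsoft.com", "windowsupdate.com"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first token is not an address: ignore the line
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs


def is_sinkhole(ip: str) -> bool:
    """Loopback or unspecified addresses are the usual benign blocklist targets."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def matches_watchlist(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Map each non-sinkhole address to the watchlisted names hijacked to it."""
    findings: Dict[str, List[str]] = {}
    for ip, name in parse_hosts(text):
        if matches_watchlist(name) and not is_sinkhole(ip):
            findings.setdefault(ip, []).append(name)
    return findings


if __name__ == "__main__":
    for ip, names in audit_hosts(SAMPLE_HOSTS).items():
        print(f"suspicious hosts mapping: {ip} -> {', '.join(names)}")
```

On a real host, read the platform's hosts file (e.g. %SystemRoot%\System32\drivers\etc\hosts or /etc/hosts) into `audit_hosts` and alert on any non-empty result.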