Firewall Wizards mailing list archives

Re: Spyware mumbo jumbo and bigger woes


From: "J. Oquendo" <sil () politrix org>
Date: Thu, 2 Dec 2004 14:43:28 -0500 (EST)


firewall-wizards () honor icsalabs com

Modifying or substituting hosts.txt is common to browser hijacking
spyware and spyware that install RATs. Pestpatrol identifies NetBus
and the "paradise" family among spyware that monkey with hosts files.
Coolwebsearch variants are notorious for this. Merijn's written an
extensive investigation into CWS at
http://www.spywareinfo.com/~merijn/cwschronicles.html

One of the things that surprises me since no one has done it to my
knowledge yet (YET), is created an entire replica of an operating system's
"Updates" page and used it in conjunction with the hosts files. I'm sure
many have seen the phishing scams with obfuscated URLs, but how long
until someone wisens(evils) up and creates a replica in conjunction with
hosts files and scams a couple of thousand people into sending priceless
information to some shmuck with too much time on his/her hands.

echo "10.10.1.1    www.citibank" >> /path/to/hosts

Whereafter a URL will not be obfuscated but show up as citibank.com on an
address bar. Hell, they could create an entire SSL based replica and do so
and I know many would fall for it.

On the flip side of spyware/scumware/wormware/*foo*, I ran across what I
believe is an irftp based worm. While cleaning two laptops one day (one
connected to a secure VLAN the other not connected), I noticed the
connected machine flash its irftp sensor and task manager showed it was
running. A few seconds later the connected machine stopped beeping, the
disconnected one started, and it too showed irftp sessions. After checking
around the premises for infrared *anything*, I dug up all I could from
both machines. The disconnected machine had already been cleaned, and the
connected one was infected with all sorts of SDBOT worms, Spyware,
*crapware*foo*.

Something to think about if you're sitting in the park one day disconnected
from any network and someone's infected machine sends you via IRFTP some
crap.

irftp c:\infectious_garbage \\innocent_victim\somedir /h

Who knows. I'm almost positive something like this is what happened.
Combined with another Windows command I won't mention, I believe it's
possible to have that machine run whatever you would want it to.


J. Oquendo / sil

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How can we account for our present situation unless we
believe that men high in this government are concerting
to deliver us to disaster?" Joseph McCarthy "America's
Retreat from Victory"
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
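The hosts-file tampering the post describes (spyware pointing bank or vendor-update names at an attacker-chosen address) is easy to audit for. Below is an added example, not from the post or the list, of a small hosts-file auditor in Python; the sample file content, the watched domain list and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample hosts file resembling a tampered one (assumption: not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.10.1.1       www.citibank.com citibank.com
10.10.1.1       windowsupdate.microsoft.com
127.0.0.1       www.symantec.com
0.0.0.0         ads.example.net
"""

# Names that a local hosts entry should never override; extend for your environment (assumed list).
WATCHED_SUFFIXES = ("windowsupdate.microsoft.com", "citibank.com", "symantec.com")

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()

def is_local(ip):
    """True for loopback/unspecified addresses, the only ones a clean hosts file normally holds."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def audit_hosts(text):
    """Return (ip, hostname, reason) for watched names overridden at all and other names sent off-host."""
    findings = []
    for ip, name in parse_hosts(text):
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        if watched:
            findings.append((ip, name, "watched domain overridden"))
        elif not is_local(ip):
            findings.append((ip, name, "non-local address"))
    return findings

if __name__ == "__main__":
    for ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{reason}: {name} -> {ip}")
```

Feed it the real file (C:\Windows\System32\drivers\etc\hosts or /etc/hosts) instead of SAMPLE_HOSTS; a watched name mapped even to 127.0.0.1 is flagged because spyware also uses that trick to block vendor update sites.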
