Full Disclosure mailing list archives

Re: Viral infection via Serial Cable


From: James Tucker <jftucker () gmail com>
Date: Tue, 31 Aug 2004 10:35:02 +0100

If you want to check to see if the system has the MS TCP/IP stack
running on the port, boot the machine and look in the network
connections folder. You will see an "incoming connections" connection
listed. If this is present (I doubt it, but anything is possible) then
turn on IPSec for the connection and ban all unused ports and
protocols. If you don't know what ports the (CAD/CAM) application is
using, try netstat. If you don't see any "incoming connections" and
are _still_ worried you can try ipconfig /all. Still worried? Connect
to the RS232 using HyperTerminal, see what the response is like.

On Mon, 30 Aug 2004 20:17:38 -0500 (CDT), J.A. Terranson <measl () mfn org> wrote:
> You are confusing the different layers.  There is no difference (to a
> virus) between a fiber, a cat-5, a serial cable, etc.  These are all
> layer-1 choices.

Um, are we forgetting that the box on the end is Windows 2000, and
what do we know about Windows 2000 and IP stacks on RS232 ports? (they
don't natively exist by default)
:)

> Moving up the stack, the answer to your question is a qualified "yes": if
> the serial port is configured as a data transport which the virus can see,
> then propagation across it is possible.  And, for the record, there are a
> variety of serial-port based LANs.

Sure, but you can only move up a stack which exists.

Given that there should be no applications on the other end of the
RS232 apart from the CAD/CAM control program (one would hope; this
would be considered 'normal'), the only hackable device should be that
program. It's not unlikely that the program in question could be set
to perform destructive actions; a lot of industrial software of this
type is not well written and buffers certainly don't always get
checked. This would require a custom hack though; I don't know of any
viruses that carry protocol definitions for RS232 CAD/CAM programs.

On Tue, 31 Aug 2004 15:19:29 +1200, Stuart Fox (DSL AK)
<stuartf () datacom co nz> wrote:
> If the worm simply expects to see "a network transport" then the
> answer would be yes.

It's only yes if both ends talk the same language; the CAD/CAM unit
should not be running a "network" protocol unless the developers 1)
did something really stupid, or 2) decided they didn't care about high
levels of overhead.



There are also many people who believe that mission-critical systems
which do not rely on the Internet should always be disconnected from
it. I would certainly agree in this case, if you are still worried
about it.

>   "...justice is a duty towards those whom you love and those whom you do
>   not.  And people's rights will not be harmed if the opponent speaks out
>   about them."      Osama Bin Laden
Define justice and duty in a Western manner and this sounds OK; but then
that's not what he means, is it?

>   "There ought to be limits to freedom!"    George Bush
Not to defend the guy, he makes a lot of stupid comments and
decisions; however, he is talking about laws and he is not wrong: there
are many people in the world who need certain freedoms removed. How
about they learn to remove the freedom of gun ownership.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
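The checks James describes at the top of the post (look for an "Incoming Connections" object, then netstat and ipconfig /all) are manual. As an added example, not from the post or from any poster, here is a small Python triage that does the same thing offline on captured command output: it flags a PPP/RAS interface in `ipconfig /all` output (which is what an "Incoming Connections" object shows up as; the adapter label used in the sample is the one Windows 2000/XP prints for it and is an assumption here) and lists listening sockets in `netstat -an` output that are not on an allow-list of the CAD/CAM program's ports. Both command outputs are constructed samples, and the assumption that the CAD/CAM program listens on TCP 5000 is hypothetical; on a real host, paste the live output in. Windows 2000's netstat has no `-o` switch, so the allow-list is by port, not by process.

```python
"""Added example (not from the original post): offline triage of a Windows 2000
host for an IP stack bound to a RAS/serial "Incoming Connections" interface and
for listening ports outside a CAD/CAM allow-list."""
import re

# Constructed sample of `ipconfig /all` from a host that has an "Incoming
# Connections" object. The PPP adapter label is assumed to be the one Windows
# prints for that interface; all addresses are made up.
IPCONFIG_SAMPLE = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : cadcam01

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : 3Com 3C905 TX
        IP Address. . . . . . . . . . . . : 10.1.2.30
        Subnet Mask . . . . . . . . . . . : 255.255.255.0

PPP adapter RAS Server (Dial In) Interface:

        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        IP Address. . . . . . . . . . . . : 192.168.50.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
"""

# Constructed sample of `netstat -an` on the same host (no -o on Windows 2000,
# so no process names; the allow-list below is therefore by port).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    10.1.2.30:139          0.0.0.0:0              LISTENING
  TCP    10.1.2.30:5000         10.1.2.77:1043         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.50.1:137       *:*
"""

# Hypothetical: the CAD/CAM control program is assumed to listen on TCP 5000.
CADCAM_PORTS = {("TCP", 5000)}


def ras_interfaces(ipconfig_text):
    """Return (adapter label, IP address) for every PPP adapter in `ipconfig /all`
    output. A PPP adapter on a box with no modem or VPN means IP is bound to a
    serial/dial-in (RAS) interface, i.e. an "Incoming Connections" object exists."""
    found = []
    current = None
    for line in ipconfig_text.splitlines():
        m = re.match(r"^(\S.*adapter .+):\s*$", line)
        if m:
            current = m.group(1) if line.startswith("PPP adapter") else None
            continue
        m = re.match(r"^\s+IP Address[ .]*: (\S+)", line)
        if m and current:
            found.append((current, m.group(1)))
    return found


def unexpected_listeners(netstat_text, allowed):
    """Return (proto, addr, port) for listeners in `netstat -an` output that are
    not in `allowed`. TCP counts only in LISTENING state; every UDP socket counts."""
    suspects = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue
        addr, _, port = local.rpartition(":")  # port is the text after the last colon
        if (proto, int(port)) not in allowed:
            suspects.append((proto, addr, int(port)))
    return suspects


def triage(ipconfig_text, netstat_text, allowed=CADCAM_PORTS):
    """Combine both checks. `ras_bound` is the point of the post: True only if an
    IP interface actually exists on the RAS/serial side. `reachable_over_ras` are
    the unexpected listeners bound to that address or to 0.0.0.0 (which covers it);
    those are what an IPSec filter on the incoming connection should block."""
    ras = ras_interfaces(ipconfig_text)
    ras_ips = {ip for _, ip in ras}
    suspects = unexpected_listeners(netstat_text, allowed)
    on_ras = [s for s in suspects if s[1] in ras_ips or s[1] == "0.0.0.0"]
    return {"ras_bound": bool(ras), "ras_interfaces": ras,
            "unexpected": suspects, "reachable_over_ras": on_ras}


if __name__ == "__main__":
    for key, value in triage(IPCONFIG_SAMPLE, NETSTAT_SAMPLE).items():
        print(key, value)
```

If `ras_interfaces` returns nothing, there is no IP transport on the serial side and the stack-based worm scenario in the thread does not apply; the remaining listeners are only reachable over the Ethernet adapter. If it does return a PPP adapter, the `reachable_over_ras` list is the set of ports to ban with the IPSec filter James suggests before worrying about the CAD/CAM program itself.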

