Full Disclosure mailing list archives

Re: IMLogic telling porkies about Yahoo


From: "Mary Landesman" <mlande () bellsouth net>
Date: Fri, 14 Oct 2005 19:51:32 -0400

Yahoo IM has yet to have an IM worm on its network

There has been no Yahoo IM worm, period.

Both quotes from your blog post. And I answered both your own statements:
YIM has had worms and there have been Yahoo IM worms, period.

But since the vast majority of IM worms don't send binaries, I'd be curious
to know exactly what role your honeypots play. Are these Yahoo's honeypots,
sniffing traffic looking for suspicious chat messages - or are they confined
to your own chat sessions with friends? Also, doesn't Yahoo IM first try
server brokering but resort to server proxy if the first attempt fails? If
so, how can you be sure how much traffic your honeypot is even seeing,
assuming it's a Yahoo honeypot and not a homegrown sniff-your-own?

-- Mary

----- Original Message ----- 
From: "n3td3v" <xploitable () gmail com>
To: <full-disclosure () lists grok org uk>
Sent: Friday, October 14, 2005 6:58 PM
Subject: Re: [Full-disclosure] IMLogic telling porkies about Yahoo


There's a difference between capability to attack on Yahoo and attacks
actually happening. I have yet to see any active worms on Yahoo IM
network. Most of my honeypots are all bursting with phishing attempts
trying to get the user account, falling short of the worm claims.

You're aware of those worms by seeing them on your honeypots or have
you simply compiled that list from searching the internet?

On 10/14/05, Mary Landesman <mlande () bellsouth net> wrote:
I can't speak to the IMLogic figures, but these are a few Yahoo IM worms
of which I am aware.

Guap.a
Gunsan
Lile.a
Oscabot.k
StarGames
Velkbot.a
Yimp.a
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
