Re: netbios vuln

[H C <keydet89 () yahoo com>]

Since you didn't sign the message, I don't know who to
address it to...but here goes...

Don't get hung up over the reference to NetBIOS. 
Articles in the media aren't generally written by
folks who know or are able to accurately describe what
really happened.  This mysterious "NetBIOS
vulnerability" could easily be something as simple as
poorly protected file sharing...ie, no passwords. 
Just b/c the "news" article appears in 2002, it
doesn't mean that it's a "new" vulnerability.

If you really wanted to know what vulnerability is,
try tracking down a copy of the "FB3" code...


--- ohnonono () hushmail com wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> I posted this question to the list 3 weeks ago but
> the moderator failed to act on my post and thus it
> was returned to me.  I have been a ridicilious
> amount of netbios traffic at my main firewall.  This
> morning I read this article.  It seems to hint at a
> way to run arbitarty code via netbios, now my
> question is does anyone know anything about this; is
> anyone seeing the netbios traffic and finally is it
> just the author of the article (who is not a
> security writer like a brian mcwillaims or a thomas
> greene) didnt really understand what was going on? 
> This was from the securitynewsportal site.
>
> Thanks
>
> A teenage hacker attacked an online chatroom run by
> The Edge radio station and then turned his attention
> to TV3's website. The 15-year-old, who goes by the
> online name of "deejay-fuzion" and attends Roturua
> Lakes High School, rang the Herald to brag about his
> exploits. Asked why he launched a "DDOS"
> (distributed denial of service) attack against the
> chatroom on Monday night, he said: "Because the
> administrator was ... just being a smart arse."
> "Dj-fu" signalled his "bots" to flood the chatroom
> computer with spurious internet traffic, causing the
> server to slow down and eventually stop.   During
> the process he noticed other servers belonging to
> TV3 were in the same proximity so he tried his
> attack on TV3's website - "just because I could".
> (Radioworks, which owns the Edge, and TV3 have the
> parent company CanWest).   TV3 communications
> manager Roger Beaumont confirmed The Edge chat
> server had a DDOS attack and was offline for a short
> period. But he said it was coincidence that 
>  TV3's website was offline on Tuesday for routine
> maintenance. Will Steele, a friend of the
> 15-year-old who was online at the time, said the TV3
> site was unavailable during the attack and the
> "routine maintenance" message appeared on the site
> after the attack ended at 9.45pm. That was when the
> hacker was taken offline by his internet provider,
> Quicksilver.
>
> Its network manager Mark Frater said two individuals
> were disconnected on Monday night after the internet
> provider received a complaint from a server
> administrator. When contacted by Quicksilver, both
> denied knowledge of an attack and had their internet
> accounts reinstated. Quicksilver manager Trevor
> Isted said there was no proof to link the pair to
> the attack. Usage logs were being investigated, and
> if evidence was found, the pair would be banned from
> access for breaching the internet provider's
> acceptable use policy. The teenager claims to have
> written a trojan program called "FB3" with a friend
> known online as "lynx". The program exploits a
> "Netbios" vulnerability in Windows PCs related to
> file and print sharing, to plant itself on
> unsuspecting users' computers. The infected
> computers (bots - short for robots) signal their
> presence to a computer in the United States which
> the teenager uses to send out the instructions to
> attack. In this case the method of attack was a "SYN
>   flood" - an efficient process which fakes the
> initial handshake of an internet connection with
> false addresses which the target Machine is unable
> to answer.  It keeps retrying to accept them, and
> with enough of these happening, a server can become
> overwhelmed.   New anti-hacking provisions -
> including clauses covering DDOS attacks - in the
> Crimes Amendment Bill are waiting to be introduced
> to Parliament.    But the hacker would be immune
> from prosecution because he is only 15
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.2 (Java)
> Note: This signature can be verified at
> https://www.hushtools.com/verify
wl0EARECAB0FAj3wuNMWHG9obm9ub25vQGh1c2htYWlsLmNvbQAKCRAuXN+1lPsfqSgh
>
AJ9KSph4ZPYS+x9o8iWlsdJy11TBcwCgmGYUvx4bjHy7/bOxVWtjDrZ/54o=
> =JfiS
> -----END PGP SIGNATURE-----
>
>
>
>
> Concerned about your privacy? Follow this link to
> get
> FREE encrypted email: https://www.hushmail.com/?l=2 
>
> Big $$$ to be made with the HushMail Affiliate
> Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427
>
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS
> analyzer service.
> For more information on this free incident handling,
> management 
> and tracking system please see:
> http://aris.securityfocus.com


__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com