Security Incidents mailing list archives
Re: Possible Mail server compromise ?
From: "Faas M. Mathiasen" <faas.m.mathiasen () googlemail com>
Date: Tue, 26 Feb 2008 17:19:58 +0100
Hi all, Actually my reply was - intended to be private and secondly wasn't even finished (made a whoopsie - and the mail went off) the phrase actually was intended to go like: Have you ever coded an exploit that checks whether it's in a VM and then decides to take another execution path ? I heard of multi-payload exploits capable of doing so, but I'm not sure.. Sorry if this lead to confusion. Regards, Faas On Fri, Feb 22, 2008 at 1:38 AM, Richard C Lewis <chad () mr-lew com> wrote:
Okay everyone, let's take a break from the keyboard, have an adult beverage of your choice and remind ourselves of the PURPOSE of this list... Sharing of information... The "Have you ever coded an exploit?" and "My ____ is bigger than your ____" attitude doesn't serve to IMPROVE our profession. IF someone really is clueless in their response(s), why not include some data/proof to back up the argument that they are wrong? This way everyone gets a little education in the process and at the very least gets to see a different point of view or approach to achieving their objective. My .02, Chad -----Original Message----- From: Faas M. Mathiasen [mailto:faas.m.mathiasen () googlemail com] Sent: Thursday, February 21, 2008 5:50 AM To: Peter Kosinar Cc: incidents () securityfocus com Subject: Re: Possible Mail server compromise ? Dear Peter, > Wrong Have you ever coded an exploit ? On Thu, Feb 21, 2008 at 12:07 AM, Peter Kosinar <goober () ksp sk> wrote: > > Nope, you have to distinguish between a sandbox (code is run) to an AV > > scanner scanning code in a VM, when the av scanner scans the code, the > > code is not executed and cannot decide whether it is inside a VM =) > > Wrong. This would be true only if the AV didn't have the parsing bug in > the first place. If the AV is buggy and allows some form of arbitrary code > execution, the attacker -does- have the code executed inside the VM; and > nothing stands in his way of detecting whether it's a real machine or not. > If, on the other hand, the AV was not vulnerable... then, what would be > the gain of running it inside a VM? :-) > > Peter > > -- > [Name] Peter Kosinar [Quote] 2B | ~2B = exp(i*PI) [ICQ] 134813278 > > >
Current thread:
- Re: Possible Mail server compromise ?, (continued)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)
- Re: Possible Mail server compromise ? Valdis . Kletnieks (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 21)
- Re: Possible Mail server compromise ? Paul Schmehl (Feb 21)
- Re: Possible Mail server compromise ? Jon Oberheide (Feb 20)
- Re: Possible Mail server compromise ? Valdis . Kletnieks (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)
- Re: Possible Mail server compromise ? Peter Kosinar (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 21)
- RE: Possible Mail server compromise ? Richard C Lewis (Feb 22)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 26)
- Re: Possible Mail server compromise ? Eduardo Tongson (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)
- Re: Possible Mail server compromise ? Eduardo Tongson (Feb 21)