[fw-wiz] Re: Spyware mumbo jumbo and bigger woes

From: J. Oquendo (sil_at_politrix.org)
Date: 12/02/04

  • Next message: Jim Seymour: "Re: [fw-wiz] smtp proxy on firewall"
    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 2 Dec 2004 14:43:28 -0500 (EST)

    > Modifying or substituting hosts.txt is common to browser hijacking
    > spyware and spyware that install RATs. Pestpatrol identifies NetBus
    > and the "paradise" family among spyware that monkey with hosts files.
    > Coolwebsearch variants are notorious for this. Merijn's written an
    > extensive investigation into CWS at
    > http://www.spywareinfo.com/~merijn/cwschronicles.html

    One of the things that surprises me since no one has done it to my
    knowledge yet (YET), is created an entire replica of an operating system's
    "Updates" page and used it in conjunction with the hosts files. I'm sure
    many have seen the phishing scams with obfuscated URLs, but how long
    until someone wisens(evils) up and creates a replica in conjunction with
    hosts files and scams a couple of thousand people into sending priceless
    information to some shmuck with too much time on his/her hands.

    echo "10.10.1.1 www.citibank" >> /path/to/hosts

    Whereafter a URL will not be obfuscated but show up as citibank.com on an
    address bar. Hell, they could create an entire SSL based replica and do so,
    and I know many would fall for it.

    On the flip side of spyware/scumware/wormware/*foo*, I ran across what I
    believe is an irftp based worm. While cleaning two laptops one day (one
    connected to a secure VLAN, the other not connected), I noticed the
    connected machine flash its irftp sensor and task manager showed it was
    running. A few seconds later the connected machine stopped beeping, the
    disconnected one started, and it too showed irftp sessions. After checking
    around the premises for infrared *anything*, I dug up all I could from
    both machines. The disconnected machine had already been cleaned, and the
    connected one was infected with all sorts of SDBOT worms, Spyware,
    *crapware*foo*.

    Something to think about if you're sitting in the park one day disconnected
    from any network and someone's infected machine sends you via IRFTP some
    crap.

    irftp c:\infectious_garbage \\innocent_victim\somedir /h

    Who knows. I'm almost positive something like this is what happened.
    Combined with another Windows command I won't mention, I believe it's
    possible to have that machine run whatever you would want it to.

    J. Oquendo / sil

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    J. Oquendo
    GPG Key ID 0x51F9D78D
    Fingerprint 2A48 BA18 1851 4C99

    CA22 0619 DB63 F2F7 51F9 D78D
    http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

    sil @ politrix . org http://www.politrix.org
    sil @ infiltrated . net http://www.infiltrated.net

    "How can we account for our present situation unless we
    believe that men high in this government are concerting
    to deliver us to disaster?" Joseph McCarthy "America's
    Retreat from Victory"
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
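
The hosts-file tampering described in the message above, as an added defender's check that is not part of the original post or its author's code: it parses a hosts file and flags entries that pin a non-local hostname to anything other than a loopback or unspecified address, which is how a redirect like the citibank example would show up. The sample hosts content is constructed for the example.

```python
import ipaddress

# Constructed sample hosts file (not real data): ordinary loopback lines,
# a blocklist-style 0.0.0.0 entry, and the kind of redirect the message
# describes (a bank hostname pointed at an attacker-controlled address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost ip6-localhost
10.10.1.1       www.citibank
10.10.1.1       www.citibank.com citibank.com  # redirect to a replica
0.0.0.0         ads.example.net
"""

# Hostnames that legitimately map to local addresses.
LOCAL_NAMES = {"localhost", "ip6-localhost", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (address, [hostnames]) for each non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop full-line and inline comments
        fields = line.split()
        if len(fields) < 2:                   # blank line or address with no names
            continue
        entries.append((fields[0], fields[1:]))
    return entries


def suspicious_entries(text):
    """Return (address, hostname, reason) for entries that look like hijacks."""
    findings = []
    for addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append((addr_text, " ".join(names), "unparseable address"))
            continue
        # Loopback and 0.0.0.0 targets are the usual benign cases: local
        # services and ad/host blocklists. Anything else pins a name to a
        # real host, which a browser will trust without any URL obfuscation.
        if addr.is_loopback or addr.is_unspecified:
            continue
        kind = "private" if addr.is_private else "public"
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                findings.append((addr_text, name, "pinned to %s address" % kind))
    return findings
```

On a real system point it at /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts and review every finding; legitimate intranet pins will appear too, so the list is a review queue, not a verdict.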

