RE: [Full-Disclosure] Backdoor not recognized by Kaspersky

From: Larry Seltzer (larry_at_larryseltzer.com)
Date: 03/04/04

  • Next message: Lachniet, Mark: "[Full-Disclosure] E-mail spoofing countermeasures (Was: Backdoor not recognized by Kaspersky)"
    To: "'Thor Larholm'" <thor@pivx.com>, "'Mike Barushok'" <mikehome@kcisp.net>, <full-disclosure@lists.netsys.com>
    Date: Wed, 3 Mar 2004 19:01:30 -0500

    >> if you can read the user's login credentials to his corporate mailserver you are far
    >> better off.

    Rather casually put. How would you do this? I've heard how Swen asks the user for their
    credentials, but if you know a general crack for obtaining them I'd say that's news.

    Larry Seltzer
    eWEEK.com Security Center Editor
    http://security.eweek.com/
    larryseltzer@ziffdavis.com

    -----Original Message-----
    From: Thor Larholm [mailto:thor@pivx.com]
    Sent: Wednesday, March 03, 2004 6:47 PM
    To: Larry Seltzer; Mike Barushok; full-disclosure@lists.netsys.com
    Subject: RE: [Full-Disclosure] Backdoor not recognized by Kaspersky

    SMTP authentication will not do much to stop viruses from spreading. Some viruses are
    already moving away from just implementing their own SMTP server to reusing whatever
    SMTP credentials you have on your machine. Having your own SMTP engine is a nice
    fallback solution just in case, but if you can read the user's login credentials to his
    corporate mailserver you are far better off.

    Imagine us all implementing SPF, Caller ID or Domain Keys - what would happen? We would
    all have to use a mail server that has implemented one of these 'solutions'. Naturally,
    virus writers would then just reuse your SMTP login credentials to spew their virus
    through that same MTA.

    Another quick workaround to SPF, Caller ID and Domain Keys has already been implemented
    by spammers for a year or so. The only premise behind S/C/D is that you are trusted if
    you have access to a DNS server. Spammers are using compromised machines not only as
    SMTP servers, but also web servers and DNS servers. The end result is that spammers have
    already completely circumvented all three solutions way before they were ever
    implemented.

    Regards

    Thor Larholm
    Senior Security Researcher
    PivX Solutions
    24 Corporate Plaza #180
    Newport Beach, CA 92660
    http://www.pivx.com
    thor@pivx.com
    Phone: +1 (949) 231-8496
    PGP: 0x5A276569
    6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

    PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of Qwik-Fix
    <http://www.qwik-fix.net>

    -----Original Message-----
    From: Larry Seltzer [mailto:larry@larryseltzer.com]
    Sent: Wednesday, March 03, 2004 1:38 PM
    To: 'Mike Barushok'; full-disclosure@lists.netsys.com
    Subject: RE: [Full-Disclosure] Backdoor not recognized by Kaspersky

    >> I feel the need to address the problem from an ISP perspective, since the corporate
    >> and government and other institutional perspective seems to give different answers. And
    >> because the ISP end user problem is still the majority of the reservoir for viruses (and
    >> spam proxy/relay/trojans).

    I really feel for you guys. As I've argued in another thread, I think SMTP
    authentication will likely cut this stuff down to a trickle compared to the current
    volume. As an ISP, how big a problem would you have with that? An even better question:
    Would you have a problem implementing SPF, Caller ID and Domain Keys (i.e. all 3)? It
    gets to the same issue of changing practices for your users: at some point you have to
    either bounce or segregate mail that doesn't authenticate.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

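The point argued in this thread (that SPF only checks whether the connecting host is authorized for the envelope sender's domain, so a worm relaying through the corporate MTA with stolen credentials, or a spammer who runs DNS for his own domain, still gets a pass) can be made concrete with a minimal SPF evaluator. This is an added example, not code from the thread or its participants; the DNS records, domains and addresses are constructed from documentation ranges, and only the ip4 and all mechanisms are implemented.

```python
import ipaddress

# Constructed TXT records standing in for live DNS lookups (assumption: a real
# checker queries DNS; the zone data is embedded here so the example runs offline).
SPF_RECORDS = {
    "corp.example": "v=spf1 ip4:203.0.113.10 -all",        # the corporate MTA
    "spammer.example": "v=spf1 ip4:198.51.100.0/24 -all",  # DNS run by the spammer
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(mail_from_domain, client_ip, records=SPF_RECORDS):
    """Evaluate a subset of SPF (ip4 and all mechanisms) for one SMTP session.

    Returns one of: none, pass, fail, softfail, neutral.
    """
    record = records.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # a, mx, include, ... are not implemented in this example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


def thread_scenarios():
    """The three cases discussed in the thread, expressed as SPF results."""
    return {
        # Worm with its own SMTP engine on a home PC forging a corp.example sender.
        "own_engine_forged_sender": spf_check("corp.example", "192.0.2.77"),
        # Worm reusing the victim's SMTP credentials to relay via the corporate MTA.
        "stolen_creds_via_corp_mta": spf_check("corp.example", "203.0.113.10"),
        # Spammer whose own DNS publishes SPF for a range of compromised hosts.
        "spammer_own_dns": spf_check("spammer.example", "198.51.100.42"),
    }
```

Only the first case fails: an SPF pass means the sending host is authorized for that domain, not that the message or the account behind it is legitimate, which is why outbound rate limits, per-account anomaly detection and content scanning on the authenticated MTA remain necessary.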

