Re: Deloder worm has resurfaced. Watch your privacy!

From: John (Yochanon@yahoo.com)
Date: 03/29/03

  • Next message: Sher-Lock: "Sher-Lock - Total Internet Security Process - Stop On-line Identity Theft!"
    From: John <Yochanon@yahoo.com>
    Date: Sat, 29 Mar 2003 04:00:33 GMT
    
    

    Nick FitzGerald, while drooling on themselves, scribbled:

    > "Kyle Lai" <kyle@kylelai.com> wrote:
    >
    >> DeLoder worm has resurfaced during the past several days. ...
    >
    > "resurfaced" as in "we are seeing a rash of new infections of the
    > original" (which is what "resurfaced" actually means) or as in "there
    > is a new variant of it which is getting some traction".
    >
    >> ... Here is
    >> some info missed by many anti-virus analyses...
    >
    > Not so much "missed by their analyses" as "won't be detected by virus
    > scanners".
    >
    > Now, you're a clever chap Kyle, so can you suggest any reason why an
    > antivirus developer might choose to _not_ detect a legitimate remote
    > control application such as VNC??
    >
    >> Deloder worm leaves a VNC (free remote control software) service
    >> running on the infected systems, and it also sets a VNC password, which
    >> eventually allowed anyone with malicious intent (hackers) to get in
    >> via VNC. There are tens of thousands of Windows 2000 & XP systems out
    >> there that are infected with Deloder (according to CERT, possibly
    >> 140,000 on 3/17/2003).
    >
    > Could you provide a reference for that CERT claim of 140,000 Deloder
    > infections? I recall CERT (and saw it in other reports whose sources I
    > cannot divulge) saying on 11 March that a 140,000+ GT-bot network had
    > been found:
    >
    > http://www.cert.org/advisories/CA-2003-08.html
    >
    >> The password that was set by Deloder was cracked by KLC Consulting
    >> Security Team, ...
    >
    > ...using a simple brute-force VNC password cracker...
    >
    >> ... and the information is available in the article below.
    >> With this password in hand, anyone can detect (not too difficult) and
    >> connect to infected systems and watch the computer screen, take over
    >> the keyboard and mouse control, or just spy on every single keystroke
    >> and mouse move by the infected users. Watch out, and protect your
    >> privacy!
    >
    > And without your article, very few people would have taken the time or
    > effort to crack the password. So, the upshot of your "work" is that
    > many more people can now easily take advantage of the existence of what
    > you claim (CERT claims) is a 140,000 strong network of machines
    > unknowingly running VNC with this configuration.
    >
    > Why did you not include download and operating instructions for
    > obtaining and using a port scanner? Then even those readers who may be
    > too dense to know how to do that can join the ranks of the "hacker
    > wannabes" your analysis has just assisted.
    >
    > I am interested in how you justify your membership of the ISSA in light
    > of its code of ethics:
    >
    > http://www.issa.org/codeofethics.html
    >
    > and your actions in publicly releasing the VNC password used by Deloder.
    > I see your actions as contrary to all but the last two of the items in
    > that code, specifically:
    >
    > * Perform all professional activities and duties in accordance with
    > the law and the highest ethical principles;
    >
    > As no formal list of "the highest ethical principles" is given, my
    > highest ethical principles must be considered as suitable as the basis
    > for comparison. As I would not have released that information because
    > doing so would violate my ethical principles, your releasing the
    > information puts you in breach of that point of the ISSA's code.
    >
    > * Promote good information security concepts and practices;
    >
    > As your actions are in breach of "good security concepts and practices"
    > (by being in breach of other items in the ISSA's ethical code) you are,
    > obviously, also in breach of this one because acting in the role as an
    > information security professional and publicly promoting yourself
    > through your unethical acts cannot be seen as promoting good practice.
    >
    > * Maintain the confidentiality of all proprietary or otherwise
    > sensitive information encountered in the course of professional
    > activities;
    >
    > The password to an illicitly installed system backdoor, present by your
    > own estimates or those of another professional or body whose opinion you
    > respect on 140,000+ machines on the public Internet is sensitive
    > information. You clearly became aware of this in the course of your
    > professional activities.
    >
    > * Discharge professional responsibilities with diligence and
    > honesty;
    >
    > You seem to have posted this message, and put your analysis on your web
    > site with diligence and honesty, but as doing so _with the report of the
    > otherwise secret VNC password_ constituting a breach of ethics, your
    > professional responsibilities have not been discharged diligently (you
    > missed that your attempts at self-aggrandizement through publishing more
    > detail than anyone else was unethical).
    >
    > * Refrain from any activities which might constitute a conflict of
    > interest or otherwise damage the reputation of employers, the
    > information security profession, or the Association;
    >
    > Need I spell out why you are in breach of this one?
    >
    > Of course, there are probably other professional organizations with similar
    > ethical codes to which you are affiliated -- I didn't bother to check.
    >
    > I wonder if you have enough conviction to report yourself to the ISSA
    > (and any other organizations to which you affiliate yourself whose ethical
    > codes you will also likely have broken) and resign your membership?
    >
    > Oh, and you'd better report yourself to (ISC)2 for an ethics review
    > panel hearing to consider revoking your CISSP:
    >
    > https://www.isc2.org/cgi/content.cgi?category=12
    >
    >> The article below also has methods of detection, fixes, and
    >> recommendation for protections against future worm/Trojan attacks.
    >
    > It also recklessly exposes information better not made public.
    >
    > There are good reasons why measured analyses of Deloder do not include
    > the password information. Further, there are compelling ethical
    > reasons for them to not include that information. The rest of your
    > analysis is a good and useful contribution, but it and your ethical
    > reputation are spoiled by a couple of sentences.
    >
    >
    > --
    > Nick FitzGerald

      What a crock! S/he put it out, because if left up to "them" (those who are
    supposed to fix the 'problem'), they'd never get off their asses until 6 months
    from now! As a matter of fact, M$ has said themselves they won't be 'fixing'
    some exploit/bug/security flaw in NT4, because it's just too much of a pain in
    the *** (essentially).
      These things need to be exposed, so that the companies who make these
    apps/software quit hiring sloppy/lazy script kiddies, and get back to
    *QUALITY*, not 'how fast can you guys turn this out so we can sell it?'. Funny
    how the open-source community gets right on these kinds of things almost
    instantly; meanwhile, M$ and its crony companies sit on it to 'see if it's as
    bad as it might be'. Pretty pathetic.

      John

    -- 
    My penguin eats butterfly's.
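
    A practitioner reading Kyle's description above would first want to know which
    of their own hosts expose a VNC listener and whether that listener demands any
    authentication at all. The following is an added example for that check; it is
    not code from this thread or from any Deloder analysis. It assumes the default
    VNC display port 5900 (a parameter), speaks only the public RFB handshake
    (version exchange, then the server's security-type message), and never
    attempts a password, so it neither needs nor uses the password the thread
    argues about. The sample handshakes at the bottom are constructed, not captured.

```python
"""Added example: detect hosts exposing a VNC (RFB) listener and report
whether the server requires VNC authentication. Not from the thread or
from any Deloder analysis. Assumptions: default display port 5900 and
RFB 3.3 / 3.7 / 3.8 servers; no password is ever sent."""
import socket
import struct

# RFB 3.3: the server sends a single 4-byte big-endian security type.
RFB33_SECURITY = {0: "invalid", 1: "none", 2: "vnc-auth"}
# RFB 3.7/3.8: a count byte followed by one byte per offered type.
RFB37_SECURITY = {1: "none", 2: "vnc-auth", 5: "ra2", 16: "tight",
                  18: "tls", 19: "vencrypt"}


def parse_rfb_version(banner: bytes):
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.003\\n'.
    Returns (major, minor), or None if the peer is not an RFB server."""
    if (len(banner) != 12 or banner[:4] != b"RFB "
            or banner[7:8] != b"." or banner[11:] != b"\n"):
        return None
    try:
        return int(banner[4:7]), int(banner[8:11])
    except ValueError:
        return None


def parse_security(version, data: bytes):
    """Decode the security message that follows the version exchange and
    return the names of the security types the server offers."""
    if version <= (3, 3):
        if len(data) < 4:
            return []
        (sec,) = struct.unpack(">I", data[:4])
        return [RFB33_SECURITY.get(sec, f"unknown({sec})")]
    if not data:
        return []
    count = data[0]          # count == 0 means the server refused and
    return [RFB37_SECURITY.get(t, f"unknown({t})")   # sends a reason string
            for t in data[1:1 + count]]


def classify_rfb(banner: bytes, security: bytes) -> dict:
    """Summarise one handshake: is it VNC, which version, which auth types."""
    version = parse_rfb_version(banner)
    if version is None:
        return {"vnc": False}
    types = parse_security(version, security)
    return {
        "vnc": True,
        "version": f"{version[0]}.{version[1]}",
        "security": types,
        # 'none' needs no password at all; 'vnc-auth' is the DES
        # challenge-response that a fixed, known password unlocks.
        "unauthenticated": "none" in types,
    }


def probe_vnc(host: str, port: int = 5900, timeout: float = 3.0) -> dict:
    """Connect, read the server's banner, echo it back (the client announces
    the version it will speak), then read the security message."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = s.recv(12)
            if parse_rfb_version(banner) is None:
                return {"host": host, "vnc": False}
            s.sendall(banner)  # assumption: answer with the server's own version
            security = s.recv(256)
    except OSError as exc:
        return {"host": host, "vnc": False, "error": str(exc)}
    result = classify_rfb(banner, security)
    result["host"] = host
    return result


def scan(hosts, port: int = 5900):
    """Probe each host and keep only those that answered as an RFB server."""
    return [r for r in (probe_vnc(h, port) for h in hosts) if r.get("vnc")]


# Constructed sample handshakes (not captured from any real host):
SAMPLE_33_VNCAUTH = (b"RFB 003.003\n", b"\x00\x00\x00\x02")   # 3.3, VNC auth
SAMPLE_38_NONE = (b"RFB 003.008\n", b"\x02\x01\x02")          # 3.8, none + VNC auth
SAMPLE_NOT_VNC = (b"SSH-2.0-Ope", b"")                         # not RFB at all

if __name__ == "__main__":
    for banner, sec in (SAMPLE_33_VNCAUTH, SAMPLE_38_NONE, SAMPLE_NOT_VNC):
        print(classify_rfb(banner, sec))
```

    Run `scan(["10.0.0.5", "10.0.0.6"])` against your own address space; a
    host reporting `"security": ["vnc-auth"]` is protected only by whatever
    password was set, which is exactly the situation the thread describes, and
    one reporting `"none"` is open to anyone who connects.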
    
