Updated: 24.11.2002; 14:39:18.
disLEXia
lies, laws, legal research, crime and the internet

Monday, January 28, 2002

Turning Macs on Thievery

In a story that is probably unique, R.D. Bridges recovered his sister's stolen iMac using Netopia's Timbuktu Pro, a program that allows computers to be remotely controlled and is widely used by computer-help technicians. Bridges, who lives in Clear Lake, a suburb of Houston, had installed the software to help his sister, who lives across town, when she ran into problems. [...] http://www.wired.com/news/mac/0,2125,50025,00.html Tracing a Stolen iMac Using Timbuktu http://www.macscripter.net/unscripted.html [Monty Solomon via risks-digest Volume 21, Issue 90]

Virus writers aren't playing fair

Today I got a weird e-mail with some inline uuencoded data that had a filename of www dot myparty dot yahoo dot com. My McAfee didn't detect it as a virus, but it uudecoded into a DOS executable so I was suspicious. I sent it off to McAfee, and they sent me back an EXTRA.DAT for it. Then came the real trouble.

I use a milter I wrote (http://www.nmt.edu/~wcolburn/antivirus/) to detect viruses. Up until today, it had used error codes to know if a file needed scanning. The mail file would be "ripmime"ed, and if the error code was 0 (no error) then it meant that some files were successfully extracted. If files were extracted then they needed to be scanned.

This new virus, W32/Myparty (ED), defeated me on several levels. The virus wasn't MIME encoded, so ripmime didn't find it. I added a blind uudecode to my milter, but it was defeated as well. The uuencoded virus is "corrupt" (but it creates some output which runs), so the return code from the uudecode command indicates (is indistinguishable from) nothing decoded.

In the end, I decided that the best thing to do is to blindly uudecode AND ripmime AND scan every single message. As you can imagine, this is a terrible solution. The core of the problem stems from the fact that MS products seem to "be generous in what they accept" (the way all good software should be written?), and so they don't care that the mail wasn't MIME encoded, nor that it contained a corrupt file.

The risk is that systems are so complex it is getting increasingly hard to protect them. That virus shouldn't propagate because it isn't MIME encoded, but it does. That virus shouldn't propagate because it uses a corrupt file transfer, but it does. If both things were done on purpose, then the writer was clever. I can imagine that more software writers than myself considered "garbage" or "corrupt" data as "safe". ["Schlake ( William Colburn )" via risks-digest Volume 21, Issue 91]
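As an added illustration of the exit-code trap described in the post (this is not the author's milter nor code from risks-digest): a Python checker that decides whether a non-MIME message needs a virus scan from what a lenient uudecode actually produced, not from whether the decoder reported success. The payload and message are constructed; the filename is the one the post mentions, and the "MZ" header check is an assumed extra heuristic.

```python
import binascii
import re

# A raw uuencoded body starts with "begin <mode> <name>"; lenient mail clients
# unpack it even without MIME, so the filter has to find it too.
BEGIN_RE = re.compile(r"^begin [0-7]{3,4} (\S+)\s*$")

def extract_uuencoded(text):
    """Decode every uuencoded block leniently; record output size, bad lines and
    whether 'end' was seen, which the uudecode exit code alone cannot tell you."""
    lines = text.splitlines()
    blocks, i = [], 0
    while i < len(lines):
        m = BEGIN_RE.match(lines[i])
        i += 1
        if not m:
            continue
        block = {"name": m.group(1), "data": bytearray(), "bad_lines": 0, "terminated": False}
        while i < len(lines):
            line = lines[i]
            i += 1
            if line.strip() == "end":
                block["terminated"] = True
                break
            if line.strip() in ("", "`"):  # empty data line or padding
                continue
            try:
                block["data"] += binascii.a2b_uu(line)
            except binascii.Error:
                block["bad_lines"] += 1  # keep going, as a lenient client would
        block["data"] = bytes(block["data"])
        block["corrupt"] = block["bad_lines"] > 0 or not block["terminated"]
        blocks.append(block)
    return blocks

def looks_like_dos_executable(data):
    """Assumed extra heuristic: an MZ header marks a DOS/Windows executable."""
    return data[:2] == b"MZ"

def needs_scanning(text):
    """Scan if ANY block produced output, corrupt or not: the exit code is ignored."""
    return any(len(b["data"]) > 0 for b in extract_uuencoded(text))

# Constructed sample: a fake 90-byte "executable" (MZ header plus filler), uuencoded,
# then damaged like a broken transfer: second data line mangled, no "end" marker.
FAKE_EXE = b"MZ" + bytes(range(88))
GOOD_LINE = binascii.b2a_uu(FAKE_EXE[:45]).decode("ascii").rstrip("\n")
SAMPLE_MESSAGE = ("Subject: new photos from my party!\n\nbegin 644 www.myparty.yahoo.com\n"
                  + GOOD_LINE + "\nthis line is garbage (constructed corruption)\n`\n")
```

Run against SAMPLE_MESSAGE, the block is reported as corrupt (one undecodable line, no terminator) yet still yields 45 bytes starting with "MZ", so needs_scanning() returns True where an exit-code check would have said "nothing decoded".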


Maximillian Dornseif, 2002.