Bytes | Software Development & Data Engineering Community

Caution SONY Music CDs have trojan Malware

Whether you are a web surfer or a C++ developer, if you use Windows be
cautioned about SONY music CDs. They contain 'viewer' type software that is
actually a trojan horse for a "rootkit". The licence agreement gives no
indication whatsoever that the 'viewer' software contains the implementation
of a nasty near-impossible to remove rootkit software.

http://www.sysinternals.com/blog/200...al-rights.html

http://www.techdirt.com/articles/200...514209_F.shtml

http://www.theregister.co.uk/2005/11/03/secfocus_drm/

--

Beware SONY Music CDs.
They contain "viewers" that are actually
rootkit viruses that are near impossible to
remove.
http://www.sysinternals.com/blog/200...al-rights.html
http://www.techdirt.com/articles/200...514209_F.shtml
Nov 3 '05

"Roger Wilco" <ye****@yourservice.invalid> wrote in message
news:11*************@corp.supernews.com...
I'll agree to disagree and will not discuss it further since no-one
else in these groups seems interested.

But in case they are, here is some more reading material:

http://staff.washington.edu/dittrich...s/rootkits.faq
http://project.honeynet.org/papers/enemy3/
http://www.cs.wright.edu/people/facu...on/obrien.html
http://www.linuxgazette.com/issue36/kuethe.html
Nov 24 '05 #81

kurt wismer wrote:
...says the guy who plays with the trolls... my killfile is now several
orders of magnitude larger than it was before thanks to you...


Awe.. Sorry. :) I'm not feeding them right now. The SATA controller
discussion was just too amusing for me. It's pointless.

Besides, the new BugHunter build is taking a lot of time. Tons of new
samples, new layout, full recursive scanning. Bye bye lame browser
hijackers. hehehe.
If he feels a
rootkit is something that "hides" itself, leave him be. Ignorance
knows no bounds anyway, you should know this.


even when the principals in a discussion make no headway, the gallery
can still be better off for knowing more than it did before...


Yes... I think we've both done enough attempted education of the
gallery. If you can't educate the trolls, what makes you think you're
going to do any education with this rootkit nonsense? Just face the
fact (sad as it is) that various individuals/companies knowingly
improperly used the term, and there's no going back now.

The original author who made the discovery shouldn't have been so quick
to call it a rootkit. He has so much coding skill, yet... so little
brains with naming things. :)

It's a lost cause kurt, people will refer to this POS software now as
rootkits, just as many are now claiming all sorts of things fall under
the umbrella "Malware". Such a vague description.

Regards,
Dustin Cook
http://bughunter.atspace.org

Nov 25 '05 #82

Roger Wilco wrote:
Speaking of ignorance... yet you fail to realize that my view isn't at
all what you suggest it is.

Kurt is of the opinion that the word "root" in rootkit is there because
rootkits are designed to "get root" either on the current machine or on
subsequent machines. On the other hand my opinion is that the word is
there because that privilege level is required prior to attempting to
implement installation of the kit.

We both agree (I think) that the current usage (with regard to this
thread) is somewhat inappropriate because "stealthware" is only a part
of what a rootkit is. Kurt is a tenacious debater and very difficult to
persuade, and I will not continue to try.


Agreed. For different reasons. :) In all fairness Roger, I wasn't
claiming you were ignorant per se. Just thought I'd let you know. :)

We'll just have to agree to disagree with regard to this rootkit
nonsense. The end users don't even understand what you guys have been
going back and forth over anyhow. :)
even when the principals in a discussion make no headway, the gallery
can still be better off for knowing more than it did before...


Agreed!


Assuming the gallery hasn't had an information overload. :)

Regards,
Dustin Cook
http://bughunter.atspace.org

Nov 25 '05 #83
Dustin Cook wrote:
kurt wismer wrote:
i dislike fence-sitting as well...


Do you hear it? It's the sound of a dead horse. :) This is truly a
lost cause Kurt. It's akin to playing with the trolls. If he feels a
rootkit is something that "hides" itself, leave him be. Ignorance
knows no bounds anyway, you should know this.

Regards,
Dustin Cook
http://bughunter.atspace.org


Ignorance knows no bounds ... anyway, you should know this.

===================================

Funny thing about that expression:

Ignorance knows no bounds

... it should be:

Ignorance only knows bounds.

I guess that I didn't know this. Does it mean that I am ignorant?

--
Ignorance is your prerogative

Nov 25 '05 #84
Dustin Cook wrote:
kurt wismer wrote:
...says the guy who plays with the trolls... my killfile is now
several orders of magnitude larger than it was before thanks to
you...


Awe.. Sorry. :) I'm not feeding them right now.


...because you got SPNAKED. Again, and again!


Nov 25 '05 #85
Roger Wilco wrote:
[snip]
From: http://www.sans.org/y2k/TFN_toolkit.htm

"The Attack

The hackers are using buffer overflow exploits on rpc.ttdbserverd,
rpc.cmsd, sadmind, rpc.statd to gain root access to a machine. In some
cases, they use a variant of the /tmp/bob attack which is associated
with the ffcore buffer overflow exploit. In any event, if they are successful
in gaining access, they ftp the toolkit into a directory on the machine
..."

Here you see that they mention the root access happening prior to the
FTPing of the "kit" - and also they mention earlier " I'd classify this
attack as a simple rootkit style attack with a DoS payload." so the
payload here isn't further rooting of more machines.
keep reading... it contains a sniffer (for getting passwords to other
systems) and multiple backdoors to allow the attacker to (re)gain root
access through other avenues after the rootkit is installed...

[snip]
i'm sorry but your analysis has missed the mark... the context is
clearly about penetration of the machine, not persistence on the
machine... his use of rootkit in that context implies that rootkits are
generally used in the penetration phase (although not in his specific
case)...

Not really, the context (concerning his use of the word) is a
disparaging remark


apparently now we're going to have to have a debate about the meaning of
the word "context"... you've clearly captured the *connotation*, but the
*context* (the wider frame of reference in which the term was used, that
clarifies and disambiguates the author's meaning) has to do with
penetration...

he *was* talking about penetration, he did imply that most people would
have used a rootkit to achieve what the person in his example did
(penetrated his system)...

[snip]
another cert document from 1997
(http://www.cert.org/research/JHThesis/Chapter8.html) also makes
reference to the toolkit classification but breaks it into 2, tools
designed to exploit root access

Again, to me "exploit root access" in this context means exploiting
(leveraging) the fact of root access.


that's all well and nice... but what it means to you is irrelevant as
they specify an example of what they meant and the example was the
toolkit known as "rootkit", whose properties and functions are well
documented...


A "rootkit" and a program calling itself "rootkit" are not the same
thing. The program calling itself rootkit does also happen to be one,
but that program and "all" of its functions are not what defines a
rootkit.

Again in this document
https://tms.symantec.com/members/Ana...HV4Rootkit.pdf
the access (via exploit of a vulnerability) come prior to, and apart
from, the installation of the rootkit. The rootkit itself does not
contain the means to obtain root access.


you need to read deeper... it contains its own copy of the system
binary known as login, which can only be to steal passwords or allow
illegitimate root logins... it contains a trojanized version of ssh for
snatching passwords... it also contains a sniffer for grabbing passwords
and a script for parsing the output of the sniffer...
You can't exploit root access in
the sense that you can exploit vulnerabilities in broken software. You
can exploit the broken software to attain root access - but this is an
exploiter not a rootkit. Here they meant (to me at least) that they are
designed to exploit (make use of) root access, not that they are
exploits (injection vector w/payload) to attain root access.


they meant tools like "rootkit"... it was designed to sniff passwords so
as to allow you to gain root on machines other than the one it was
installed on...


But that was not the defining feature.


the defining feature is that they aid in gaining root access...

[snip]
To me, a rootkit could also be


can i be blunt (or perhaps just curt)?... don't you think we're past the
point in the discussion where you tell me what you *feel* a rootkit is?


Absolutely, since you won't listen. I'll agree to disagree and will not
discuss it further since no-one else in these groups seems interested.


oh, but i am listening... are you listening to yourself? have you
counted the number of times you've started off a rebuttal with the words
"to me a rootkit is" or "to me a rootkit could be" or some other
variation? unless you personally coined the term i'm afraid what the
term means *to you* doesn't really have that much weight...

[from the subsequent message] But in case they are, here is some more reading material:

http://staff.washington.edu/dittrich...s/rootkits.faq
http://project.honeynet.org/papers/enemy3/
http://www.cs.wright.edu/people/facu...on/obrien.html
http://www.linuxgazette.com/issue36/kuethe.html


what's interesting to me is that every single example you cite contains
a sniffer for getting passwords out of network traffic and at least one
(generally more than one) backdoor to gain root on the affected machine
through a more convenient avenue than was initially used during install
(in retrospect i suppose that *might* be what the anti-spyware coalition
meant by 'maintaining' root access, maybe)...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
Nov 28 '05 #86
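The posts above keep returning to trojanized copies of login and ssh as the tell-tale contents of a classic rootkit. As an added example that is not part of the thread, here is the defender-side check that catches exactly that: a baseline of SHA-256 digests for a watched set of system binaries, compared again later to report anything modified, missing, or newly present. The paths and file contents are constructed stand-ins written to a temporary directory so the script runs offline.

```python
# Added example (not from the thread): minimal baseline-integrity check for
# the binary replacement the posts describe (trojanized login/ssh).
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root, relpaths):
    """Digest every watched file under root; a file that is absent maps to None."""
    baseline = {}
    for rel in relpaths:
        p = os.path.join(root, rel)
        baseline[rel] = sha256_file(p) if os.path.isfile(p) else None
    return baseline

def compare(root, baseline):
    """Return a sorted list of (relpath, status) for every watched file that differs."""
    findings = []
    for rel, old in baseline.items():
        p = os.path.join(root, rel)
        new = sha256_file(p) if os.path.isfile(p) else None
        if old == new:
            continue
        status = "missing" if new is None else "added" if old is None else "modified"
        findings.append((rel, status))
    return sorted(findings)

def demo():
    """Constructed scenario: baseline a fake system tree, then swap in a trojanized login."""
    watched = ["bin/login", "usr/bin/ssh", "sbin/ifconfig"]  # assumed watch list
    with tempfile.TemporaryDirectory() as root:
        for rel in watched:
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(b"genuine " + rel.encode())  # stand-in for the real binary
        baseline = build_baseline(root, watched)
        # simulate the kit install: the login binary is replaced by a password logger
        with open(os.path.join(root, "bin/login"), "wb") as f:
            f.write(b"trojanized login that records passwords")
        return compare(root, baseline)

if __name__ == "__main__":
    for rel, status in demo():
        print(f"{status:9s} {rel}")
```

On a real host the baseline and the checking tool themselves must live on read-only or offline media, since a kit running as root can rewrite both along with the binaries.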

"kurt wismer" <ku***@sympatico.ca> wrote in message news:4y******************@news20.bellglobal.com...
what's interesting to me is that every single example you cite contains
a sniffer for getting passwords out of network traffic and at least one
(generally more than one) backdoor to gain root on the affected machine
through a more convenient avenue than was initially used during install
Of course, it is a kit and contains programs useful to the intruder...

Like any toolkit, it has many tools the user wants to use. Having a screwdriver
does not make it a screwdriver kit any more than having a wrench makes it a
wrench kit. If the intruder only wants to cause an information leak on a target
machine (not some script kiddie collecting "rooted" machines so he can boast
about his collection being bigger than yours), his kit may not include the sniffer
or any other program that can be construed as an "aid in gaining root access".

It is a "root" kit because the attacker needs root access to use the programs in
the kit, and a kit because it usually contains more than one tool.
(in retrospect i suppose that *might* be what the anti-spyware coalition
meant by 'maintaining' root access, maybe)...


I suspect so, survivability of the compromise is probably the main underlying
theme rather than "rooting" of more machines. Stealth would be a great aid to
survivability as would creating other ways to get back in as root. No surprise
that most if not all kits had both tools. Also no surprise that the focus is now
on stealth as being the defining factor.

This seems to agree that survivability of root access compromise is paramount
and stealth is a major contributor toward achieving that end.

http://www.informit.com/articles/art...08884&seqNum=2

No mention of machine collecting is made, only stealth aimed at local survivability
of root access (persistence). It also touches on the historical meaning of rootkit.

You could start at http://www.informit.com/articles/art...08884&seqNum=1

But this part isn't just about rootkits.
Nov 29 '05 #87
Roger Wilco wrote:
"kurt wismer" <ku***@sympatico.ca> wrote in message news:4y******************@news20.bellglobal.com...
what's interesting to me is that every single example you cite contains
a sniffer for getting passwords out of network traffic and at least one
(generally more than one) backdoor to gain root on the affected machine
through a more convenient avenue than was initially used during install
Of course, it is a kit and contains programs useful to the intruder...

Like any toolkit, it has many tools the user wants to use. Having a screwdriver
does not make it a screwdriver kit any more than having a wrench makes it a
wrench kit.


if the kit is full of screwdrivers and screwdriver accessories then it
most certainly is a screwdriving kit...
If the intruder only wants to cause an information leak on a target
machine (not some script kiddie collecting "rooted" machines so he can boast
about his collection being bigger than yours), his kit may not include the sniffer
or any other program that can be construed as an "aid in gaining root access".
then it wouldn't be a rootkit...
It is a "root" kit because the attacker needs root access to use the programs in
the kit, and a kit because it usually contains more than one tool.
this contradicts what is stated in the example you cite below... it states

"A rootkit is a "kit" consisting of small and useful programs that allow
an attacker to maintain access to "root," the most powerful user on a
computer".

that clearly doesn't agree with your definition... i'm not a big fan of
it either unless "maintain" means backdooring the system for easier
access later on...
(in retrospect i suppose that *might* be what the anti-spyware coalition
meant by 'maintaining' root access, maybe)...


I suspect so, survivability of the compromise is probably the main underlying
theme rather than "rooting" of more machines.


no, 'survivability' is an *enhancement*...
Stealth would be a great aid to
survivability as would creating other ways to get back in as root. No surprise
that most if not all kits had both tools. Also no surprise that the focus is now
on stealth as being the defining factor.
stealth is not the defining factor...
This seems to agree that survivability of root access compromise is paramount
and stealth is a major contributor toward achieving that end.

http://www.informit.com/articles/art...08884&seqNum=2

No mention of machine collecting is made, only stealth aimed at local survivability
of root access (persistence). It also touches on the historical meaning of rootkit.

You could start at http://www.informit.com/articles/art...08884&seqNum=1

But this part isn't just about rootkits.


actually the entire article is all about rootkits, the first page just
abstracts out some of the underlying concepts inherent in rootkits so as
to talk about them in isolation and bring the reader up to speed on the
fundamentals...

page 3, however, has this nice little blurb:

"Rootkits provide two primary functions: remote command and control, and
software eavesdropping"

remote command and control == backdoors
software eavesdropping == sniffing

now, if something doesn't provide the 2 primary functions of a rootkit,
is it still a rootkit? i don't think so...

isn't the primary function == the "defining factor"? in any reasonable
taxonomy of malware (or even software in general) it most certainly is...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
Nov 29 '05 #88
