
Symantec Users, Start Your Keyloggers

An anonymous reader writes "Script kiddies have been taking advantage of intrusion prevention features of Symantec's Norton Firewall and Norton Internet Security Suites to knock users offline in IRC channels, according to an amusing post at Washingtonpost.com. From the article: 'Turns out that if someone types "startkeylogger" or "stopkeylogger" in an IRC channel, anyone on the channel using the affected Norton products will be immediately kicked off without warning. These are commands typically issued by the Spybot worm, which spreads over IRC and peer-to-peer file-swapping networks, installing a program that records and transmits everything the victim types (known as a keylogger).' Makes you wonder what other magic keywords produce unexpected results with Symantec's software."
This discussion has been archived. No new comments can be posted.

  • No surprise here... (Score:4, Informative)

    by Radi-0-head ( 261712 ) on Thursday March 02, 2006 @09:07PM (#14839583)
    Anyone who uses Symantec software with the expectation that it will actually protect them from anything deserves whatever they get.

    I deal with hundreds of machines monthly, and it's always the NIS/Norton Antivirus machines that have been completely compromised without Norton making a peep.

    US companies suck at malware detection. I've found the eastern European companies to be among the best.
  • by macklin01 ( 760841 ) on Thursday March 02, 2006 @09:11PM (#14839600) Homepage

    That's a really scary concept, that the very programs we rely on to protect our computers are so incredibly insecure that a couple keystrokes can completely disable our protection. You would think that if we are expected to pay a company to protect us, that they would do their best. This day and age, that is NOT the best they can do. Not a chance.

    From what I understood, the keystrokes weren't disabling the protection, but rather activating it, i.e., shutting down the chat session to prevent it from triggering malware. - Paul

  • by The MAZZTer ( 911996 ) <.moc.liamg. .ta. .tzzagem.> on Thursday March 02, 2006 @09:15PM (#14839633) Homepage
    It doesn't have to be spoken text. If an incoming packet is caught by Norton firewall with a keyword in it, the connection is closed regardless of where it is.

    Which means you can change your nick to one of the words.

    Or even more devilishly, put it in your ident where no one will notice it. Your speech will be so powerful it will knock people off the internet. Or is it your breath...

    PS: Another keyword that works is "stopspy", which is more useful for idents. I don't normally take advantage of stuff like this but it's too good to pass up.

    To redeem myself, I will mention that you can work around this by turning off some filter called "Spybot keylogger" or something under advanced options.
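Why matching "regardless of where it is" misfires, as an added example that is not from the comment above or from Symantec: a raw substring filter is compared with a parser that reports which IRC field held the keyword. The sample lines are constructed, and the `verdict` policy (alert or log, never reset the connection) is an assumption made here for illustration.

```python
# Added illustration; the keywords are the ones named in this thread.
KEYWORDS = ("startkeylogger", "stopkeylogger", "stopspy")

def naive_match(raw):
    """Behaviour described above: a keyword anywhere in the packet trips."""
    return any(k in raw.lower() for k in KEYWORDS)

def parse_irc(raw):
    """Split a raw IRC line (RFC 1459 layout) into its fields."""
    line, prefix = raw.rstrip("\r\n"), ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, _, trailing = line.partition(" :")
    parts = head.split()
    nick, _, rest = prefix.partition("!")
    user, _, host = rest.partition("@")
    return {"nick": nick, "user": user, "host": host,
            "command": parts[0].upper() if parts else "",
            "params": " ".join(parts[1:]),
            "trailing": trailing}

def keyword_fields(raw):
    """Names of the parsed fields that contain a keyword."""
    msg = parse_irc(raw)
    return sorted(name for name, value in msg.items()
                  if name != "command" and any(k in value.lower() for k in KEYWORDS))

def verdict(raw):
    """Assumed policy: never reset the connection. Alert only on a PRIVMSG
    whose whole body is a keyword; log any other hit for review."""
    msg = parse_irc(raw)
    if msg["command"] == "PRIVMSG" and msg["trailing"].strip().lower() in KEYWORDS:
        return "alert"
    return "log" if keyword_fields(raw) else "ignore"

# Constructed sample traffic (example.net hosts are placeholders).
SAMPLES = [
    ":alice!alice@a.example.net PRIVMSG #chat :hello everyone",
    ":bob!bob@b.example.net PRIVMSG #chat :startkeylogger",
    ":carol!stopspy@c.example.net JOIN #chat",
    ":erin!erin@e.example.net PRIVMSG #chat :read about the stopkeylogger bug?",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(naive_match(line), keyword_fields(line), verdict(line), line)
```

The naive filter fires on three of the four lines, including an ident string and an ordinary sentence about the bug, while the field-aware pass separates a command-shaped message from incidental text.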
  • Re:Bash.org (Score:3, Informative)

    by Junta ( 36770 ) on Thursday March 02, 2006 @09:21PM (#14839657)
    http://www.bash.org/?13213 [bash.org]

    Fun keyword filtering.
  • by Suddenly_Dead ( 656421 ) on Thursday March 02, 2006 @09:27PM (#14839692)
    Not any program. The software only monitors IRC communication because that's where the commands to the zombies are sent. mIRC works through IRC, hence it causes the thing to be tripped.
  • by NitsujTPU ( 19263 ) on Thursday March 02, 2006 @09:29PM (#14839703)
    Dude... what are you talking about? Script kiddies are called script kiddies because they steal other people's ideas. They aren't actually coming up with anything.

    It wasn't a script kiddie who figured out that this works, it was a "hacker" (or a "cracker").

    It's not like some kid spent hours figuring this out. These kids were told by someone who figured it out, who would not be referred to as a script kiddie.
  • Yep, that's that (Score:2, Informative)

    by WWWWolf ( 2428 ) <wwwwolf@iki.fi> on Thursday March 02, 2006 @09:32PM (#14839724) Homepage

    I saw this happening on #wikipedia a day or three ago. Someone with user/hostname like startkeylogger@....gnauk.co.uk showed up, and bang, a Norton user dropped off line.

    I really couldn't believe any people would implement this sort of silliness in firewall/antivirus in this day and age. This was a "feature" of some censorware packages a few years back, I really hoped the folks would have wisened up. It's silly if you try to censor stuff, it's twice as silly if it goes under the guise of computer security.

  • by cojsl ( 694820 ) on Thursday March 02, 2006 @09:36PM (#14839744) Homepage
    I get "Message blocked: Exploiting Norton bug" on my favorite channel if I type in either command
  • Re:Impressive (Score:3, Informative)

    by clymere ( 605769 ) on Thursday March 02, 2006 @10:04PM (#14839881) Homepage
    irc.freenode.net irc.oftc.net

    that's just for starters

  • by Monkeys!!! ( 831558 ) on Thursday March 02, 2006 @10:05PM (#14839885) Homepage
    *** (G) Banned from AustNet: This address has been used for deliberately try to disconnect others. (CET0603030304).

    Frak.

    In summary, be careful with this.
  • by Blymie ( 231220 ) * on Thursday March 02, 2006 @11:09PM (#14840214)

    Why?

    Because you have to run Norton as the administrator, if you want updates. You *used* to be able to get around this, by installing Norton as an admin, then setting up a cron (scheduled tasks :P ) to do the updates. However, Norton actually *disabled* the ability to do this in its latest versions. For the last year or so, you MUST run Norton as the administrator to get updates. Put another way, you have to log in once a day as administrator, or you never receive virus updates.

    Lame? Yes, it is. Their technical support staff find nothing odd about this, and their sales staff try to sell you an inordinately expensive "professional" product which does allow you to run as a normal user, and have updates occur without logging in as admin every 5 minutes. This is just sad. Every XP user should be running as a non-admin. Norton should be *encouraging* that.

    I thought these people were trying to *help* security? The last thing I want anyone to do, is run as administrator on an XP box. Sure, you don't get the same level of security that you do under Linux, when one runs as a normal user, but it's still *very preferable* to run as a non-admin user for your day to day tasks, under XP.

    There are so many "business" class products that don't understand such a simple concept. I've seen income tax software that must be run as the admin user under XP. Anti-virus software though??! That's just absurd.
  • Re:+++ATH (Score:5, Informative)

    by Ungrounded Lightning ( 62228 ) on Thursday March 02, 2006 @11:58PM (#14840411) Journal
    There was also the "ANSI Standard Back Door".

    Some of the early not-too-smart (pre-computer-running-the-show) terminals - notably the "Ann Arbor Terminals" terminal, the DEC VT105, and anything following the ANSI standard for terminal operation which was based on them - had several "soft keys".
      - These could be configured to send any desired sequence of up to maybe 128 or so characters when hit.
      - They were configured by an escape sequence.
      - The escape sequence could be delivered from the far end of the link. (Typically was, by a program setting up the softkey.)
      - The escape sequence setting the key would not produce any visual indication on the screen that this was being done (so as not to corrupt the screen).
      - The key could also be "struck" by another escape sequence, also deliverable from the remote end.
      - Some talk/chat features (think "stone-age instant messaging") did NOT filter out escape sequences in inter-user messages.

    What this meant was that a user (especially one running an early terminal emulator on an early home computer - like an Apple ][) could compose a message to another user that would reprogram one of his softkeys to send anything the malicious user wanted and "hit" it remotely. The time-sharing machine in the middle would interpret the command as if it came from the victim. (This was especially handy if the victim happened to be logged in as the equivalent of a superuser at the time.)

    If the message was a multiple command to disable keystroke echoing at the start and reenable it at the end it might not show up at all. (Or screen control stuff could be included to blank out the echoed command before it could be noticed.)

    There were revs to the terminals to disable this. But installing them made the terminal no longer standards compliant. B-)
  • Re:+++ATH (Score:4, Informative)

    by Ungrounded Lightning ( 62228 ) on Friday March 03, 2006 @12:00AM (#14840423) Journal
    (An even more vicious hack was to reprogram the terminal's scrolling window to 1x1 character, change the escape sequence for programming it, and store it as the startup configuration. This killed the terminal - permanently. B-b )
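The filtering that those talk/chat programs lacked, as an added example that is not from the comments above: untrusted inter-user text is stripped of escape and control sequences before it reaches a terminal. The sequence grammar is ECMA-48 (ANSI X3.64); the sample message and its placeholder payload are constructed, and the function names are hypothetical.

```python
import re

# Sequence shapes from ECMA-48 (the ANSI X3.64 grammar), 7-bit and 8-bit forms.
SEQUENCES = re.compile(
    # DCS/SOS/OSC/PM/APC string, up to its ST or BEL terminator
    r"(?:\x1b[PX\]^_]|[\x90\x98\x9d\x9e\x9f]).*?(?:\x1b\\|\x9c|\x07)"
    # CSI control sequence: parameters, intermediates, final byte
    r"|(?:\x1b\[|\x9b)[0-?]*[ -/]*[@-~]"
    # any other escape sequence
    r"|\x1b[ -/]*[0-~]",
    re.DOTALL,
)
# Control characters left over once sequences are gone; tab and newline stay.
CONTROLS = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")

def find_sequences(text):
    """Return each escape/control sequence found, for logging or alerting."""
    return [m.group() for m in SEQUENCES.finditer(text)]

def sanitize(text):
    """Drop whole sequences, then show any stray control byte as \\xNN."""
    text = SEQUENCES.sub("", text)
    return CONTROLS.sub(lambda m: "\\x%02x" % ord(m.group()), text)

# Constructed message. The DCS body is a placeholder, not a real terminal's
# key-programming command.
MESSAGE = "lunch?\x1bPplaceholder-payload\x1b\\\x1b[2J see you at noon\r"

if __name__ == "__main__":
    print([repr(s) for s in find_sequences(MESSAGE)])
    print(sanitize(MESSAGE))
```

An unterminated string sequence loses only its introducer, so its body is displayed as plain text instead of being interpreted by the terminal.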
  • by Mistshadow2k4 ( 748958 ) on Friday March 03, 2006 @02:09AM (#14840902) Journal

    "Except that Unix-like operating systems aren't immune to many virus attacks too. They just haven't been the focus of attack in any significant way, so the true virus potential isn't known."

    You seem to think *nix OSes are a lot less popular than they are. You do know that Unix was the most popular server OS until this year, right? You do know that when combined with Linux and BSD, the *nix OSes still outnumber Windows servers, don't you? And surely you've heard that Unix has been around about 35 years, haven't you? So.... where are all the Unix viruses? There should be a million of them at least but there aren't. There have been only 13 Unix viruses in computing history. Maybe it has something to do with the fact that it has always been designed to be secure from the start.

  • by Anonymous Coward on Friday March 03, 2006 @02:38AM (#14841019)
    So, you say that you don't trust binaries from closed source companies?

    Turns out you can't even believe in binaries you have built yourself.

    Read this: http://www.acm.org/classics/sep95/ [acm.org]

    (Not for the paranoid!!!)
