Symantec Users, Start Your Keyloggers 313
An anonymous reader writes "Script kiddies have been taking advantage of intrusion prevention features of Symantec's Norton Firewall and Norton Internet Security Suites to knock users offline in IRC channels, according to an amusing post at Washingtonpost.com. From the article: 'Turns out that if someone types "startkeylogger" or "stopkeylogger" in an IRC channel, anyone on the channel using the affected Norton products will be immediately kicked off without warning. These are commands typically issued by the Spybot worm, which spreads over IRC and peer-to-peer file-swapping networks, installing a program that records and transmits everything the victim types (known as a keylogger).' Makes you wonder what other magic keywords produce unexpected results with Symantec's software."
One thing for sure. (Score:5, Insightful)
protection? yeah, right (Score:5, Insightful)
thats a really scary concept, that the very programs we rely on to protect our computers are so incredibly insecure that a couple keystrokes can completely disable our protection. you would think that if we are expected to pay a company to protect us, that they would do their best. this day in age, that is NOT the best they can do. Not a chance.
Re:protection? yeah, right (Score:4, Insightful)
Re:time for a nick change (Score:3, Insightful)
I've confirmed on my network that the following will kick some serious ass:
- simply saying it in a channel
- adding it to the beginning of a topic (meaning if a user simply does a
- changing your name to it
- Quit messages
It may also cause issues in PM's, notices, but have yet to confirm with that.
We ended up just adding text filters for any spot where the text can occur, something like this (since we're on UnrealIRC):
Something to that affect.
It was a real annoyance on our network, ended up kicking some people out over it.
~Francisco
Let me get this straight... (Score:1, Insightful)
Re:Impressive (Score:3, Insightful)
Re:You are mistaken (Score:3, Insightful)
Security (Score:3, Insightful)
This is not the first "personal firewall" product to be attackable, either. BlackICE has had its time up on Slashdot, as well as other packages.
"Personal firewalls" do little to improve computer security, and do add overhead, complexity, and their own collection of security problems.
The real fix is to not start servers that you don't trust to be solid listening for traffic from your computer. Microsoft does (irritatingly) have a collection of servers running by default (unless SP2 disabled or blocked access to them -- dunno).
Worrying about personal firewalls, trying to treat NAT as a "security enhancer", etc...it's all crazy. Just don't open the holes in the computer in the first place and you don't have to worry about it.
Re:protection? yeah, right (Score:2, Insightful)
I agree more people should be moving to Linux, but don't tell them they don't have to have a virus scanner.
Re:+++ATH (Score:2, Insightful)
Re:Did we forget... (Score:2, Insightful)
Great work, guys, fucking great.
Lost in translation (Score:2, Insightful)
Hell, I'm using a free antivirus because it gets right to the point. No pretty 3-inch wide tray monitor, no HTMLized interface (that crashes the HTML engine half the time), nothing but virus scanning thank you very much. Firewall ? Comes with Windows, does the job just fine for me. I've got linux for my "important" network in the closet.
Re:norton has got to be the least secure virus pro (Score:1, Insightful)
I agree with the first sentence, but the second doesn't make sense for Norton. If you ran XP as a non-administrator, you wouldn't need their products as much.
Re:MMORPG affected? (Score:4, Insightful)
nc -l -p 6667
on machine with NPF or NIS on it:
telnet machineone 6667
on machine one:
startkeylogger
machine two will now disconnect you from machine one and Norton will block you from connecting to machine one again. You have to go into the AutoBlock tab of the Symantec Client Firewall and remove the ip from the list.
Re:One thing for sure. (Score:3, Insightful)
Workaround for that dumb +++ problem (Score:5, Insightful)
However, the value 255 was special: if you do ATS2=255, the +++ escape feature is disabled entirely. In this mode, you hang up by dropping the "terminal ready" bit on the serial port - something that can't be faked like +++. This has the disadvantage that you can't switch to command mode without hanging up, but that feature was rarely used (especially because data sent by the other side while in command mode gets dropped).
This feature was frequently used by BBSs to stop this kind of thing from happening (IE, people doing +++ATH ATDT911).
Meow,
Melissa
Re:protection? yeah, right (Score:2, Insightful)
With WoW too (Score:3, Insightful)
Also it didn't stop there, since thereafter their firewall was automatically configured to forbid access to the WoW client.
Frankly, by now I'm thinking most of these "security products" are:
1. unnecessary, if you have some clue, use a firewall, keep your system patched, and have enough brains to read pop-up messages before clicking "yes". None has yet detected a _real_ virus on my computers yet.
2. about as effective as a condom with a hole in it when you actually need them: they just give you a false sense of security while you're getting screwed. The one time when I did intentionally play with a virus, Norton _didn't_ detect it. (Yes, it was intentional. I actually planned to let a system get virused while I download Sygate Personal Firewall, then reformat and reinstall.)
Worse yet, there are plenty of viruses which disable them anyway. So if you did get a new virus (e.g., by not obeying point 1) before Symantec updates their signatures, chances are it will disable your antivirus anyway. So basically the only way to be sure you still have protection is... to not get virused in the first place, without its help. Does it sound superfluous yet?
Worse yet, these "security products" lately have more exploits of their own than Windows has, basically just creating extra oportunities to get pwn3d by a script-kiddie. I know of at least one virus which did already spread through an overflow in a security product.
3. Perhaps more importantly: good only for slowing the system down and creating annoying false positives.
E.g., the WoW disconnect described above. (Though it would also fit in the "creating a new exploit" category described above.)
E.g., I haven't had one yet which didn't pick on some innocent program on account that some bytes in it looked like they _could_ do something that _could_ be dangerous.
E.g., heck, forget disconnecting from IRC for keylogger commands. At least one was idiotic enough to insist on deleting mIRC (both installed _and_ the installer) off my computer, because they thought IRC was a risk. And yes, you've read that right. Not because of detecting some possible problem in code, not because of knowing of an exploit in that particular mIRC version, etc. Just because of a retarded biased judgment call that mIRC is dangerous, and they wanted to protect me from that. (As a side-note: then why not also delete IE, if they're at deleting programs just because they think they _could_ be dangerous? I dare say it's got a worse track record than mIRC.)
Etc.
4. and even more importantly, most are worse than a virus in and by themselves. I don't think a virus or trojan even exists yet that slows down a computer worse than most of these "security solutions." You'd have to get several layers of them before a modest computer starts to crawl the way it does with Norton or McAffee on it.
Re:Workaround for that dumb +++ problem (Score:3, Insightful)
Re:protection? yeah, right (Score:3, Insightful)
Which, were it still the 70s and everyone was using dumb terminals off a mainframe, might be something worth considering.
However, in today's world we have these things called *Personal* Computers that aren't managed by a team of engineers and rarely have more than one user. On PCs, the "system" is the *least* important data on the machine.
In Linux and other UNIX-like OS its trivial to set it up so a ignorant user never can download a random file from Internet or save an email attachment and then execute it so it infects the computer. Just give the user a home directory which may not contain executable files.
Which is fine for a managed environment (and is just as possible with Windows). On a home PC without a dedicated sysadmin, it's not even a realistic - let alone practical - solution.
In Windows this nearly requires an masters in CS to be able to do.
If you can figure it out in Linux, you should be able to figure it out in Windows. Unless, of course, you have no interest in doing so.
Linux are better for home users and non-computer literate users since its easy to become safe from email viruses and web viruses.
If you've got your own sysadmin to manage and run the system, sure - but the same applies to Windows.
If you want security go with a UNIX-like operating system and set it up so ignorant users CAN'T infect the system.
Or you could just set Windows up likewise. Neither will be terribly useful as a general purpose computer, however.
One don't need anti-virus programs in Linux since one can use the OS to protect against ignorant users.
Not while remaining useful as a general purpose computer, you can't.