Symantec Users, Start Your Keyloggers 313

An anonymous reader writes "Script kiddies have been taking advantage of intrusion prevention features of Symantec's Norton Firewall and Norton Internet Security Suites to knock users offline in IRC channels, according to an amusing post at Washingtonpost.com. From the article: 'Turns out that if someone types "startkeylogger" or "stopkeylogger" in an IRC channel, anyone on the channel using the affected Norton products will be immediately kicked off without warning. These are commands typically issued by the Spybot worm, which spreads over IRC and peer-to-peer file-swapping networks, installing a program that records and transmits everything the victim types (known as a keylogger).' Makes you wonder what other magic keywords produce unexpected results with Symantec's software."
  • by techno-vampire ( 666512 ) on Thursday March 02, 2006 @09:05PM (#14839561) Homepage
    This is a very elegant trick; using the victim's anti-virus software as the tool to kick them off the net. Not only that, but you can do this to any number of people who happen to be on that channel and use the affected product. Now, if we could only get the skript kiddies to put their minds to something productive...
  • by psycho chic ( 958251 ) on Thursday March 02, 2006 @09:05PM (#14839568) Journal
    and people pay for that crap?

    that's a really scary concept, that the very programs we rely on to protect our computers are so incredibly insecure that a couple of keystrokes can completely disable our protection. you would think that if we are expected to pay a company to protect us, that they would do their best. this day and age, that is NOT the best they can do. Not a chance.

  • by Eightyford ( 893696 ) on Thursday March 02, 2006 @09:09PM (#14839590) Homepage
    And now Microsoft is selling Antivirus software. Antivirus software to secure their insecure operating system. I think this type of thing will ultimately force companies to switch back to Unix-like operating systems.
  • by Deltaanime ( 932261 ) on Thursday March 02, 2006 @09:27PM (#14839690)
    Yep, that works quite nicely.

    I've confirmed on my network that the following will kick some serious ass:

    - simply saying it in a channel
    - adding it to the beginning of a topic (meaning if a user simply does a /list, or /join's, they'll get kicked out)
    - changing your name to it
    - Quit messages

    It may also cause issues in PMs and notices, but I have yet to confirm that.

    We ended up just adding text filters for any spot where the text can occur, something like this (since we're on UnrealIRC):

    /spamfilter add cpnNPqat block - Norton_Exploit (start|stop)keylogger

    Something to that effect.

    It was a real annoyance on our network, ended up kicking some people out over it.

    ~Francisco
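The server-side text filter described in the comment above, reimplemented as an added example (not code from the post or from UnrealIRCd): it parses raw IRC lines and checks the same spots the comment lists (channel text, topic, nick change, quit message) plus the notice/part/away/private targets of the quoted spamfilter command. Case-insensitive matching and the line format handling are assumptions.

```python
import re

# The string the network in the post blocks with its UnrealIRCd spamfilter.
# Matching case-insensitively is an assumption; it errs towards blocking more.
TRIGGER = re.compile(r"(start|stop)keylogger", re.IGNORECASE)

# Commands whose text other clients see: the spots listed in the post (channel
# text, topic, nick change, quit message) plus the notice/part/away/private
# targets of the spamfilter command.
TEXT_COMMANDS = {"PRIVMSG", "NOTICE", "TOPIC", "NICK", "QUIT", "PART", "AWAY"}


def parse_irc_line(line):
    """Split one raw IRC line into (prefix, command, params, trailing)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    command = parts[0].upper() if parts else ""
    return prefix, command, parts[1:], trailing


def check_line(line):
    """Return (command, matched_text) when the trigger appears somewhere a
    client would see it, else None. Intended to run server-side before relay."""
    _, command, params, trailing = parse_irc_line(line)
    if command not in TEXT_COMMANDS:
        return None
    text = trailing
    if command == "NICK" and text is None and params:
        text = params[0]          # "NICK newnick" without a colon is also valid
    if text is None:
        return None
    m = TRIGGER.search(text)
    return (command, m.group(0)) if m else None


def filter_lines(lines):
    """Partition raw lines into (relayed, blocked) lists."""
    relayed, blocked = [], []
    for line in lines:
        (blocked if check_line(line) else relayed).append(line)
    return relayed, blocked
```

Run it over constructed lines such as `:op!o@host TOPIC #chan :StopKeyLogger welcome` to see which field would have carried the string to an affected client.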
  • by Anonymous Coward on Thursday March 02, 2006 @09:31PM (#14839712)
    By mimicking the activities of spyware software, you trigger an anti-spyware response from a piece of security software.

    ...and this is news? Must be a slow news day.
  • Re:Impressive (Score:3, Insightful)

    by DeadChobi ( 740395 ) <DeadChobi@gmIIIail.com minus threevowels> on Thursday March 02, 2006 @09:49PM (#14839805)
    I hang out with friends from high school on IRC. MSN and AIM suck for that, because you have to initiate contact. On IRC, all you do is type something, and all your friends see it. If they want to respond, they can. With modern IM's, when you initiate contact it's at the other person's inconvenience. You can leave a copy of XiRCON or mIRC minimized and idle 24/7. If you want to talk to people, just pop it up and you've got a convenient-for-both-parties instant line of communication. This is in contrast to instant messengers, which steal focus and make annoying sounds.
  • by Reverend528 ( 585549 ) on Thursday March 02, 2006 @09:52PM (#14839820) Homepage
    Shouldn't Norton know if the machine is infected and not terminate the connection when the malware isn't present?
  • Security (Score:3, Insightful)

    by typical ( 886006 ) on Thursday March 02, 2006 @09:57PM (#14839849) Journal
    For a company that purports to "improve" your computer's security, Symantec clearly doesn't have much by way of policy on what actions can be taken based on untrusted data.

    This is not the first "personal firewall" product to be attackable, either. BlackICE has had its time up on Slashdot, as well as other packages.

    "Personal firewalls" do little to improve computer security, and do add overhead, complexity, and their own collection of security problems.

    The real fix is to not start servers that you don't trust to be solid listening for traffic from your computer. Microsoft does (irritatingly) have a collection of servers running by default (unless SP2 disabled or blocked access to them -- dunno).

    Worrying about personal firewalls, trying to treat NAT as a "security enhancer", etc...it's all crazy. Just don't open the holes in the computer in the first place and you don't have to worry about it.
  • by saskboy ( 600063 ) on Thursday March 02, 2006 @10:09PM (#14839906) Homepage Journal
    ... Except that Unix-like operating systems aren't immune to many virus attacks too. They just haven't been the focus of attack in any significant way, so the true virus potential isn't known.

    I agree more people should be moving to Linux, but don't tell them they don't have to have a virus scanner.
  • Re:+++ATH (Score:2, Insightful)

    by LouisZepher ( 643097 ) on Thursday March 02, 2006 @10:43PM (#14840090)
    "Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so." - DNA
  • by dotgain ( 630123 ) on Thursday March 02, 2006 @11:28PM (#14840288) Homepage Journal
    Because, and in case this "news" hasn't made it obvious, Symantec is *fucking stupid*. It needs a special place in the hall of shame for being a piece of crap that supposedly keeps you secure, yet opens an attack channel in the process.

    Great work, guys, fucking great.

  • by billcopc ( 196330 ) <vrillco@yahoo.com> on Thursday March 02, 2006 @11:39PM (#14840343) Homepage
    The sad thing about this is Norton users will blame everything but their software. In reality, it's Norton's software that sucks, and has sucked since the dawn of Win95. The last product that still commands respect in my nostalgia is Norton Utilities 8.0 for DOS. Every Windows-based Norton app has been prettified useless crap.

    Hell, I'm using a free antivirus because it gets right to the point. No pretty 3-inch wide tray monitor, no HTMLized interface (that crashes the HTML engine half the time), nothing but virus scanning thank you very much. Firewall ? Comes with Windows, does the job just fine for me. I've got linux for my "important" network in the closet.
  • by Anonymous Coward on Friday March 03, 2006 @12:00AM (#14840419)
    > Every XP user should be running as a non-admin. Norton should be *encouraging* that.

    I agree with the first sentence, but the second doesn't make sense for Norton. If you ran XP as a non-administrator, you wouldn't need their products as much.

  • by QuantumG ( 50515 ) <qg@biodome.org> on Friday March 03, 2006 @12:26AM (#14840515) Homepage Journal
    on machine one:

    nc -l -p 6667

    on machine with NPF or NIS on it:

    telnet machineone 6667

    on machine one:

    startkeylogger

    machine two will now disconnect you from machine one and Norton will block you from connecting to machine one again. You have to go into the AutoBlock tab of the Symantec Client Firewall and remove the ip from the list.
  • by idonthack ( 883680 ) on Friday March 03, 2006 @12:59AM (#14840644)
    Dude... am I a script kiddie because I use the other peoples programs instead of writing everything from scratch, including the BIOS?
    No. But you would be if you bragged about it.
  • by Myria ( 562655 ) on Friday March 03, 2006 @02:32AM (#14840987)
    There actually was a simple workaround for that problem that almost all modems support. The standard command ATS2= sets which ASCII value is your modem escape code: the default value 33 is +.

    However, the value 255 was special: if you do ATS2=255, the +++ escape feature is disabled entirely. In this mode, you hang up by dropping the "terminal ready" bit on the serial port - something that can't be faked like +++. This has the disadvantage that you can't switch to command mode without hanging up, but that feature was rarely used (especially because data sent by the other side while in command mode gets dropped).

    This feature was frequently used by BBSs to stop this kind of thing from happening (i.e., people doing +++ATH ATDT911).

    Meow,

    Melissa
  • by remmelt ( 837671 ) on Friday March 03, 2006 @05:59AM (#14841493) Homepage
    You're right. But who will fix these people's computers? They come home with a shiny new gadget (iPod? new printer? different mouse?) and they want to plug it in and go! ... but can't, without the CS degree. This is a serious problem. On one hand, these people need to be in a sandbox where nothing can go wrong, I agree. On the other hand, they need to be able to operate a computer, and installing a new peripheral is part of that task.
  • With WoW too (Score:3, Insightful)

    by Moraelin ( 679338 ) on Friday March 03, 2006 @05:59AM (#14841494) Journal
    I don't know if it's the same string (probably not), but Norton was idiotic enough to forbid WoW from accessing the network any more after it detected something in the stream of data that looked like an SQL Server exploit. Or something like that, I don't remember the exact message, since I was busy swearing when that happened. The fact that it was a different program, on a different port, _and_ the direction in which the "exploit" was transmitted was all wrong... well, that didn't stop Norton from helpfully trying to protect me.

    Also it didn't stop there, since thereafter their firewall was automatically configured to forbid access to the WoW client.

    Frankly, by now I'm thinking most of these "security products" are:

    1. unnecessary, if you have some clue, use a firewall, keep your system patched, and have enough brains to read pop-up messages before clicking "yes". None has yet detected a _real_ virus on my computers yet.

    2. about as effective as a condom with a hole in it when you actually need them: they just give you a false sense of security while you're getting screwed. The one time when I did intentionally play with a virus, Norton _didn't_ detect it. (Yes, it was intentional. I actually planned to let a system get virused while I download Sygate Personal Firewall, then reformat and reinstall.)

    Worse yet, there are plenty of viruses which disable them anyway. So if you did get a new virus (e.g., by not obeying point 1) before Symantec updates their signatures, chances are it will disable your antivirus anyway. So basically the only way to be sure you still have protection is... to not get virused in the first place, without its help. Does it sound superfluous yet?

    Worse yet, these "security products" lately have more exploits of their own than Windows has, basically just creating extra opportunities to get pwn3d by a script-kiddie. I know of at least one virus which did already spread through an overflow in a security product.

    3. Perhaps more importantly: good only for slowing the system down and creating annoying false positives.

    E.g., the WoW disconnect described above. (Though it would also fit in the "creating a new exploit" category described above.)

    E.g., I haven't had one yet which didn't pick on some innocent program on account that some bytes in it looked like they _could_ do something that _could_ be dangerous.

    E.g., heck, forget disconnecting from IRC for keylogger commands. At least one was idiotic enough to insist on deleting mIRC (both installed _and_ the installer) off my computer, because they thought IRC was a risk. And yes, you've read that right. Not because of detecting some possible problem in code, not because of knowing of an exploit in that particular mIRC version, etc. Just because of a retarded biased judgment call that mIRC is dangerous, and they wanted to protect me from that. (As a side-note: then why not also delete IE, if they're at deleting programs just because they think they _could_ be dangerous? I dare say it's got a worse track record than mIRC.)

    Etc.

    4. and even more importantly, most are worse than a virus in and by themselves. I don't think a virus or trojan even exists yet that slows down a computer worse than most of these "security solutions." You'd have to get several layers of them before a modest computer starts to crawl the way it does with Norton or McAfee on it.
  • by petard ( 117521 ) * on Friday March 03, 2006 @08:40AM (#14841790) Homepage
    That worked. There was also a simpler work-around known as guard time. Basically, the modem would expect a configurable amount of DTE silence on either side of the escape sequence. This technique was patented by Hayes, who charged a healthy fee for it. So most budget modems suffered from the problem. Zyxel was one of the exceptions... they had some alternative technique that allowed them to avoid licensing the patent but still not suffer from this problem.
  • by drsmithy ( 35869 ) <drsmithy@nOSPAm.gmail.com> on Friday March 03, 2006 @10:41AM (#14842330)
    > The OS can protect the system from stupid users so they can't do anything damaging.

    Which, were it still the 70s and everyone was using dumb terminals off a mainframe, might be something worth considering.

    However, in today's world we have these things called *Personal* Computers that aren't managed by a team of engineers and rarely have more than one user. On PCs, the "system" is the *least* important data on the machine.

    > In Linux and other UNIX-like OS it's trivial to set it up so an ignorant user never can download a random file from the Internet or save an email attachment and then execute it so it infects the computer. Just give the user a home directory which may not contain executable files.

    Which is fine for a managed environment (and is just as possible with Windows). On a home PC without a dedicated sysadmin, it's not even a realistic - let alone practical - solution.

    > In Windows this nearly requires a master's in CS to be able to do.

    If you can figure it out in Linux, you should be able to figure it out in Windows. Unless, of course, you have no interest in doing so.

    > Linux is better for home users and non-computer-literate users since it's easy to become safe from email viruses and web viruses.

    If you've got your own sysadmin to manage and run the system, sure - but the same applies to Windows.

    > If you want security go with a UNIX-like operating system and set it up so ignorant users CAN'T infect the system.

    Or you could just set Windows up likewise. Neither will be terribly useful as a general purpose computer, however.

    > One doesn't need anti-virus programs in Linux since one can use the OS to protect against ignorant users.

    Not while remaining useful as a general purpose computer, you can't.
