Forgot your password?
typodupeerror

Symantec Users, Start Your Keyloggers 313

Posted by CowboyNeal
from the unfurling-the-welcome-mat dept.
An anonymous reader writes "Script kiddies have been taking advantage of intrusion prevention features of Symantec's Norton Firewall and Norton Internet Security Suites to knock users offline in IRC channels, according to an amusing post at Washingtonpost.com. From the article: 'Turns out that if someone types "startkeylogger" or "stopkeylogger" in an IRC channel, anyone on the channel using the affected Norton products will be immediately kicked off without warning. These are commands typically issued by the Spybot worm, which spreads over IRC and peer-to-peer file-swapping networks, installing a program that records and transmits everything the victim types (known as a keylogger).' Makes you wonder what other magic keywords produce unexpected results with Symantec's software."
This discussion has been archived. No new comments can be posted.

Symantec Users, Start Your Keyloggers

Comments Filter:
  • +++ATH (Score:5, Funny)

    by petard (117521) * on Thursday March 02, 2006 @08:02PM (#14839548) Homepage
    People just don't learn very well from past mistakes...
    • Re:+++ATH (Score:2, Insightful)

      by LouisZepher (643097)
      "Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so." - DNA
    • Bitcom too (Score:5, Funny)

      by Reziac (43301) * on Thursday March 02, 2006 @10:30PM (#14840296) Homepage Journal
      Remember the old Bitcom for DOS? if you were reading messages on a BBS, and if in one of those messages you encountered the phrase "NO CARRIER", Bitcom would helpfully hang up the modem!

    • Re:+++ATH (Score:5, Informative)

      by Ungrounded Lightning (62228) on Thursday March 02, 2006 @10:58PM (#14840411) Journal
      There was also the "ANSI Standard Back Door".

      Some of the early not-too-smart (pre-computer-running-the-show) terminals - notably the "Ann Arbor Terminals" terminal, the DEC VT105, and anything following the ANSI standard for terminal operation which was based on them - had several "soft keys".
        - These could be configured to send any desired sequence of up to maybe 128 or so characters when hit.
        - They were configured by an escape sequence.
        - The escape sequence could be delivered from the far end of the link. (Typically was, by a program setting up the softkey.)
        - The escape sequence setting the key would not produce any visual indication on the screen that this was being done (so as not to corrupt the screen).
        - The key could also be "struck" by another escape sequence, also deliverable from the remote end.
        - Some talk/chat features (think "stone-age instant messaging") did NOT filter out escape sequences in inter-user messages.

      What this meant was that a user (especially one running an early terminal emulator on an early home computer - like an Apple ][) could compose a message to another user that would reprogram one of his softkeys to send anything the malicious user wanted and "hit" it remotely. The time-sharing machine in the middle would interpret the command as if it came from the victim. (This was especially handy if the victim happened to be logged in as the equivalent of a superuser at the time.)

      If the message was a multiple command to disable keysroke echoing at the start and reenable it at the end it might not show up at all. (Or screen control stuff could be included to blank out the echoed command before it could be noticed.)

      There were revs to the terminals to disable this. But installing them made the terminal no longer standards compliant. B-)
    • its ATH0+++, I believe.

      in fact if anyone on a vulnerable modem loads this page it will disconnect them as soon as the modem sees that text. :)

      I did this on an IRC server once. There were loads of people in a room discussing politics, and it got very heated and furious. Having never tried the ATH command before, I figured then was the perfect time. about 4/5 of the room suddenly went silent, and a few seconds later they had timed out.

      I got a good laugh. I'm sure it still works.
    • by Myria (562655) on Friday March 03, 2006 @01:32AM (#14840987)
      There actually was a simple workaround for that problem that almost all modems support. The standard command ATS2= sets which ASCII value is your modem escape code: the default value 33 is +.

      However, the value 255 was special: if you do ATS2=255, the +++ escape feature is disabled entirely. In this mode, you hang up by dropping the "terminal ready" bit on the serial port - something that can't be faked like +++. This has the disadvantage that you can't switch to command mode without hanging up, but that feature was rarely used (especially because data sent by the other side while in command mode gets dropped).

      This feature was frequently used by BBSs to stop this kind of thing from happening (IE, people doing +++ATH ATDT911).

      Meow,

      Melissa
      • That worked. There was also a simpler work-around known as guard time. Basically, the modem would expect a counfigurable amount of DTE silence on either side of the escape sequence. This technique was patented by Hayes, who charged a healthy fee for it. So most budget modems suffered from the problem. Zyxel was one of the exceptions... they had some alternative technique that allowed them to avoid licensing the patent but still not suffer from this problem.
  • by techno-vampire (666512) on Thursday March 02, 2006 @08:05PM (#14839561) Homepage
    This is a very elegant trick; using the victim's anti-virus software as the tool to kick them off the net. Not only that, but you can do this to any number of people who happen to be on that channel and use the affected product. Now, if we could only get the skript kiddies to put their minds to something productive...
    • by TCQuad (537187) on Thursday March 02, 2006 @08:14PM (#14839619)
      Now, if we could only get the skript kiddies to put their minds to something productive...

      Since IRC is mostly a time-killer, wouldn't something that knocks people off of it be considered productive?
    • by NitsujTPU (19263) on Thursday March 02, 2006 @08:29PM (#14839703)
      Dude... what are you talking about? Script kiddies are called script kiddies because they steal other people's ideas. They aren't actually coming up with anything.

      It wasn't a script kiddie who figured out that this works, it was a "hacker" (or a "cracker").

      It's not like some kid spent hours figuring this out. These kids were told by someone who figured it out, who would not be referred to as a script kiddie.
      • "Script kiddie" has become a moral category, not a technical one. It is meant to express disdain, because people are uncomfortable with the idea that someone could be both clever and unethical.
        • I don't know if it's that. I think that people want to act like they have "skillz" and so bandy the term about as if they knew what it meant :-P

          Perhaps you're right.
        • Sorry, I don't think so. Script kiddie is used disdainfully, because they are someone who like doing dameage without having the intelligence to figure it out on their own.
          • The point is that somebody did the heavy lifting and created the exploit. Yet that somebody gets called a "script kiddy," which originally implied someone who used exploits that they wouldn't be skilled enough to produce. The disdain for their relative lack of skills has been changed into a disdain for their lack of ethics, and the term has migrated "upstream" to include the people who could and did, indeed, produce the exploit.
      • Dude... what are you talking about? Script kiddies are called script kiddies because they steal other people's ideas.

        Dude... am I a script kiddie because I use the other peoples programs instead of writing everything from scratch, including the BIOS?
        • Dude... am I a script kiddie because I use the other peoples programs instead of writing everything from scratch, including the BIOS?
          No. But you would be if you bragged about it.
      • by mboverload (657893) on Thursday March 02, 2006 @11:36PM (#14840556) Journal
        With all due respect to people who use Norton,

        Only script kiddies use Norton. Seriously.
    • I tried it in a room of a 130 people....

      Only 2 left :(

      Symatenc producs continue to suck!
  • by xx_toran_xx (936474) on Thursday March 02, 2006 @08:05PM (#14839567)
    startkeylogger -- phonex has quit (Read error: Connection reset by peer) -- TomA has quit (Read error: Connection reset by peer) -- something3280 has quit (Read error: Connection reset by peer
  • by psycho chic (958251) on Thursday March 02, 2006 @08:05PM (#14839568) Journal
    and people pay for that crap?

    thats a really scary concept, that the very programs we rely on to protect our computers are so incredibly insecure that a couple keystrokes can completely disable our protection. you would think that if we are expected to pay a company to protect us, that they would do their best. this day in age, that is NOT the best they can do. Not a chance.

    • by Eightyford (893696) on Thursday March 02, 2006 @08:09PM (#14839590) Homepage
      And now Microsoft is selling Antivirus software. Antivirus software to secure their unsecure operating system. I think this type of thing will ultimately force companies to switch back to Unix-like operating systems.
      • ... Exepct that Unix like operating systems aren't immune to many virus attacks too. They just haven't been the focus of attack in any significant way, so the true virus potential isn't know.

        I agree more people should be moving to Linux, but don't tell them they don't have to have a virus scanner.
        • True enough. I just think that a virus scanner should be a part of the operating system.
        • by Mistshadow2k4 (748958) on Friday March 03, 2006 @01:09AM (#14840902) Journal

          "Exepct that Unix like operating systems aren't immune to many virus attacks too. They just haven't been the focus of attack in any significant way, so the true virus potential isn't know."

          You seem to think *nix OSes are a lot less popular then they are. You do know that Unix was the most popular server OS until this year, right? You do know that when combined with Linux and BSD, the *nix OSes still outnumber Windows servers, don't you? And surely you've heard that Unix has been around about 35 years, haven't you? So.... where are all the Unix viruses? There should be a million of them at least but there aren't. There have been only 13 Unix viruses in computing history. Maybe it has something to do with the fact that it has always been desinged to be secure from the start.

      • Antivirus software to secure their unsecure operating system.

        No, Antivirus software to protect ignorant users.

        OS security can't protect users from deliberately running malicious code, which is why AV software is necessary for some people.

    • by macklin01 (760841) on Thursday March 02, 2006 @08:11PM (#14839600) Homepage

      thats a really scary concept, that the very programs we rely on to protect our computers are so incredibly insecure that a couple keystrokes can completely disable our protection. you would think that if we are expected to pay a company to protect us, that they would do their best. this day in age, that is NOT the best they can do. Not a chance.

      From what I understood, the keystrokes weren't disabling the protection, but rather activating it, i.e., shutting down the chat session to prevent it from triggering malware. - Paul

    • and people pay for that crap?

      thats a really scary concept, that the very programs we rely on to protect our computers are so incredibly insecure that a couple keystrokes can completely disable our protection.
      - well, maybe you should read the article then (if it didn't become obvious to you right away) and see that this IS the protection. Nothing is disabled, Norton sees these commands in the channel and decides to shutdown the connection (supposedely to prevent your computer from being infected.)

      It doesn'
  • by kindbud (90044) on Thursday March 02, 2006 @08:06PM (#14839572) Homepage
    If I am dueling with a leet player on WoW, will this work to kick him off the game? Would I be able to gank him before the server times him out?
    • So, a lot of people have been making the "Connection reset by peer" joke.

      The reason I chose to respond to your post, is cause I just did a /whois peer on EFnet. Here's the result
      peer is peer@195.180.11.197 * i reset you all !!
      peer using irc.inet.tele.dk Better than WoW
      peer End of /WHOIS list.
      So I guess IRC > WoW
    • Obligatory Deus Ex...
    • No, it only works if the message came from a connection to an irc port (presumably only 6667).
      • Re:MMORPG affected? (Score:2, Interesting)

        by xlordtyrantx (958605)
        So what if you were to create a program that mimicks traffic as though it were an IRC program? if you were to run that command through the port, what do you think will happen? I dont have symantec, so i cant test it
    • Yep, I've been hit before by the exact same scenario you describe, although probably with a different string.

      So I'm playing WoW happily and suddenly I'm completely lagged (you know, those time-bubbles where you can run around, but not cast spells or receive any update from the server) and then disconnected. Better yet, when I try to reconnect, I can't.

      Turns out that something in that stream of binary data between the WoW server and the WoW client looked to Norton suspiciously like some old SQL Server exploi
  • So bad? (Score:4, Funny)

    by mugnyte (203225) on Thursday March 02, 2006 @08:06PM (#14839575) Journal

      While yes a bug, most of my experience on IRC would point towards a benefit if anyone could boot anyone else. The benefit is to those booted, to be clear.
  • No surprise here... (Score:4, Informative)

    by Radi-0-head (261712) on Thursday March 02, 2006 @08:07PM (#14839583)
    Anyone who uses Symantec software with the expectation that it will actually protect them from anything deserves whatever they get.

    I deal with hundredes of machines monthly, and it's always the NIS/Norton Antivirus machines that have been completely compromised without Norton making a peep.

    US companies suck at malware detection. I've found the eastern European companies to be among the best.
    • US companies suck at malware detection. I've found the eastern European companies to be among the best.
      Eastern European companies...

      You mean... companies in the former Soviet BLOC?

      Because we all know, that in Soviet Russia, malware detects you!
    • McAfee is no wonder of the western world, either.

      Back in the days of yore, when DOS machines roamed the earth, the vast majority of really creative viruses came from eastern Europe (one reason I heard for this was that these viruses were targeted at disabling the remains of their Soviet overlords). So it makes sense that people living at Virus Ground Zero would develop frontline expertise at protecting themselves from said viruses.

      Tho one does have to wonder how many eastern European virus-writing kiddies g
    • by caudron (466327) on Friday March 03, 2006 @07:53AM (#14841825) Homepage
      US companies suck at malware detection. I've found the eastern European companies to be among the best.

      Sure, the author is always gonna best know how to uninstall his app.
  • Connection reset by peer.
  • Um. (Score:3, Interesting)

    by daeg (828071) on Thursday March 02, 2006 @08:11PM (#14839601)
    I hate Norton products. They are incredibly bloated, offer no technical documentation, and literally take over a system once installed. Have you ever tried to uninstall a Norton product? They are as bad as the viruses, worms, and trojans they claim to protect against.
    • yes, i have. though i don't have much experience beyond their corperate antivirus which hasn't caused any problems installing or uninstalling. they do offer a utility called SymNRT that can help most people.
    • Since, in order to fight the malware, they have to operate at the same ring level it does.
  • by GAATTC (870216) on Thursday March 02, 2006 @08:12PM (#14839602)
    I have Symantec's Norton Firewall and when I type startkeylogge
  • Reminds me of a bash.org quote (can't find it atm) that looked like someone was disconnected by an obsene language filter every time someone in the channel swore.
    "Wait so everytime someone says **** he gets disconnected?"
    "Quit ..."
    "Join ..."
    etc...
  • by The MAZZTer (911996) <.megazzt. .at. .gmail.com.> on Thursday March 02, 2006 @08:15PM (#14839633) Homepage
    It doesn't have to be spoken text. If an incoming packet is caught by norton firewall with a keyword in it, the connection is closed reguardless of where it is.

    Which means you can change your nick to one of the words.

    Or even more devlishly, put it in your ident where noone will notice it. Your speech will be so powerful it will knock people off the internet. Or is it your breath...

    PS: Another keyword that works is "stopspy", which is more useful for idents. I don't normally take advantage of stuff like this but it's too good to pass up.

    To redeem myself, I will mention that you can work around this by turning off some filter called "Spybot keylogger" or something under advanced options.
    • PS: Another keyword that works is "stopspy", which is more useful for idents. I don't normally take advantage of stuff like this but it's too good to pass up.
      That's rich.

      I'm getting such a kick out of joining big channels and watching people drop one after the other.

      I feel like such a bastard :O)
      • Note to self: I am a bastard and got banned from an EFnet server.

        Even though I had already cleared the channel of any Norton users, it was funny to watch people joining #xbox and get kick banned for trying startkeylogger & stopkeylogger.
    • Or even more devlishly, put it in your ident where noone will notice it

      Writing out a line in IRC only transmits your nick and the line itself to users in the channel. So putting 'stopspy' as your email address or as your uname won't work unless someone whoises you or does a /list on the channel. But perhaps some IRC clients will automatically /whois all users in a channel when you join -- but it's not part of IRC's underlying behavior.
  • by Spiffness (941077)
    Stupid slashdot! Great, now its public. I've had so much fun the last 2 weeks joining channels like 'teenlink69' and 'cyberz' on big networks and using the command.

    Its good times watching 10-15 people drop at a time in the huge channels.

    But now the fun will quickly disapear, thanks to slashdot. DOH!
  • Yep, that's that (Score:2, Informative)

    by WWWWolf (2428)

    I saw this happening on #wikipedia a day or three ago. Someone with user/hostname like startkeylogger@....gnauk.co.uk showed up, and bang, a Norton user dropped off line.

    I really couldn't believe any people would implement this sort of silliness in firewall/antivirus in this day and age. This was a "feature" of some censorware packages a few years back, I really hoped the folks would have wisened up. It's silly if you try to censor stuff, it's twice as silly if it goes under the guise of computer security

  • by cojsl (694820) on Thursday March 02, 2006 @08:36PM (#14839744) Homepage
    I get "Message blocked: Exploiting Norton bug" on my favorite channel if I type in either command
  • Try to join #2600 on irc.2600.net before reading this article. Shit, probably too late.
  • Reminds me of another one of Symantec's annoying habits. If the echoj string is anywhere in a file trying to be access Norton considers that file "infected". Symantec doesn't seem to have very good detection algorithms, they search for string literals and that's it? Hmm..
  • Hehe (Score:2, Funny)

    I never thought I would intentionally go into a room full of Windows users on IRC, but I'm soooo all over this
  • Security (Score:3, Insightful)

    by typical (886006) on Thursday March 02, 2006 @08:57PM (#14839849) Journal
    For a company that purports to "improve" your computer's security, Symantec clearly doesn't have much by way of policy on what actions can be taken based on untrusted data.

    This is not the first "personal firewall" product to be attackable, either. BlackICE has had its time up on Slashdot, as well as other packages.

    "Personal firewalls" do little to improve computer security, and do add overhead, complexity, and their own collection of security problems.

    The real fix is to not start servers that you don't trust to be solid listening for traffic from your computer. Microsoft does (irritatingly) have a collection of servers running by default (unless SP2 disabled or blocked access to them -- dunno).

    Worrying about personal firewalls, trying to treat NAT as a "security enhancer", etc...it's all crazy. Just don't open the holes in the computer in the first place and you don't have to worry about it.
  • Ugh, I had to turn off my Norton firewall & antivirus to be able to read Slashdot...
    Some mean editor decided to place the trigger words in the article text!!!

    ( lol )
  • (kernelpanicked) startkeylogger

    [quux(n=bryan@pdpc/supporter/sustaining/quuxo)] please don't do it again

    (kernelpanicked) no problem, startkeylogger

    *tear* It's like christmas for UNIX geeks has come early
  • *** (G) Banned from AustNet: This address has been used for deliberately try to disconnect others. (CET0603030304).

    Frak.

    In summary, be careful with this.
  • Did we forget... (Score:2, Interesting)

    by Wrathernaut (939667)
    A couple of things of note I haven't seen addressed:

    Why not just remove the text from incoming packets, leaving the rest intact?
    If the purpose of your software is to keep malware off the computer, why the **** do you need this feature in the first place?

    Programming may be tough to learn, but common sense appears to be impossible.
    • by dotgain (630123)
      Because, and in case this "news" hasn't made it obvious, Symantec is *fucking stupid*. It needs a special place in the hall of shame for being a piece of crap that supposedly keeps you secure, yet opens an attack channel in the process.

      Great work, guys, fucking great.

  • When I was bored on IRC sometimes I used to visit a random, well populated channel I would simply type

    "Press ALT-F4 now to gain instant access to my ratio free, unlimited download porn fserve"

    And then sit back and watch the amount of nicks reduce by less than half.
  • by Blymie (231220) * on Thursday March 02, 2006 @10:09PM (#14840214)

    Why?

    Because you have to run Norton as the administrator, if you want updates. You *used* to be able to get around this, by installing Norton as an admin, then setting up a cron (scheduled tasks :P ) to do the updates. However, Norton actually *disabled* the ability to do this in its latest versions. For the last year or so, you MUST run Norton as the administrator to get updates. Put another way, you have to log in once a day as administrator, or you never receive virus updates.

    Lame? Yes, it is. Their techincal support staff find nothing odd about this, and their sales staff try to sell you an inordinately expensive "professional" product which does allow you to run as a normal user, and have updates occur without logging in as admin every 5 minutes. This is just sad. Every XP user should be running as a non-admin. Norton should be *encouraging* that.

    I thought these people were trying to *help* security? The last thing I want anyone to do, is run as administrator on an XP box. Sure, you don't get the same level of security that you do under Linux, when one runs as a normal user, but it's still *very preferable* to run as a non-admin user for your day to day tasks, under XP.

    There are so many "business" class products that don't understand such a simple concept. I've seen income tax software that must be run as the admin user under XP. Anti-virus software though??! That's just absurd.
  • Back in the day, one of the worms was causing my ISP's Wireless network no end of trouble. While our wirless at the time had plenty of download bandwidth, upload bandwidth is always at a premium. Our solution was to simply immediately terminate the active connection whenever the text string was seen in a packet. It worked smashing, we had a log of whomever was infected, their upload bandwidth was curtailed, and in general it kept our network running yet another day.

    The catch, of course, was it worked TOO
  • by billcopc (196330)
    The sad thing about this is Norton users will blame everything but their software. In reality, it's Norton's software that sucks, and has sucked since the dawn of Win95. The last product that still commands respect in my nostalgia is Norton Utilities 8.0 for DOS. Every Windows-based Norton app has been prettyfied useless crap.

    Hell, I'm using a free antivirus because it gets right to the point. No pretty 3-inch wide tray monitor, no HTMLized interface (that crashes the HTML engine half the time), nothing
  • I tried this on a largish (~200 clients) irc channel on EFNet. Nobody dropped off the network. Are they all patched or have all of them removed Norton from their system?

    strike
  • by SeaFox (739806) on Friday March 03, 2006 @01:26AM (#14840965)
    This side effect of Norton's attempt to protect the user, or that Symantec thinks this is the best way to protect the user.

    I mean, if Norton is aware of a keylogger worm on IRC, wouldn't it make more sense to have Norton Internet Security kill the keylogger process or block the data the keylogger tries to send out? It is a firewall after all. Or, for Norton Antivirus to identify the keylogger and remove it as part of removing the worm. Would it not be part of the worm, and therefore something Norton is supposed to be removing, as part of the program's specified function?

    If stopping access to a service is how one should protect themselves from threats on it, maybe Norton should just block all TCP/IP traffic to prevent viruses, worms, and identity theft.

    Good thing the keylogger trigger wasn't "hello everyone".

"Those who will be able to conquer software will be able to conquer the world." -- Tadahiro Sekimoto, president, NEC Corp.

Working...