Symantec Users, Start Your Keyloggers
An anonymous reader writes "Script kiddies have been taking advantage of intrusion prevention features of Symantec's Norton Firewall and Norton Internet Security Suites to knock users offline in IRC channels, according to an amusing post at Washingtonpost.com. From the article: 'Turns out that if someone types "startkeylogger" or "stopkeylogger" in an IRC channel, anyone on the channel using the affected Norton products will be immediately kicked off without warning. These are commands typically issued by the Spybot worm, which spreads over IRC and peer-to-peer file-swapping networks, installing a program that records and transmits everything the victim types (known as a keylogger).' Makes you wonder what other magic keywords produce unexpected results with Symantec's software."
+++ATH (Score:5, Funny)
Re:+++ATH (Score:2, Insightful)
Bitcom too (Score:5, Funny)
Re:+++ATH (Score:5, Informative)
Some of the early not-too-smart (pre-computer-running-the-show) terminals - notably the "Ann Arbor Terminals" terminal, the DEC VT105, and anything following the ANSI standard for terminal operation which was based on them - had several "soft keys".
- These could be configured to send any desired sequence of up to maybe 128 or so characters when hit.
- They were configured by an escape sequence.
- The escape sequence could be delivered from the far end of the link. (Typically was, by a program setting up the softkey.)
- The escape sequence setting the key would not produce any visual indication on the screen that this was being done (so as not to corrupt the screen).
- The key could also be "struck" by another escape sequence, also deliverable from the remote end.
- Some talk/chat features (think "stone-age instant messaging") did NOT filter out escape sequences in inter-user messages.
What this meant was that a user (especially one running an early terminal emulator on an early home computer - like an Apple ][) could compose a message to another user that would reprogram one of his softkeys to send anything the malicious user wanted and "hit" it remotely. The time-sharing machine in the middle would interpret the command as if it came from the victim. (This was especially handy if the victim happened to be logged in as the equivalent of a superuser at the time.)
If the message was a multiple command to disable keystroke echoing at the start and re-enable it at the end, it might not show up at all. (Or screen control stuff could be included to blank out the echoed command before it could be noticed.)
There were revs to the terminals to disable this. But installing them made the terminal no longer standards compliant. B-)
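The missing piece the comment above points at is the chat feature filtering escape sequences out of inter-user messages. This is an added example, not code from the poster or from any of the terminals named: a sanitiser that removes ESC-introduced sequences (CSI, and the DCS/OSC-style strings that soft-key programming travels in) before a message is written to the recipient's terminal. The sequence grammar assumed is ECMA-48/ANSI X3.64, and an unterminated string drops the rest of the message rather than leaking it.

```python
# Filter for inter-user "talk" messages: removes terminal escape sequences so a message
# cannot reprogram or remotely "strike" a soft key on the recipient's terminal.
# Added example; the sequence grammar follows ECMA-48 (ANSI X3.64), not any one terminal's manual.
ESC, BEL = "\x1b", "\x07"

# 8-bit C1 introducers that some terminals accept; normalise them to their 7-bit ESC forms
# so one parser handles both. (Constructed mapping covering the four that matter here.)
_C1_TO_7BIT = {"\x9b": ESC + "[", "\x90": ESC + "P", "\x9d": ESC + "]", "\x9c": ESC + "\\"}

def strip_escape_sequences(text):
    """Return text with every ESC-introduced sequence removed.

    Printable characters, TAB, LF and CR are kept; other C0/C1 controls are dropped.
    An unterminated string sequence swallows the rest of the message, the safe direction.
    """
    for c1, seven_bit in _C1_TO_7BIT.items():
        text = text.replace(c1, seven_bit)
    out = []
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch != ESC:
            if (" " <= ch < "\x7f") or ch > "\x9f" or ch in "\t\n\r":
                out.append(ch)
            i += 1
            continue
        i += 1                      # step past ESC
        if i >= n:
            break                   # lone ESC at end of message
        kind = text[i]
        if kind == "[":
            # CSI: parameter/intermediate bytes 0x20-0x3F, then one final byte 0x40-0x7E
            i += 1
            while i < n and " " <= text[i] <= "?":
                i += 1
            i += 1                  # skip the final byte
        elif kind in "P]^_X":
            # DCS/OSC/PM/APC/SOS: a string terminated by ST (ESC \), or BEL for OSC.
            # Soft-key (re)programming on the terminals discussed travels in strings like these.
            i += 1
            while i < n:
                if text[i] == ESC and i + 1 < n and text[i + 1] == "\\":
                    i += 2
                    break
                if kind == "]" and text[i] == BEL:
                    i += 1
                    break
                i += 1
        else:
            # other escapes (ESC 7, ESC ( B, ...): intermediates 0x20-0x2F, then one final byte
            while i < n and " " <= text[i] <= "/":
                i += 1
            i += 1
    return "".join(out)

def contains_escape_sequence(text):
    """True if filtering would change the message; useful for logging or rejecting it outright."""
    return strip_escape_sequences(text) != text
```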
Re:+++ATH (Score:4, Informative)
Re:+++ATH (Score:2)
In fact, if anyone on a vulnerable modem loads this page it will disconnect them as soon as the modem sees that text.
I did this on an IRC server once. There were loads of people in a room discussing politics, and it got very heated and furious. Having never tried the ATH command before, I figured then was the perfect time. About 4/5 of the room suddenly went silent, and a few seconds later they had timed out.
I got a good laugh. I'm sure it still works.
Workaround for that dumb +++ problem (Score:5, Insightful)
However, the value 255 was special: if you do ATS2=255, the +++ escape feature is disabled entirely. In this mode, you hang up by dropping the "terminal ready" bit on the serial port - something that can't be faked like +++. This has the disadvantage that you can't switch to command mode without hanging up, but that feature was rarely used (especially because data sent by the other side while in command mode gets dropped).
This feature was frequently used by BBSs to stop this kind of thing from happening (i.e., people doing +++ATH ATDT911).
Meow,
Melissa
Re:Workaround for that dumb +++ problem (Score:3, Insightful)
One thing for sure. (Score:5, Insightful)
But they just did... (Score:4, Funny)
Since IRC is mostly a time-killer, wouldn't something that knocks people off of it be considered productive?
Re:One thing for sure. (Score:5, Informative)
It wasn't a script kiddie who figured out that this works, it was a "hacker" (or a "cracker").
It's not like some kid spent hours figuring this out. These kids were told by someone who figured it out, who would not be referred to as a script kiddie.
Re:One thing for sure. (Score:2)
Re:One thing for sure. (Score:2)
Perhaps you're right.
Re:One thing for sure. (Score:2)
Re:One thing for sure. (Score:2)
Re:One thing for sure. (Score:2)
Dude... am I a script kiddie because I use the other peoples programs instead of writing everything from scratch, including the BIOS?
Re:One thing for sure. (Score:3, Insightful)
Re:One thing for sure. (Score:5, Funny)
Only script kiddies use Norton. Seriously.
Re:One thing for sure. (Score:2)
Only 2 left
Symantec products continue to suck!
Yep, it works... (Score:5, Funny)
Re:Yep, it works... (Score:2)
hm... no one running Norton security products?
Channel name (Score:3, Interesting)
Re:Yep, it works... (Score:2)
Quits: ****(*****@*****.charter.com (Killed (DeepMpact (that lame exploiot only disconnects *you*))
protection? yeah, right (Score:5, Insightful)
That's a really scary concept, that the very programs we rely on to protect our computers are so incredibly insecure that a couple of keystrokes can completely disable our protection. You would think that if we are expected to pay a company to protect us, they would do their best. This day and age, that is NOT the best they can do. Not a chance.
Re:protection? yeah, right (Score:4, Insightful)
Re:protection? yeah, right (Score:2, Insightful)
I agree more people should be moving to Linux, but don't tell them they don't have to have a virus scanner.
Re:protection? yeah, right (Score:2)
Re:protection? yeah, right (Score:2)
Re:protection? yeah, right (Score:4, Informative)
"Except that Unix-like operating systems aren't immune to many virus attacks too. They just haven't been the focus of attack in any significant way, so the true virus potential isn't known."
You seem to think *nix OSes are a lot less popular than they are. You do know that Unix was the most popular server OS until this year, right? You do know that when combined with Linux and BSD, the *nix OSes still outnumber Windows servers, don't you? And surely you've heard that Unix has been around about 35 years, haven't you? So.... where are all the Unix viruses? There should be a million of them at least, but there aren't. There have been only 13 Unix viruses in computing history. Maybe it has something to do with the fact that it has always been designed to be secure from the start.
Re:protection? yeah, right (Score:2)
No, Antivirus software to protect ignorant users.
OS security can't protect users from deliberately running malicious code, which is why AV software is necessary for some people.
Re:protection? yeah, right (Score:3, Insightful)
Which, were it still the 70s and everyone was using dumb terminals off a mainframe, might be something worth considering.
However, in today's world we have these things called *Personal* Computers that aren't managed by a team of engineers and rarely have more than one user. On PCs, the "system" is the *least* important data on the machine.
In Linux and other UNIX-like OSes it's trivial to set it up so an ignorant user never
Re:protection? yeah, right (Score:5, Informative)
That's a really scary concept, that the very programs we rely on to protect our computers are so incredibly insecure that a couple of keystrokes can completely disable our protection. You would think that if we are expected to pay a company to protect us, they would do their best. This day and age, that is NOT the best they can do. Not a chance.
From what I understood, the keystrokes weren't disabling the protection, but rather activating it, i.e., shutting down the chat session to prevent it from triggering malware. - Paul
Re:protection? yeah, right (Score:2)
That's a really scary concept, that the very programs we rely on to protect our computers are so incredibly insecure that a couple of keystrokes can completely disable our protection. - Well, maybe you should read the article then (if it didn't become obvious to you right away) and see that this IS the protection. Nothing is disabled; Norton sees these commands in the channel and decides to shut down the connection (supposedly to prevent your computer from being infected).
It doesn'
Re:You are mistaken (Score:3, Insightful)
MMORPG affected? (Score:5, Funny)
Re:MMORPG affected? (Score:2)
The reason I chose to respond to your post, is cause I just did a
Laputan Machine. (Score:2)
Re:MMORPG affected? (Score:2)
Re:MMORPG affected? (Score:2, Interesting)
Re:MMORPG affected? (Score:4, Insightful)
nc -l -p 6667
on machine with NPF or NIS on it:
telnet machineone 6667
on machine one:
startkeylogger
machine two will now disconnect you from machine one and Norton will block you from connecting to machine one again. You have to go into the AutoBlock tab of the Symantec Client Firewall and remove the ip from the list.
Yes, I've had something similar before (Score:3, Funny)
So I'm playing WoW happily and suddenly I'm completely lagged (you know, those time-bubbles where you can run around, but not cast spells or receive any update from the server) and then disconnected. Better yet, when I try to reconnect, I can't.
Turns out that something in that stream of binary data between the WoW server and the WoW client looked to Norton suspiciously like some old SQL Server exploi
So bad? (Score:4, Funny)
While yes a bug, most of my experience on IRC would point towards a benefit if anyone could boot anyone else. The benefit is to those booted, to be clear.
Re:So bad? (Score:2)
Re:So bad? (Score:2)
Re:So bad? (Score:2)
And they are automatically saved.
And on and on.
No surprise here... (Score:4, Informative)
I deal with hundreds of machines monthly, and it's always the NIS/Norton Antivirus machines that have been completely compromised without Norton making a peep.
US companies suck at malware detection. I've found the eastern European companies to be among the best.
Re:No surprise here... (Score:2, Redundant)
You mean... companies in the former Soviet BLOC?
Because we all know, that in Soviet Russia, malware detects you!
Re:No surprise here... (Score:2)
Back in the days of yore, when DOS machines roamed the earth, the vast majority of really creative viruses came from eastern Europe (one reason I heard for this was that these viruses were targeted at disabling the remains of their Soviet overlords). So it makes sense that people living at Virus Ground Zero would develop frontline expertise at protecting themselves from said viruses.
Though one does have to wonder how many eastern European virus-writing kiddies g
Re:No surprise here... (Score:4, Funny)
Sure, the author is always gonna best know how to uninstall his app.
Only one thing to say about that... (Score:2)
Um. (Score:3, Interesting)
Re:Um. (Score:2)
They sort of have to be (Score:2)
Doesn't affect me (Score:5, Funny)
Bash.org (Score:2)
"Wait so every time someone says **** he gets disconnected?"
"Quit
"Join
etc...
Re:Bash.org (Score:3, Informative)
Fun keyword filtering.
Re:Bash.org (Score:2)
Best Part of This + Fix for Problem (Score:4, Informative)
Which means you can change your nick to one of the words.
Or even more devilishly, put it in your ident where no one will notice it. Your speech will be so powerful it will knock people off the internet. Or is it your breath...
PS: Another keyword that works is "stopspy", which is more useful for idents. I don't normally take advantage of stuff like this but it's too good to pass up.
To redeem myself, I will mention that you can work around this by turning off some filter called "Spybot keylogger" or something under advanced options.
Re:Best Part of This + Fix for Problem (Score:2)
I'm getting such a kick out of joining big channels and watching people drop one after the other.
I feel like such a bastard
Re:Best Part of This + Fix for Problem (Score:3)
Even though I had already cleared the channel of any Norton users, it was funny to watch people joining #xbox and get kick banned for trying startkeylogger & stopkeylogger.
Re:Best Part of This + Fix for Problem (Score:2)
Writing out a line in IRC only transmits your nick and the line itself to users in the channel. So putting 'stopspy' as your email address or as your uname won't work unless someone whoises you or does a
Re:Best Part of This + Fix for Problem (Score:2)
Thanks a lot! (Score:2, Funny)
It's good times watching 10-15 people drop at a time in the huge channels.
But now the fun will quickly disappear, thanks to Slashdot. DOH!
Yep, that's that (Score:2, Informative)
I saw this happening on #wikipedia a day or three ago. Someone with user/hostname like startkeylogger@....gnauk.co.uk showed up, and bang, a Norton user dropped off line.
I really couldn't believe any people would implement this sort of silliness in firewall/antivirus software in this day and age. This was a "feature" of some censorware packages a few years back; I really hoped the folks would have wised up. It's silly if you try to censor stuff, and it's twice as silly if it goes under the guise of computer security.
Some servers filter these already (Score:3, Informative)
Re:Some servers filter these already (Score:2)
This is why 2600 is awesome (Score:2, Interesting)
echo j (Score:2)
Re:echo j (Score:2)
Hehe (Score:2, Funny)
Security (Score:3, Insightful)
This is not the first "personal firewall" product to be attackable, either. BlackICE has had its time up on Slashdot, as well as other packages.
"Personal firewalls" do little to improve computer security, and do add overhead, complexity, and their own collection of security problems.
The real fix is to not start servers that you don't trust to be solid listening for traffic from your computer. Microsoft does (irritatingly) have a collection of servers running by default (unless SP2 disabled or blocked access to them -- dunno).
Worrying about personal firewalls, trying to treat NAT as a "security enhancer", etc...it's all crazy. Just don't open the holes in the computer in the first place and you don't have to worry about it.
I was wondering why I couldn't see Slashdot.... (Score:2)
Some mean editor decided to place the trigger words in the article text!!!
( lol )
IRC just got so much better (Score:2, Funny)
[quux(n=bryan@pdpc/supporter/sustaining/quuxo)] please don't do it again
(kernelpanicked) no problem, startkeylogger
*tear* It's like christmas for UNIX geeks has come early
Not only does it work... (Score:2, Informative)
Frak.
In summary, be careful with this.
And now, ladies and gentlemen... (Score:5, Funny)
<n00b>startkeylogger
* n00b has Quit IRC (G-Lined - Banned from AustNet: This address has been used for deliberately try to disconnect others)
<user1>ROFLMAO!
<user2>Dude, stop doing that
<user1>Don't worry, he won't do it again
<user2>LOL!
Re:Not only does it work... (Score:2)
Apparently if you try and prank #melbourne they get kinda pissed off about this
I sent a polite email to help@austnet.org apologising but I don't expect to be let back in.
Ah well.
Did we forget... (Score:2, Interesting)
Why not just remove the text from incoming packets, leaving the rest intact?
If the purpose of your software is to keep malware off the computer, why the **** do you need this feature in the first place?
Programming may be tough to learn, but common sense appears to be impossible.
Re:Did we forget... (Score:2, Insightful)
Great work, guys, fucking great.
Reminds me of another IRC trick to have fun with.. (Score:2, Funny)
"Press ALT-F4 now to gain instant access to my ratio free, unlimited download porn fserve"
And then sit back and watch the amount of nicks reduce by less than half.
norton has got to be the least secure virus produc (Score:5, Informative)
Why?
Because you have to run Norton as the administrator, if you want updates. You *used* to be able to get around this, by installing Norton as an admin, then setting up a cron (scheduled tasks
Lame? Yes, it is. Their technical support staff find nothing odd about this, and their sales staff try to sell you an inordinately expensive "professional" product which does allow you to run as a normal user, and have updates occur without logging in as admin every 5 minutes. This is just sad. Every XP user should be running as a non-admin. Norton should be *encouraging* that.
I thought these people were trying to *help* security? The last thing I want anyone to do, is run as administrator on an XP box. Sure, you don't get the same level of security that you do under Linux, when one runs as a normal user, but it's still *very preferable* to run as a non-admin user for your day to day tasks, under XP.
There are so many "business" class products that don't understand such a simple concept. I've seen income tax software that must be run as the admin user under XP. Anti-virus software though??! That's just absurd.
We did this too. (Score:2)
The catch, of course, was it worked TOO
Lost in translation (Score:2, Insightful)
Hell, I'm using a free antivirus because it gets right to the point. No pretty 3-inch wide tray monitor, no HTMLized interface (that crashes the HTML engine half the time), nothing
I tried it (Score:2)
strike
I can't decide what's more interesting... (Score:3, Interesting)
I mean, if Norton is aware of a keylogger worm on IRC, wouldn't it make more sense to have Norton Internet Security kill the keylogger process or block the data the keylogger tries to send out? It is a firewall after all. Or, for Norton Antivirus to identify the keylogger and remove it as part of removing the worm. Would it not be part of the worm, and therefore something Norton is supposed to be removing, as part of the program's specified function?
If stopping access to a service is how one should protect themselves from threats on it, maybe Norton should just block all TCP/IP traffic to prevent viruses, worms, and identity theft.
Good thing the keylogger trigger wasn't "hello everyone".
Re:Impressive (Score:3, Funny)
Re:Impressive (Score:2)
Re:Impressive (Score:3, Insightful)
Re:Impressive (Score:2)
IM = one to one
IRC = one to many
(Disclaimer: Yes, I know MSN et al can do multiperson chats, but IRC is much, much better at it, with fine-tuned controls and access levels.)
Re:Impressive (Score:3, Informative)
thats just for starters
Re:time for a nick change (Score:3, Insightful)
I've confirmed on my network that the following will kick some serious ass:
- simply saying it in a channel
- adding it to the beginning of a topic (meaning if a user simply does a
- changing your name to it
- Quit messages
It may also cause issues in PMs and notices, but I have yet to confirm that.
We ended up just adding text filters for any spot where the text can occur, something like this (since we're on UnrealIRC):
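An added example of what such a filter has to cover, written here for illustration and not the poster's UnrealIRCd configuration: a small Python parser that checks every place the comment lists (channel text, topic, nick, quit message) plus the user@host prefix the thread also mentions, and a `should_drop` policy a server could apply before relaying. The trigger list is the three strings named in this thread, and the sample lines are constructed.

```python
import re

# Trigger strings named in this thread (constructed list for the example, not a Symantec signature set).
TRIGGERS = ("startkeylogger", "stopkeylogger", "stopspy")

# Commands whose text is relayed to other clients, i.e. the places the comment lists.
CHECKED_COMMANDS = {"PRIVMSG", "NOTICE", "TOPIC", "NICK", "QUIT", "PART", "KICK", "AWAY"}

# :nick!user@host prefix of a server-relayed line; user and host are optional.
_PREFIX_RE = re.compile(r"^:(?P<nick>[^!\s]+)(?:!(?P<user>[^@\s]+))?(?:@(?P<host>\S+))?$")

def parse_irc_line(line):
    """Split a raw IRC line into (prefix dict, COMMAND, params), RFC 1459 style; constructed parser."""
    line = line.rstrip("\r\n")
    prefix = {}
    if line.startswith(":"):
        head, _, line = line.partition(" ")
        m = _PREFIX_RE.match(head)
        if m:
            prefix = {k: v for k, v in m.groupdict().items() if v}
    rest, sep, trailing = line.partition(" :")
    words = rest.split()
    command = words[0].upper() if words else ""
    params = words[1:]
    if sep:
        params.append(trailing)   # the trailing parameter may contain spaces
    return prefix, command, params

def find_triggers(line):
    """Return [(field, trigger), ...] for every field of the line that carries a trigger string."""
    prefix, command, params = parse_irc_line(line)
    fields = [(k, prefix.get(k, "")) for k in ("nick", "user", "host")]
    if command in CHECKED_COMMANDS:
        fields += [(f"{command.lower()}.param{i}", p) for i, p in enumerate(params)]
    hits = []
    for name, value in fields:
        low = value.lower()
        hits += [(name, t) for t in TRIGGERS if t in low]
    return hits

def should_drop(line):
    """Server-side policy: refuse to relay a line that would trip the client-side signature."""
    return bool(find_triggers(line))

# Constructed sample traffic, modelled on the cases the comment describes.
SAMPLE_LINES = [
    ":alice!alice@example.net PRIVMSG #chat :hello everyone",
    ":mallory!startkeylogger@host.invalid JOIN #chat",
    ":bob!bob@example.org TOPIC #chat :stopkeylogger welcome",
    "NICK StopSpy",
    ":carol!carol@example.com QUIT :startkeylogger",
]

def scan(lines=SAMPLE_LINES):
    """Map each line to its trigger hits; only the first sample line is clean."""
    return {line: find_triggers(line) for line in lines}
```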
Re:Does it work with other programs? (Score:3, Informative)
Re:Does it work with other programs? (Score:2)
But I guess that would just time out...
Re:Does it work with other programs? (Score:2)
With WoW too (Score:3, Insightful)
Re:Does it work with other programs? (Score:3, Funny)
Re:Doesn't work most of the time from what i've se (Score:2)
I've found some. (Score:2)
I've even found some that are only exploitable if the IRC server sends it directly to the user. However, most filters won't check for the newline before the IRC message, so simply sending someone a m
apology (Score:2)
Oops, my bad.
Anyway, welcome to our side. As a convert, you will be appointed to the Janissary guard of Slashdot, and equipped with a +5 Wand of Windows Bashing (Special powers: Reloads upon posting comment).
Re:Peter Norton was my savior (Score:2)
AT home I use Su
Re:Let me get this straight... (Score:2)
Think about it. It's like having your A/V software wipe your browser cache clear when you bring up a webpage with the word "klez" or "zobot" in the page.