
RE: [Full-Disclosure] Backdoor not recognized by Kaspersky



>> if you can read the user's login credentials to his corporate mailserver you are far better off.

Rather casually put. How would you do this? I've heard how Swen asks the user for their credentials, but if you know a general crack for obtaining them I'd say that's news.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
larryseltzer@xxxxxxxxxxxxx 

-----Original Message-----
From: Thor Larholm [mailto:thor@xxxxxxxx] 
Sent: Wednesday, March 03, 2004 6:47 PM
To: Larry Seltzer; Mike Barushok; full-disclosure@xxxxxxxxxxxxxxxx
Subject: RE: [Full-Disclosure] Backdoor not recognized by Kaspersky


SMTP authentication will not do much to stop viruses from spreading. Some viruses are already moving away from just implementing their own SMTP server to reusing whatever SMTP credentials you have on your machine. Having your own SMTP engine is a nice fallback solution just in case, but if you can read the user's login credentials to his corporate mailserver you are far better off.

Imagine us all implementing SPF, Caller ID or Domain Keys - what would happen? We would all have to use a mail server that has implemented one of these 'solutions'. Naturally, virus writers would then just reuse your SMTP login credentials to spew their virus through that same MTA.

Another quick workaround to SPF, Caller ID and Domain Keys has already been implemented by spammers for a year or so. The only premise behind S/C/D is that you are trusted if you have access to a DNS server. Spammers are using compromised machines not only as SMTP servers, but also as web servers and DNS servers. The end result is that spammers have already completely circumvented all three solutions way before they were ever implemented.


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@xxxxxxxx
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of Qwik-Fix
<http://www.qwik-fix.net> 
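The two bypasses Thor describes above (a worm relaying through the victim's own authenticated MTA, and a spammer publishing a permissive SPF record from DNS he controls on a compromised host) can be seen in a small SPF evaluator. The following is an added illustration, not code from the original post or from PivX; the domain names, IP addresses and SPF records are constructed for the example, and the evaluator only models the ip4:/ip6: mechanisms and the all directive, not a, mx, include or redirect.

```python
import ipaddress

# Constructed DNS view (domain -> SPF TXT record); none of these are real records.
# corp.example is the victim's corporate domain, whose only authorised sender is
# its MTA at 203.0.113.10. spammer.example is a domain whose authoritative DNS
# the spammer runs on a compromised box, so he can list the bot IP as authorised.
SPF_RECORDS = {
    "corp.example":    "v=spf1 ip4:203.0.113.10 -all",
    "spammer.example": "v=spf1 ip4:198.51.100.77 -all",
}

BOT_IP = "198.51.100.77"      # compromised home PC running the worm
CORP_MTA_IP = "203.0.113.10"  # the corporate mail server

_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, records=SPF_RECORDS):
    """Return the SPF result for mail claiming to be from `domain` and arriving
    from `client_ip`. Only ip4:/ip6: mechanisms and `all` are modelled."""
    record = records.get(domain)
    if record is None:
        return "none"                      # no SPF record published
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is pass
        if term[0] in _QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # `in` is False across address families, so mixed records are safe
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            return "permerror"             # mechanism this toy does not model
        if matched:
            return _QUALIFIERS[qualifier]
    return "neutral"                       # fell off the end without a match


def worm_with_own_smtp_engine():
    # Worm sends directly from the bot, forging a corp.example sender.
    # The receiver sees the bot IP, which corp.example's record does not list.
    return spf_check("corp.example", BOT_IP)


def worm_reusing_stolen_credentials():
    # Worm authenticates to the corporate MTA with the user's stored SMTP
    # credentials; the receiver sees the MTA's IP, which the record authorises.
    return spf_check("corp.example", CORP_MTA_IP)


def spammer_with_own_dns():
    # Spammer publishes an SPF record for his own domain from DNS he controls,
    # naming the bot as an authorised sender. SPF has nothing to object to.
    return spf_check("spammer.example", BOT_IP)


if __name__ == "__main__":
    print("own SMTP engine, forged corp sender:", worm_with_own_smtp_engine())
    print("relayed via corp MTA with stolen creds:", worm_reusing_stolen_credentials())
    print("spammer domain, spammer-controlled DNS:", spammer_with_own_dns())
```

Only the first case is caught; in the other two the mail is, from SPF's point of view, exactly what the record says it should be. SPF answers "is this host allowed to send for this domain", not "is this message wanted", which is the gap the post is pointing at.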

-----Original Message-----
From: Larry Seltzer [mailto:larry@xxxxxxxxxxxxxxxx] 
Sent: Wednesday, March 03, 2004 1:38 PM
To: 'Mike Barushok'; full-disclosure@xxxxxxxxxxxxxxxx
Subject: RE: [Full-Disclosure] Backdoor not recognized by Kaspersky


>> I feel the need to address the problem from an ISP perspective, since the corporate and government and other institutional perspective seems to give different answers. And because the ISP end user problem is still the majority of the reservoir for viruses (and spam proxy/relay/trojans).

I really feel for you guys. As I've argued in another thread, I think SMTP authentication will likely cut this stuff down to a trickle compared to the current volume. As an ISP, how big a problem would you have with that? An even better question: Would you have a problem implementing SPF, Caller ID and Domain Keys (i.e. all 3)? It gets to the same issue of changing practices for your users: at some point you have to either bounce or segregate mail that doesn't authenticate.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
