Symantec Users, Start Your Keyloggers
An anonymous reader writes "Script kiddies have been taking advantage of intrusion prevention features of Symantec's Norton Firewall and Norton Internet Security Suites to knock users offline in IRC channels, according to an amusing post at Washingtonpost.com. From the article: 'Turns out that if someone types "startkeylogger" or "stopkeylogger" in an IRC channel, anyone on the channel using the affected Norton products will be immediately kicked off without warning. These are commands typically issued by the Spybot worm, which spreads over IRC and peer-to-peer file-swapping networks, installing a program that records and transmits everything the victim types (known as a keylogger).' Makes you wonder what other magic keywords produce unexpected results with Symantec's software."
People just don't learn very well from past mistakes...
.sig: file not found
This is a very elegant trick; using the victim's anti-virus software as the tool to kick them off the net. Not only that, but you can do this to any number of people who happen to be on that channel and use the affected product. Now, if we could only get the skript kiddies to put their minds to something productive...
startkeylogger -- phonex has quit (Read error: Connection reset by peer) -- TomA has quit (Read error: Connection reset by peer) -- something3280 has quit (Read error: Connection reset by peer
Arrrrrrr
That's a really scary concept: that the very programs we rely on to protect our computers are so incredibly insecure that a couple of keystrokes can completely disable our protection. You would think that if we are expected to pay a company to protect us, they would do their best. In this day and age, that is NOT the best they can do. Not a chance.
If I am dueling with a leet player on WoW, will this work to kick him off the game? Would I be able to gank him before the server times him out?
Edith Keeler Must Die
While, yes, it's a bug, most of my experience on IRC would point towards a benefit if anyone could boot anyone else. The benefit is to those booted, to be clear.
Anyone who uses Symantec software with the expectation that it will actually protect them from anything deserves whatever they get.
I deal with hundreds of machines monthly, and it's always the NIS/Norton Antivirus machines that have been completely compromised without Norton making a peep.
US companies suck at malware detection. I've found the eastern European companies to be among the best.
I hate Norton products. They are incredibly bloated, offer no technical documentation, and literally take over a system once installed. Have you ever tried to uninstall a Norton product? They are as bad as the viruses, worms, and trojans they claim to protect against.
I have Symantec's Norton Firewall and when I type startkeylogge
Now, if we could only get the skript kiddies to put their minds to something productive...
Since IRC is mostly a time-killer, wouldn't something that knocks people off of it be considered productive?
It doesn't have to be spoken text. If an incoming packet is caught by Norton Firewall with a keyword in it, the connection is closed regardless of where it is.
Which means you can change your nick to one of the words.
Or even more devilishly, put it in your ident where no one will notice it. Your speech will be so powerful it will knock people off the internet. Or is it your breath...
PS: Another keyword that works is "stopspy", which is more useful for idents. I don't normally take advantage of stuff like this but it's too good to pass up.
To redeem myself, I will mention that you can work around this by turning off some filter called "Spybot keylogger" or something under advanced options.
OTOH if you want to quickly get ahold of a random asshole, and you don't live in NYC, it's really the only solution.
Literalism isn't a form of humor, it's you being irritating.
http://www.bash.org/?13213
Fun keyword filtering.
XML is like violence. If it doesn't solve the problem, use more.
Yep, that works quite nicely.
I've confirmed on my network that the following will kick some serious ass:
- simply saying it in a channel
- adding it to the beginning of a topic (meaning if a user simply does a /list, or /joins, they'll get kicked out)
- changing your name to it
- Quit messages
It may also cause issues in PMs and notices, but I have yet to confirm that.
We ended up just adding text filters for any spot where the text can occur, something like this (since we're on UnrealIRC):
/spamfilter add cpnNPqat block - Norton_Exploit (start|stop)keylogger
Something to that effect.
It was a real annoyance on our network; it ended up kicking some people out over it.
~Francisco
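The post above makes the practical point that the trigger string has to be filtered everywhere it can appear in the protocol, not just in channel text. As an added illustration (this is not Francisco's code, nor anything from Symantec or UnrealIRCd), here is a small Python model of such a filter: it parses raw IRC lines and reports every field in which the `(start|stop)keylogger` pattern shows up, covering the places the thread lists (channel message, topic, nick, ident, quit message) plus notices, joins and the 322/332 LIST and TOPIC replies. The parser, the field names and the sample lines are constructed for this example; the case-insensitive match is an assumption about how a server-side spamfilter would be configured, and nothing here models the Norton product beyond "any match closes the connection".

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Mirrors the regex from the UnrealIRCd spamfilter quoted in the thread.
# Case-insensitive matching is an assumption for this example.
TRIGGER = re.compile(r"(start|stop)keylogger", re.IGNORECASE)

# Which parameter carries free text for each command we care about.
# Names on the right are labels chosen for this example.
TEXT_FIELDS = {
    "PRIVMSG": "message",
    "NOTICE": "notice",
    "TOPIC": "topic",
    "QUIT": "quit-message",
    "PART": "part-message",
    "NICK": "new-nick",
    "JOIN": "channel",
}


@dataclass
class IrcLine:
    prefix: Optional[str]   # "nick!ident@host" or a server name; None if absent
    command: str            # verb or numeric reply, upper-cased
    params: List[str]       # middle params, trailing param appended last


def parse_irc_line(raw: str) -> IrcLine:
    """Split one RFC 1459-style line into prefix, command and params."""
    line = raw.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    command, params = parts[0], parts[1:]
    if trailing is not None:
        params.append(trailing)
    return IrcLine(prefix, command.upper(), params)


def find_trigger(raw: str) -> List[str]:
    """Return the names of every field in which TRIGGER occurs.

    Models a filter that inspects text wherever it can appear, rather than
    only spoken channel text. An empty list means the line is clean.
    """
    msg = parse_irc_line(raw)
    hits: List[str] = []

    # The sender prefix: nick, ident and host are all attacker-controlled.
    if msg.prefix and "!" in msg.prefix:
        nick, _, rest = msg.prefix.partition("!")
        ident, _, host = rest.partition("@")
        for name, value in (("nick", nick), ("ident", ident), ("host", host)):
            if TRIGGER.search(value):
                hits.append(name)

    if msg.command in TEXT_FIELDS and msg.params:
        # PRIVMSG/NOTICE target may be a channel name containing the string.
        if msg.command in ("PRIVMSG", "NOTICE") and TRIGGER.search(msg.params[0]):
            hits.append("target")
        if TRIGGER.search(msg.params[-1]):
            hits.append(TEXT_FIELDS[msg.command])

    # 322 (LIST reply) and 332 (topic on join) echo channel names and topics
    # back to every client, so the trigger reaches people who never saw it typed.
    if msg.command in ("322", "332") and any(TRIGGER.search(p) for p in msg.params):
        hits.append("list-or-topic-reply")

    return hits


def would_disconnect(raw: str) -> bool:
    """A client that drops the connection on any match, as described in the thread."""
    return bool(find_trigger(raw))


# Constructed sample traffic for the example (not real captured data).
SAMPLE_LINES = [
    ":kid!k@h.example PRIVMSG #chan :startkeylogger",
    ":startkeylogger!k@h.example QUIT :Leaving",
    ":joe!startkeylogger@h.example JOIN :#chan",
    ":op!o@h.example TOPIC #chan :stopkeylogger now",
    ":irc.example 332 me #chan :StartKeyLogger was here",
    ":x!y@z.example PRIVMSG #other :hello everyone",
]


def scan(lines: List[str]) -> dict:
    """Map each line to the fields that would have tripped the filter."""
    return {line: find_trigger(line) for line in lines}


if __name__ == "__main__":
    for line, fields in scan(SAMPLE_LINES).items():
        print(("DROP " if fields else "ok   ") + line + "  " + str(fields))
```

Run it and the sample with "hello everyone" is the only line that survives; every other one would close the connection of an affected client, and in four of the five cases the string was never "said" in the channel at all.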
Not any program. The software only monitors IRC communication because that's where the commands to the zombies are sent. mIRC works through IRC, hence it causes the thing to be tripped.
Stupid Slashdot! Great, now it's public. I've had so much fun the last 2 weeks joining channels like 'teenlink69' and 'cyberz' on big networks and using the command.
It's good times watching 10-15 people drop at a time in the huge channels.
But now the fun will quickly disappear, thanks to Slashdot. DOH!
I saw this happening on #wikipedia a day or three ago. Someone with user/hostname like startkeylogger@....gnauk.co.uk showed up, and bang, a Norton user dropped off line.
I really couldn't believe any people would implement this sort of silliness in firewall/antivirus software in this day and age. This was a "feature" of some censorware packages a few years back; I really hoped the folks would have wised up. It's silly if you try to censor stuff; it's twice as silly if it goes under the guise of computer security.
I get "Message blocked: Exploiting Norton bug" on my favorite channel if I type in either command
Try to join #2600 on irc.2600.net before reading this article. Shit, probably too late.
I have the Symantec suite installed, and when I type "startkeylogger
I hang out with friends from high school on IRC. MSN and AIM suck for that, because you have to initiate contact. On IRC, all you do is type something, and all your friends see it. If they want to respond, they can. With modern IM's, when you initiate contact it's at the other person's inconvenience. You can leave a copy of XiRCON or mIRC minimized and idle 24/7. If you want to talk to people, just pop it up and you've got a convenient-for-both-parties instant line of communication. This is in contrast to instant messengers, which steal focus and make annoying sounds.
SRSLY.
I never thought I would intentionally go into a room full of Windows users on IRC, but I'm soooo all over this
Ubuntu: If at first you don't succeed, blindly slap a sudo in front of it
Shouldn't Norton know if the machine is infected, and not terminate the connection when the malware isn't present?
For a company that purports to "improve" your computer's security, Symantec clearly doesn't have much by way of policy on what actions can be taken based on untrusted data.
This is not the first "personal firewall" product to be attackable, either. BlackICE has had its time up on Slashdot, as well as other packages.
"Personal firewalls" do little to improve computer security, and do add overhead, complexity, and their own collection of security problems.
The real fix is to not start servers that you don't trust to be solid listening for traffic from your computer. Microsoft does (irritatingly) have a collection of servers running by default (unless SP2 disabled or blocked access to them -- dunno).
Worrying about personal firewalls, trying to treat NAT as a "security enhancer", etc...it's all crazy. Just don't open the holes in the computer in the first place and you don't have to worry about it.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
(kernelpanicked) startkeylogger
[quux(n=bryan@pdpc/supporter/sustaining/quuxo)] please don't do it again
(kernelpanicked) no problem, startkeylogger
*tear* It's like christmas for UNIX geeks has come early
thats just for starters
once you go slack, you never go back
*** (G) Banned from AustNet: This address has been used for deliberately try to disconnect others. (CET0603030304).
Frak.
In summary, be careful with this.
A couple of things of note I haven't seen addressed:
Why not just remove the text from incoming packets, leaving the rest intact?
If the purpose of your software is to keep malware off the computer, why the **** do you need this feature in the first place?
Programming may be tough to learn, but common sense appears to be impossible.
Type "start" and "key" and "logger" together and something funny happens!
<n00b>startkeylogger
* n00b has Quit IRC (G-Lined - Banned from AustNet: This address has been used for deliberately try to disconnect others)
<user1>ROFLMAO!
<user2>Dude, stop doing that
<user1>Don't worry, he won't do it again
<user2>LOL!
How about if you put one of the keywords in the channel name? How would affected machines behave on getting a listing or joining the channel?
When I was bored on IRC, sometimes I used to visit a random, well-populated channel and simply type
"Press ALT-F4 now to gain instant access to my ratio-free, unlimited download porn fserve"
And then sit back and watch the number of nicks drop by less than half.
Why?
Because you have to run Norton as the administrator if you want updates. You *used* to be able to get around this by installing Norton as an admin, then setting up a cron (scheduled tasks
Lame? Yes, it is. Their technical support staff find nothing odd about this, and their sales staff try to sell you an inordinately expensive "professional" product which does allow you to run as a normal user and have updates occur without logging in as admin every 5 minutes. This is just sad. Every XP user should be running as a non-admin. Norton should be *encouraging* that.
I thought these people were trying to *help* security? The last thing I want anyone to do is run as administrator on an XP box. Sure, you don't get the same level of security that you do under Linux when one runs as a normal user, but it's still *very preferable* to run as a non-admin user for your day-to-day tasks under XP.
There are so many "business" class products that don't understand such a simple concept. I've seen income tax software that must be run as the admin user under XP. Anti-virus software though??! That's just absurd.
Remember the old Bitcom for DOS? If you were reading messages on a BBS, and in one of those messages you encountered the phrase "NO CARRIER", Bitcom would helpfully hang up the modem!
~REZ~ #43301. Who'd fake being me anyway?
The sad thing about this is Norton users will blame everything but their software. In reality, it's Norton's software that sucks, and it has sucked since the dawn of Win95. The last product that still commands respect in my nostalgia is Norton Utilities 8.0 for DOS. Every Windows-based Norton app has been prettified useless crap.
Hell, I'm using a free antivirus because it gets right to the point. No pretty 3-inch-wide tray monitor, no HTMLized interface (that crashes the HTML engine half the time), nothing but virus scanning, thank you very much. Firewall? Comes with Windows, does the job just fine for me. I've got Linux for my "important" network in the closet.
-Billco, Fnarg.com
This side effect of Norton's attempt to protect the user, or that Symantec thinks this is the best way to protect the user.
I mean, if Norton is aware of a keylogger worm on IRC, wouldn't it make more sense to have Norton Internet Security kill the keylogger process or block the data the keylogger tries to send out? It is a firewall after all. Or, for Norton Antivirus to identify the keylogger and remove it as part of removing the worm. Would it not be part of the worm, and therefore something Norton is supposed to be removing, as part of the program's specified function?
If stopping access to a service is how one should protect themselves from threats on it, maybe Norton should just block all TCP/IP traffic to prevent viruses, worms, and identity theft.
Good thing the keylogger trigger wasn't "hello everyone".
There actually was a simple workaround for that problem that almost all modems support. The standard command ATS2= sets which ASCII value is your modem escape code: the default value 33 is +.
However, the value 255 was special: if you do ATS2=255, the +++ escape feature is disabled entirely. In this mode, you hang up by dropping the "terminal ready" bit on the serial port - something that can't be faked like +++. This has the disadvantage that you can't switch to command mode without hanging up, but that feature was rarely used (especially because data sent by the other side while in command mode gets dropped).
This feature was frequently used by BBSs to stop this kind of thing from happening (i.e., people doing +++ATH ATDT911).
Meow,
Melissa
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
I don't know if it's the same string (probably not), but Norton was idiotic enough to forbid WoW from accessing the network any more after it detected something in the stream of data that looked like an SQL Server exploit. Or something like that; I don't remember the exact message, since I was busy swearing when that happened. The fact that it was a different program, on a different port, _and_ the direction in which the "exploit" was transmitted was all wrong... well, that didn't stop Norton from helpfully trying to protect me.
Also, it didn't stop there, since thereafter their firewall was automatically configured to forbid access to the WoW client.
Frankly, by now I'm thinking most of these "security products" are:
1. unnecessary, if you have some clue: use a firewall, keep your system patched, and have enough brains to read pop-up messages before clicking "yes". None has yet detected a _real_ virus on my computers.
2. about as effective as a condom with a hole in it when you actually need them: they just give you a false sense of security while you're getting screwed. The one time when I did intentionally play with a virus, Norton _didn't_ detect it. (Yes, it was intentional. I actually planned to let a system get virused while I download Sygate Personal Firewall, then reformat and reinstall.)
Worse yet, there are plenty of viruses which disable them anyway. So if you did get a new virus (e.g., by not obeying point 1) before Symantec updates their signatures, chances are it will disable your antivirus anyway. So basically the only way to be sure you still have protection is... to not get virused in the first place, without its help. Does it sound superfluous yet?
Worse yet, these "security products" lately have more exploits of their own than Windows has, basically just creating extra opportunities to get pwn3d by a script kiddie. I know of at least one virus which did already spread through an overflow in a security product.
3. Perhaps more importantly: good only for slowing the system down and creating annoying false positives.
E.g., the WoW disconnect described above. (Though it would also fit in the "creating a new exploit" category described above.)
E.g., I haven't had one yet which didn't pick on some innocent program on account that some bytes in it looked like they _could_ do something that _could_ be dangerous.
E.g., heck, forget disconnecting from IRC for keylogger commands. At least one was idiotic enough to insist on deleting mIRC (both installed _and_ the installer) off my computer, because they thought IRC was a risk. And yes, you've read that right. Not because of detecting some possible problem in code, not because of knowing of an exploit in that particular mIRC version, etc. Just because of a retarded biased judgment call that mIRC is dangerous, and they wanted to protect me from that. (As a side-note: then why not also delete IE, if they're at deleting programs just because they think they _could_ be dangerous? I dare say it's got a worse track record than mIRC.)
Etc.
4. and even more importantly, most are worse than a virus in and of themselves. I don't think a virus or trojan even exists yet that slows down a computer worse than most of these "security solutions." You'd have to get several layers of them before a modest computer starts to crawl the way it does with Norton or McAfee on it.
A polar bear is a cartesian bear after a coordinate transform.
Yep, I've been hit before by the exact same scenario you describe, although probably with a different string.
So I'm playing WoW happily and suddenly I'm completely lagged (you know, those time-bubbles where you can run around, but not cast spells or receive any update from the server) and then disconnected. Better yet, when I try to reconnect, I can't.
Turns out that something in that stream of binary data between the WoW server and the WoW client looked to Norton suspiciously like some old SQL Server exploit. Never mind that it wasn't even talking to the right program, on the right port, or in the right direction. So it helpfully took me offline, for my own good.
Now as I've said, I have no clue exactly _what_ sequence of bytes triggered it there. Presumably something more SQL-like than this one. But I wouldn't be surprised if someone took the time to figure it out and broadcast it in a battleground match.