Slashdot Mirror

← Back to Stories (view on slashdot.org)

Symantec Users, Start Your Keyloggers

Posted by ryuzaki0 on from the unfurling-the-welcome-mat dept.

An anonymous reader writes "Script kiddies have been taking advantage of intrusion prevention features of Symantec's Norton Firewall and Norton Internet Security Suites to knock users offline in IRC channels, according to an amusing post at Washingtonpost.com. From the article: 'Turns out that if someone types "startkeylogger" or "stopkeylogger" in an IRC channel, anyone on the channel using the affected Norton products will be immediately kicked off without warning. These are commands typically issued by the Spybot worm, which spreads over IRC and peer-to-peer file-swapping networks, installing a program that records and transmits everything the victim types (known as a keylogger).' Makes you wonder what other magic keywords produce unexpected results with Symantec's software."

28 of 313 comments (clear)

  1. +++ATH by petard · · Score: 4, Funny

    People just don't learn very well from past mistakes...

    --
    .sig: file not found
    1. Re:+++ATH by Ungrounded+Lightning · · Score: 4, Informative

      There was also the "ANSI Standard Back Door".

      Some of the early not-too-smart (pre-computer-running-the-show) terminals - notably the "Ann Arbor Terminals" terminal, the DEC VT105, and anything following the ANSI standard for terminal operation which was based on them - had several "soft keys".
        - These could be configured to send any desired sequence of up to maybe 128 or so characters when hit.
        - They were configured by an escape sequence.
        - The escape sequence could be delivered from the far end of the link. (Typically was, by a program setting up the softkey.)
        - The escape sequence setting the key would not produce any visual indication on the screen that this was being done (so as not to corrupt the screen).
        - The key could also be "struck" by another escape sequence, also deliverable from the remote end.
        - Some talk/chat features (think "stone-age instant messaging") did NOT filter out escape sequences in inter-user messages.

      What this meant was that a user (especially one running an early terminal emulator on an early home computer - like an Apple ][) could compose a message to another user that would reprogram one of his softkeys to send anything the malicious user wanted and "hit" it remotely. The time-sharing machine in the middle would interpret the command as if it came from the victim. (This was especially handy if the victim happened to be logged in as the equivalent of a superuser at the time.)

      If the message was a multiple command to disable keysroke echoing at the start and reenable it at the end it might not show up at all. (Or screen control stuff could be included to blank out the echoed command before it could be noticed.)

      There were revs to the terminals to disable this. But installing them made the terminal no longer standards compliant. B-)

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    2. Re:+++ATH by Ungrounded+Lightning · · Score: 3, Informative

      (An even more viscous hack was to reprogram the terminal's scrolling window to 1x1 character, change the escape sequence for programming it, and store it as the startup configuration. This killed the terminal - permanently. B-b )

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  2. One thing for sure. by techno-vampire · · Score: 4, Insightful

    This is a very elegant trick; using the victim's anti-virus software as the tool to kick them off the net. Not only that, but you can do this to any number of people who happen to be on that channel and use the affected product. Now, if we could only get the skript kiddies to put their minds to something productive...

    --
    Good, inexpensive web hosting
    1. Re:One thing for sure. by NitsujTPU · · Score: 4, Informative

      Dude... what are you talking about? Script kiddies are called script kiddies because they steal other people's ideas. They aren't actually coming up with anything.

      It wasn't a script kiddie who figured out that this works, it was a "hacker" (or a "cracker").

      It's not like some kid spent hours figuring this out. These kids were told by someone who figured it out, who would not be referred to as a script kiddie.

    2. Re:One thing for sure. by mboverload · · Score: 4, Funny

      With all due respect to people who use Norton,

      Only script kiddies use Norton. Seriously.

  3. Yep, it works... by xx_toran_xx · · Score: 5, Funny

    startkeylogger -- phonex has quit (Read error: Connection reset by peer) -- TomA has quit (Read error: Connection reset by peer) -- something3280 has quit (Read error: Connection reset by peer

    --
    Arrrrrrr
  4. protection? yeah, right by psycho+chic · · Score: 5, Insightful
    and people pay for that crap?

    thats a really scary concept, that the very programs we rely on to protect our computers are so incredibly insecure that a couple keystrokes can completely disable our protection. you would think that if we are expected to pay a company to protect us, that they would do their best. this day in age, that is NOT the best they can do. Not a chance.

    1. Re:protection? yeah, right by Eightyford · · Score: 3, Insightful

      And now Microsoft is selling Antivirus software. Antivirus software to secure their unsecure operating system. I think this type of thing will ultimately force companies to switch back to Unix-like operating systems.

      --
      Religion for nerds. Stuff that really matters
    2. Re:protection? yeah, right by macklin01 · · Score: 4, Informative

      thats a really scary concept, that the very programs we rely on to protect our computers are so incredibly insecure that a couple keystrokes can completely disable our protection. you would think that if we are expected to pay a company to protect us, that they would do their best. this day in age, that is NOT the best they can do. Not a chance.

      From what I understood, the keystrokes weren't disabling the protection, but rather activating it, i.e., shutting down the chat session to prevent it from triggering malware. - Paul

      --
      OpenSource.MathCancer.org: open source comp bio
    3. Re:protection? yeah, right by Mistshadow2k4 · · Score: 3, Informative

      "Exepct that Unix like operating systems aren't immune to many virus attacks too. They just haven't been the focus of attack in any significant way, so the true virus potential isn't know."

      You seem to think *nix OSes are a lot less popular then they are. You do know that Unix was the most popular server OS until this year, right? You do know that when combined with Linux and BSD, the *nix OSes still outnumber Windows servers, don't you? And surely you've heard that Unix has been around about 35 years, haven't you? So.... where are all the Unix viruses? There should be a million of them at least but there aren't. There have been only 13 Unix viruses in computing history. Maybe it has something to do with the fact that it has always been desinged to be secure from the start.

      --
      I dream of a better world... one in which chickens can cross roads without their motives being questioned.
  5. MMORPG affected? by kindbud · · Score: 4, Funny

    If I am dueling with a leet player on WoW, will this work to kick him off the game? Would I be able to gank him before the server times him out?

    --
    Edith Keeler Must Die
    1. Re:MMORPG affected? by QuantumG · · Score: 3, Insightful

      on machine one:

      nc -l -p 6667

      on machine with NPF or NIS on it:

      telnet machineone 6667

      on machine one:

      startkeylogger

      machine two will now disconnect you from machine one and Norton will block you from connecting to machine one again. You have to go into the AutoBlock tab of the Symantec Client Firewall and remove the ip from the list.

      --
      How we know is more important than what we know.
  6. So bad? by mugnyte · · Score: 3, Funny


      While yes a bug, most of my experience on IRC would point towards a benefit if anyone could boot anyone else. The benefit is to those booted, to be clear.

  7. No surprise here... by Radi-0-head · · Score: 4, Informative

    Anyone who uses Symantec software with the expectation that it will actually protect them from anything deserves whatever they get.

    I deal with hundredes of machines monthly, and it's always the NIS/Norton Antivirus machines that have been completely compromised without Norton making a peep.

    US companies suck at malware detection. I've found the eastern European companies to be among the best.

    1. Re:No surprise here... by caudron · · Score: 3, Funny

      US companies suck at malware detection. I've found the eastern European companies to be among the best.

      Sure, the author is always gonna best know how to uninstall his app.

      --
      -Tom
  8. Um. by daeg · · Score: 3, Interesting

    I hate Norton products. They are incredibly bloated, offer no technical documentation, and literally take over a system once installed. Have you ever tried to uninstall a Norton product? They are as bad as the viruses, worms, and trojans they claim to protect against.

  9. Doesn't affect me by GAATTC · · Score: 5, Funny

    I have Symantec's Norton Firewall and when I type startkeylogge

  10. But they just did... by TCQuad · · Score: 3, Funny

    Now, if we could only get the skript kiddies to put their minds to something productive...

    Since IRC is mostly a time-killer, wouldn't something that knocks people off of it be considered productive?

  11. Best Part of This + Fix for Problem by The+MAZZTer · · Score: 4, Informative

    It doesn't have to be spoken text. If an incoming packet is caught by norton firewall with a keyword in it, the connection is closed reguardless of where it is.

    Which means you can change your nick to one of the words.

    Or even more devlishly, put it in your ident where noone will notice it. Your speech will be so powerful it will knock people off the internet. Or is it your breath...

    PS: Another keyword that works is "stopspy", which is more useful for idents. I don't normally take advantage of stuff like this but it's too good to pass up.

    To redeem myself, I will mention that you can work around this by turning off some filter called "Spybot keylogger" or something under advanced options.

  12. Re:time for a nick change by Deltaanime · · Score: 3, Insightful

    Yep, that works quite nicely.

    I've confirmed on my network that the following will kick some serious ass:

    - simply saying it in a channel
    - adding it to the beginning of a topic (meaning if a user simply does a /list, or /join's, they'll get kicked out)
    - changing your name to it
    - Quit messages

    It may also cause issues in PM's, notices, but have yet to confirm with that.

    We ended up just adding text filters for any spot where the text can occur, something like this (since we're on UnrealIRC):

    /spamfilter add cpnNPqat block - Norton_Exploit (start|stop)keylogger

    Something to that affect.

    It was a real annoyance on our network, ended up kicking some people out over it.

    ~Francisco

  13. Some servers filter these already by cojsl · · Score: 3, Informative

    I get "Message blocked: Exploiting Norton bug" on my favorite channel if I type in either command

  14. Re:Does it work with other programs? by Anonymous Coward · · Score: 3, Funny

    I have the Symantec suite installed, and when I type "startkeylogger

  15. Re:Impressive by DeadChobi · · Score: 3, Insightful

    I hang out with friends from high school on IRC. MSN and AIM suck for that, because you have to initiate contact. On IRC, all you do is type something, and all your friends see it. If they want to respond, they can. With modern IM's, when you initiate contact it's at the other person's inconvenience. You can leave a copy of XiRCON or mIRC minimized and idle 24/7. If you want to talk to people, just pop it up and you've got a convenient-for-both-parties instant line of communication. This is in contrast to instant messengers, which steal focus and make annoying sounds.

    --
    SRSLY.
  16. And now, ladies and gentlemen... by Spy+der+Mann · · Score: 5, Funny

    Type "start" and "key" and "logger" together and something funny happens!
    <n00b>startkeylogger
    * n00b has Quit IRC (G-Lined - Banned from AustNet: This address has been used for deliberately try to disconnect others)
    <user1>ROFLMAO!
    <user2>Dude, stop doing that
    <user1>Don't worry, he won't do it again
    <user2>LOL!

  17. norton has got to be the least secure virus produc by Blymie · · Score: 4, Informative


    Why?

    Because you have to run Norton as the administrator, if you want updates. You *used* to be able to get around this, by installing Norton as an admin, then setting up a cron (scheduled tasks :P ) to do the updates. However, Norton actually *disabled* the ability to do this in its latest versions. For the last year or so, you MUST run Norton as the administrator to get updates. Put another way, you have to log in once a day as administrator, or you never receive virus updates.

    Lame? Yes, it is. Their techincal support staff find nothing odd about this, and their sales staff try to sell you an inordinately expensive "professional" product which does allow you to run as a normal user, and have updates occur without logging in as admin every 5 minutes. This is just sad. Every XP user should be running as a non-admin. Norton should be *encouraging* that.

    I thought these people were trying to *help* security? The last thing I want anyone to do, is run as administrator on an XP box. Sure, you don't get the same level of security that you do under Linux, when one runs as a normal user, but it's still *very preferable* to run as a non-admin user for your day to day tasks, under XP.

    There are so many "business" class products that don't understand such a simple concept. I've seen income tax software that must be run as the admin user under XP. Anti-virus software though??! That's just absurd.

  18. Bitcom too by Reziac · · Score: 4, Funny

    Remember the old Bitcom for DOS? if you were reading messages on a BBS, and if in one of those messages you encountered the phrase "NO CARRIER", Bitcom would helpfully hang up the modem!

    --
    ~REZ~ #43301. Who'd fake being me anyway?
  19. Workaround for that dumb +++ problem by Myria · · Score: 4, Insightful

    There actually was a simple workaround for that problem that almost all modems support. The standard command ATS2= sets which ASCII value is your modem escape code: the default value 33 is +.

    However, the value 255 was special: if you do ATS2=255, the +++ escape feature is disabled entirely. In this mode, you hang up by dropping the "terminal ready" bit on the serial port - something that can't be faked like +++. This has the disadvantage that you can't switch to command mode without hanging up, but that feature was rarely used (especially because data sent by the other side while in command mode gets dropped).

    This feature was frequently used by BBSs to stop this kind of thing from happening (IE, people doing +++ATH ATDT911).

    Meow,

    Melissa

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager