Dailydave mailing list archives

RE: WMF and the Windows Vulnerability Drought :>
From: "El Nahual" <nahual () g-con org>
Date: Mon, 2 Jan 2006 16:52:24 -0600

Answering within lines:

-----Original Message-----
From: H D Moore [mailto:hdm-daily-dave () digitaloffense net] 
Sent: Monday, January 02, 2006 03:57 p.m.
To: dailydave () lists immunitysec com
Subject: Re: [Dailydave] WMF and the Windows Vulnerability Drought :>

On Monday 02 January 2006 15:20, Dave Aitel wrote:
So I'm not sure why Sans Diary has people calling HD Moore
irresponsible, when all he did was point out the brutally obvious: You
can't write reliable network IDS signatures for these client side

From the F-Secure web site:
- http://www.f-secure.com/weblog/archives/archive-012006.html#00000758

"Making such tools publicly available when there's no vendor patch 
available is irresponsible. Plain and simply irresponsible. Everybody 
associated in making and publishing the exploit knows this. And they 
should know better. Moore, A.S, San and FrSIRT: you should know better."

AKA I'm pissed off since I didn't discover the shit

The AV industry sure doesn't like it when their products are completely 
ineffective against the biggest exploit of the year. They like it even 
less when you publish a one-byte change that breaks their signatures. I 
can't blame them for being upset, but this public attempt at "scolding" 
is just pathetic.

Short answer: Get a fucking engine that works
Long answer: Since you are stupid and rely on trying to detect every single
fucking variation of malware, you should at least try to get some decent
heuristics into your engine and not get fooled by the most stupid virus or
even some not so easy metamorphic viruses, not to mention the ease with which
your memory space can be written and your antivirus can just segfault or even
worse detect to return 0 on your scan routine....

On a somewhat funny note, a poll was added to the ISC web site (by Swa 
Frantzen) that I figured the folks on here would appreciate:

Q: Was the release of the 2nd generation WMF exploit on Dec 31st 2005 
irresponsible?

39% => Yes, I'd like to see the authors brought to justice
22% => Yes, they made the world a worse place
28% => No, the bad guys had already equal ammunition
10% => No, I believe the ends did justify the means
Total Answers: 797

Yeah bring them to justice, but then those ppl should uninstall Windows 2000
and XP because god knows Microsoft didn't want to write win2k, nice kernel
bug on NT4 made it ... guess who owes running xp to run those games on them

I contacted the ISC team about this -- introducing the exploit authors as 
people that need to be "brought to justice" is about one step from libel. 
So far, only 39% of ISC's visitors want to see my ass thrown in jail. I 
can't help but think that the wording of that first poll option has 
something to do with it. 

I'll just quote darkspyrit on this one: "Thinking the public exploit is the
only one available is plain stupid". There are massive amounts of excellent
hackers and programmers all over the world; someone has to come to the bug.

On the same page as the poll is a nice post from Marcus suggesting that 
people check out the Metasploit Framework. Go figure :-)

The poll can be found online at:
- http://isc.sans.org/

Next poll on the ISC web site, "What limb would you most like to have 
devoured by flesh-eating scarabs?"...


I bet half of these ppl have used your framework, it's just that they are too
stupid to put the name with the framework yet ....

Just my 2 cents

