Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

firewall-wizards logo Firewall Wizards mailing list archives

Re: w00w00 on AIM Filter (Backdoors & SpyWare)
From: Chad Schieken <cschieken () lucent com>
Date: Wed, 09 Jan 2002 08:01:45 -0500
Looks like we have a new form of attack. It seems akin the types of "semantic" attacks that Bruce Schneier talked about. Here the attacker publishes a vulnerability in a piece of widely used software, and points to another piece of software as the "solution". The solution contains the exploit code.
ouch! I got bit by this one (well, I downloaded installed and attempted to use AIM Filter). I was proud of myself for quickly implementing the "fix". Ugh. 

Exactly how does a firewall protect against this type of attack?




At 03:43 PM 1/8/2002, you wrote:

BugTraq readership:

    It has recently come to our attention that AIM Filter, which we
    recommended as an appropriate temporary solution for the AIM
    buffer overflows we published, actually contains backdoors and
    spyware.  This became obvious when the source was released on
    January 5th, 2002.

    At the time, Robbie Saunders' AIM Filter seemed like a nice
    temporary solution.  Unfortunately, it instead produces cash-paid
    click-throughs over time intervals and contains backdoor code
    combined with basic obfuscation to divulge system information and
    launch several web browsers to porn sites. We only took the time
    to verify that it blocked the attack, since an analysis of AIM
    filter wasn't our priority. Mea culpa.

    In the meantime, we've cleaned up the AIM Filter code and produced
    a modified version available on our website, and we've removed all
    the backdoors and spyware.  For those of you who are still
    interested in using the software, we strongly recommend you use
    this modified version instead.  You will find it at:

         http://www.w00w00.org/files/w00aimfilter.zip

    We apologize to the security community at large for this mistake.
    However, we think this is a very apt example of why closed-source
    programs can be deadly.  You never know for sure what lurks under
    the hood of a binary executable, and of course U.S. Law (DMCA)
    forbids you from trying to find out.  Once again, disclosure is
    your best friend.

    We urge readers to find out more about the DMCA at
    http://www.anti-dmca.org/.

    We would also like to take this opportunity to provide updated
    reference information on the original AIM vulnerability, which has
    now been assigned a CVE Candidate ID: CVE-2002-0005.


--jordan and the w00w00 Security Team



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]