I do not have an approval to do this, but I felt I had to share this mail
with everyone in alt.comp.virus.
Joakim
>Approved-By: Russ....@RC.ON.CA
>Date: Thu, 16 Dec 1999 21:16:53 -0500
>Reply-To: Weld Pond <we...@L0PHT.COM>
>Sender: Windows NTBugtraq Mailing List <NTBU...@LISTSERV.NTBUGTRAQ.COM>
>From: Weld Pond <we...@L0PHT.COM>
>Subject: Re: Alert: W32.NewApt.Worm being sent to NTBugtraq subscribers
>Comments: To: Russ <Russ....@RC.ON.CA>
>To: NTBU...@LISTSERV.NTBUGTRAQ.COM
>
>OK, you said not to reply but I have further proof that the antivirus
>companies are just copying each other's data without thinking about it.
>
>A funny thing happened on Nov 19, 1999. A l0phtcrack customer emailed our
>support address to complain that Trend Micro's antivirus program was
>detecting a "virus" in the l0phtcrack 2.52 executable file. It detected
>something called the TROJ_L0PHTCRACK virus. The customer wanted to make
>sure they were not infected. Trend Micro had included a TROJ_L0PHTCRACK
>signature in their version 610 signature file.
>
>Then on Dec 16 we got another message from a customer complaining that
>NAI's VirusScan with the version 4056 signature file was now detecting the
>"Lophtcrack" (sic) virus. The program actually pops up a message box
>stating "The file l0phtcrack.XXX on YYY is infected with the virus
>Lophtcrack. Unable to clean file."
>
>L0phtCrack was first released in 1997 and the latest version was released
>in Jan. 1999. Is it a coincidence that both AV vendors are just getting
>around to deciding L0phtCrack is a virus/trojan? I don't think so. My
>hypothesis is someone at Trend Micro decided it was a virus and NAI
>blindly copied their data. But who really knows.
>
>L0phtCrack is obviously neither a trojan nor virus. These AV messages are
>erroneous.
>
>-weld
>
> Sisters and Brothers,
>
> I do not have an approval to do this, but I felt I had to share this mail
> with everyone in alt.comp.virus.
good way to get some kind of answer, certainly...
[snip]
> >Sender: Windows NTBugtraq Mailing List <NTBU...@LISTSERV.NTBUGTRAQ.COM>
[snip]
> >support address to complain that Trend Micro's antivirus program was
> >detecting a "virus" in the l0phtcrack 2.52 executable file. It detected
> >something called the TROJ_L0PHTCRACK virus. The customer wanted to make
[snip]
> >Then on Dec 16 we got another message from a customer complaining that
> >NAI's VirusScan with the version 4056 signature file was now detecting the
> >"Lophtcrack" (sic) virus. The program actually pops up a message box
> >stating "The file l0phtcrack.XXX on YYY is infected with the virus
> >Lophtcrack. Unable to clean file."
> >
> >L0phtCrack was first released in 1997 and the latest version was released
> >in Jan. 1999. Is it a coincidence that both AV vendors are just getting
> >around to deciding L0phtCrack is a virus/trojan? I don't think so. My
> >hypothesis is someone at Trend Micro decided it was a virus and NAI
> >blindly copied their data. But who really knows.
> >
> >L0phtCrack is obviously neither a trojan nor virus. These AV messages are
> >erroneous.
they are erroneous in so far as it's not a virus and they say "virus"
whenever they alert on anything - but as far as it not being a trojan,
that's a little more debatable...
some people would like to believe bo2k and netbus pro are not trojans, but
so long as they can be run/installed invisibly (whether by design or by
design flaw) they will be detected as such...
--
"when i ran i didn't feel like a runaway
when i escaped i didn't feel like i got away
there's more to living than only surviving
maybe i'm not there, but i'm still trying"
Kurt,
L0pht crack does not install invisibly hence it differs from
netbus/etc. If anybody cares to look at Microsoft's page they will see that
M$ recommend the use of a "password testing" tool such as L0pht crack to test
system security..
Regards Dalt
"kurt wismer" <g9k...@cdf.toronto.edu> wrote in message
news:Pine.GSO.3.95.991219115231.9663A-100000@eddie...
> some people would like to believe bo2k and netbus pro are not trojans, but
> so long as they can be run/installed invisibly (whether by design or by
> design flaw) they will be detected as such...
>
>some people would like to believe bo2k and netbus pro are not trojans, but
>so long as they can be run/installed invisibly (whether by design or by
>design flaw) they will be detected as such...
Yep; but this is just a password attacker. It's a somewhat dodgy thing for a
normal user to have on a network, but it's by no means a trojan - it doesn't
pretend to do anything else.
--
Paul
To email me, change nospam to black-sun.
[Posted and Emailed to weld pond, as I suspect he does
not read alt.comp.virus]
> I do not have an approval to do this, but I felt I had to share this mail
> with everyone in alt.comp.virus.
>
> Joakim
>
> >Approved-By: Russ....@RC.ON.CA
> >Date: Thu, 16 Dec 1999 21:16:53 -0500
> >Reply-To: Weld Pond <we...@L0PHT.COM>
> >Sender: Windows NTBugtraq Mailing List <NTBU...@LISTSERV.NTBUGTRAQ.COM>
> >From: Weld Pond <we...@L0PHT.COM>
> >Subject: Re: Alert: W32.NewApt.Worm being sent to NTBugtraq subscribers
> >Comments: To: Russ <Russ....@RC.ON.CA>
> >To: NTBU...@LISTSERV.NTBUGTRAQ.COM
> >
> >OK, you said not to reply but I have further proof that the antivirus
> >companies are just copying each other's data without thinking about it.
<<snip story of near-coincident addition of detection of
weld pond's excellent L0phtCrack to two scanners>>
The phrasing of weld pond's "accusation" shows a dire
lack of understanding of modern antivirus techniques on
his part, though that is not surprising as, in my
experience, that holds for most everybody who is not
very close to, or part of, the antivirus industry.
In this case (Trend and NAI products), I strongly doubt
that one company could have "copied the other's data".
The reason is that the best insider information tells us
that the two products use quite different detection
technologies. Trend's product historically has done a
great deal of "grunt scanning", looking for "detection
strings" anywhere within a file (or within file format-
meaningful "sections" of a file). The Dr Solomon's
scanning engine at the heart of v4.x NAI products simply
does not provide for that kind of detection mechanism,
requiring offset or other forms of "positioning" info if
a simple scan-string search is required as part of one
of its detection drivers.
> >L0phtCrack was first released in 1997 and the latest version was released
> >in Jan. 1999. Is it a coincidence that both AV vendors are just getting
> >around to deciding L0phtCrack is a virus/trojan? I don't think so. My
> >hypothesis is someone at Trend Micro decided it was a virus and NAI
> >blindly copied their data. But who really knows.
There is a simpler, and *much* more likely explanation
of this near coincident addition of detection of
L0phtCrack to both products. You see, many people use
more than one AV product. The reasons for this are
complex and varied, but it is almost common to see two
(or more) products licensed within one company. Now,
let's imagine that Trend decided to add detection of
L0phtCrack because a number of its clients asked for
it. (Why would they? Maybe they do not want anyone
other than their admins from running password testing/
cracking programs? Seems reasonable to me...)
Whatever, Trend obliged by adding detection of (at
least one of) the L0phtCrack executables. Consistent
with the perceived need of its client and its internal
naming conventions, Trend decided to class L0phtCrack
as a Trojan -- this is "obvious" from the name
TROJ_L0PHTCRACK that weld pond reports from a L0phtCrack
user. Trend's scanner, as with several others, suffers
from terminally poor design in its reporting code, such
that it always reports something like:
<filename> is infected with the <detection name> virus
Thus, we get a L0phtCrack and Trend user concerned that
L0phtCrack is reported by Trend as "infected with the
TROJ_L0PHTCRACK virus". I'd suggest that the user and
weld pond complain to Trend for this grossly misleading,
potentially confusing and worry-imparting, and (at least
in weld pond's case) possibly defamatory, statement.
OK -- so why did NAI's product start detecting this a
month or so later?
First, I'll point out that NAI releases weekly updates
of its DAT files. (weld pond's use of the term
"signature files" is also possibly indicative of his
lack of understanding of the finer points of virus
detection. Viruses do not have "signatures" and the
term has been heavily deprecated by antivirus
researchers for a very long time, though unfortunately
the marketing and publicity people seem as attached to
the concept as the rest of the non-researcher group...)
Thus, if NAI was simply into "stealing" its competitors'
"signatures" -- as is heavily implied but never quite
stated so bluntly -- it could have shipped detection of
L0phtCrack with a much shorter delay than reported.
Anyway, *why* did NAI also detect L0phtCrack? There
are two possibilities here. As I've posited in Trend's
case, it may be that a "sufficient number" of NAI
clients requested it. Another possibility which we see
all the time in the AV industry is that some NAI
clients who also use Trend scanners noticed that Trend
was detecting something where NAI's scanners were not.
When this happens and the non-detecting vendor is
queried as to why they do not detect something another
AV vendor does, the usual response is that tech support
asks for a copy of the "something" and the non-
detecting vendor's analysts look at it. In cases where
a new virus or worm is found, it is straightforward --
detection of it is added to the product.
Unfortunately, users become "upset" about all manner of
other things too -- things that are clearly not self-
replicating, but which can easily be seen to be "not
necessarily desirable". Common examples of these are
the so-called "joke programs" that many AV vendors
detect and "Trojan Horse" programs. By definition,
Trojans require a judgment call -- what exactly is
"undesirable" program behaviour? -- there are clearly
"situational" aspects, but how can a scanner make those
calls at run-time? It can't, so it becomes a build-
time decision. This probably (hopefully!) seems very
straightforward to those reading this message, but the
reality is that way too many users of AV software do not
understand that one person's Trojan can be another's
most useful utility. Unfortunately, the tech support
departments of the AV developers bear the brunt of this
particular ignorance, so much history has "taught" many
developers that the best thing to do is detect all the
same Trojans as any of your competitors (at least, that
is, if there is a modest chance that your users will
come across it).
It would be nice if this were not the case and I have
suggested a mechanism whereby the AVers could avoid this
stupidity altogether, making it purely a matter of
internal policy on a site-by-site basis.
> >L0phtCrack is obviously neither a trojan ...
I cannot accept that. Given that Trojans are (loosely
-- we do not want to get into definition debates over
this, as whichever way you cut "Trojan" there is always
room for an interpretative element) "undesirable
programs", I'm sure that you will find system admins
who find L0phtCrack "undesirable in the hands of
ordinary users". You can debate them till the cows
come home, but you will not convince some of them.
Thus, *for those people* it is a Trojan. (FWIW, I
disagree with the position that L0phtCrack is a local
security threat -- if you have good security policies
and procedures in place, L0phtCrack should not cause you
any concerns. However, I can still see an argument
whereby it is something a concerned admin would want to
be alerted to if found -- the possibility that someone
inside your organization is doing something undesirable
with/to some other organization, for example, but we
digress.)
> ... or virus. These AV messages are
> >erroneous.
On that we agree. The NAI scanner has the same brain-
dead design, as regards reporting detection incidents,
as the Trend scanner. In this case, I'd suggest that
the user and weld pond complain to NAI for this grossly
misleading, potentially confusing and worry-imparting,
and (at least in weld pond's case) possibly defamatory,
statement.
--
Nick FitzGerald
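An added illustration (not code from Trend, NAI, or any poster in this thread) of the two matching styles described in the post above, a scan string searched anywhere in a file versus one checked only at a recorded position, together with category-aware report wording and a per-site policy table. The byte patterns, detection name, categories and policy actions are all constructed for the example.

```python
"""Toy model of two scan-string styles and category-aware reporting.

Everything here is constructed for illustration: the byte patterns,
detection names, categories and policy actions are not taken from any
real scanner's data files.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Detection:
    name: str                     # constructed detection name
    category: str                 # "virus", "trojan" or "tool"
    pattern: bytes                # constructed scan string
    offset: Optional[int] = None  # file position, if the record carries one


def scan_anywhere(data: bytes, records: List[Detection]) -> List[Detection]:
    """'Grunt scanning': the string may sit anywhere in the file."""
    return [r for r in records if r.pattern in data]


def scan_positioned(data: bytes, records: List[Detection]) -> List[Detection]:
    """Positioned matching: every record must say where to look."""
    hits = []
    for r in records:
        if r.offset is None:
            # A record written for the other engine is unusable here.
            raise ValueError(f"{r.name}: no positioning info")
        if data[r.offset:r.offset + len(r.pattern)] == r.pattern:
            hits.append(r)
    return hits


def naive_report(filename: str, hit: Detection) -> str:
    """The one-size-fits-all wording criticised in the post above."""
    return f"{filename} is infected with the {hit.name} virus"


WORDING = {
    "virus": "{f} is infected with the {n} virus",
    "trojan": "{f} was identified as {n}, classed as a Trojan",
    "tool": "{f} was identified as {n}, a security tool (not self-replicating)",
}


def report(filename: str, hit: Detection) -> str:
    """Wording chosen by category, so non-viral hits are not called viruses."""
    return WORDING[hit.category].format(f=filename, n=hit.name)


def action(hit: Detection, site_policy: Dict[str, str]) -> str:
    """Per-site decision: the scanner classifies, the site decides."""
    return site_policy.get(hit.category, "alert")


# Constructed sample data -------------------------------------------------
MARK = b"PWAUDIT-DEMO-BANNER"
TOOL_FILE = b"MZ" + b"\x00" * 62 + MARK + b"\x00" * 32   # marker at offset 64
NOTES_FILE = b"Ticket 1: scanner flagged the string " + MARK + b" today.\n"

ANYWHERE = [Detection("DEMO_PWAUDIT", "tool", MARK)]
POSITIONED = [Detection("DEMO_PWAUDIT", "tool", MARK, offset=64)]

ADMIN_WORKSTATION = {"virus": "block", "trojan": "block", "tool": "allow"}
USER_DESKTOP = {"virus": "block", "trojan": "block", "tool": "alert"}

if __name__ == "__main__":
    for label, data in (("tool.exe", TOOL_FILE), ("notes.txt", NOTES_FILE)):
        a = [h.name for h in scan_anywhere(data, ANYWHERE)]
        p = [h.name for h in scan_positioned(data, POSITIONED)]
        print(f"{label}: anywhere={a} positioned={p}")
    hit = scan_positioned(TOOL_FILE, POSITIONED)[0]
    print(naive_report("tool.exe", hit))
    print(report("tool.exe", hit))
    print("admin:", action(hit, ADMIN_WORKSTATION),
          "user:", action(hit, USER_DESKTOP))
```

The text file that merely quotes the marker is flagged by the anywhere search but not by the positioned check, and a record without an offset cannot be loaded by the positioned engine at all.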
> >>>>>some people would like to believe bo2k and netbus pro are not trojans, but
> so long as they can be run/installed invisibly (whether by design or by
> design flaw) they will be detected as such...<<<<
>
> Kurt,
> L0pht crack does not install invisibly hence it differs from
> netbus/etc. If anybody cares to look at Microsoft's page they will see that
> M$ recommend the use of a "password testing" tool such as L0pht crack to test
> system security..
i didn't say it was another instance of netbus pro, i was just using that
as an example... i suspect there are many reasons why any given program
might be considered a trojan...
It is also commercial and if I were L0pht I would be suing for damage
to trade or something along those lines.
-==-==-==-==-==-==-==-==-==-==-==-==-==-==-
http://members.xoom.com/avdisk
Get AVDisk5 (F-Prot) and AVPDisk1 (AVPLite)
-==-==-==-==-==-==-==-==-==-==-==-==-==-==-
If the sales teams from each company were wanting to guarantee their ability
to bid on possible new business, you can bet that the product would be fast
updated to include detection for this. Remember, systems administrators
KNOW what is bad out there. Many find out the hard way, and wish that the
same old tool would clean up every mess.
Although this newsgroup has enough expert commentary to prove out that l0pht
crack is not a virus, the fact is business rules generally dictate the
liberal definition of virus. I really think it's time the industry as a
whole redefines the word more generally. Perhaps simplest would be, "An
undesirable program."
That is the only legitimate reason I can think of for the simultaneous
addition of l0pht detection to two vendors' anti-virus programs.
Tony
"Joakim von Braun" <joakim.v...@risab.se> wrote in message
news:joakim.von.braun...@d212-151-178-14.swipnet.se...
> Sisters and Brothers,
>
> I do not have an approval to do this, but I felt I had to share this mail
> with everyone in alt.comp.virus.
>
> Joakim
>
> >Approved-By: Russ....@RC.ON.CA
> >Date: Thu, 16 Dec 1999 21:16:53 -0500
> >Reply-To: Weld Pond <we...@L0PHT.COM>
> >Sender: Windows NTBugtraq Mailing List <NTBU...@LISTSERV.NTBUGTRAQ.COM>
> >From: Weld Pond <we...@L0PHT.COM>
> >Subject: Re: Alert: W32.NewApt.Worm being sent to NTBugtraq subscribers
> >Comments: To: Russ <Russ....@RC.ON.CA>
> >To: NTBU...@LISTSERV.NTBUGTRAQ.COM
> >
> >OK, you said not to reply but I have further proof that the antivirus
> >companies are just copying each other's data without thinking about it.
> >
> >A funny thing happened on Nov 19, 1999. A l0phtcrack customer emailed our
> >support address to complain that Trend Micro's antivirus program was
> >detecting a "virus" in the l0phtcrack 2.52 executable file. It detected
> >something called the TROJ_L0PHTCRACK virus. The customer wanted to make
> >sure they were not infected. Trend Micro had included a TROJ_L0PHTCRACK
> >signature in their version 610 signature file.
> >
> >Then on Dec 16 we got another message from a customer complaining that
> >NAI's VirusScan with the version 4056 signature file was now detecting the
> >"Lophtcrack" (sic) virus. The program actually pops up a message box
> >stating "The file l0phtcrack.XXX on YYY is infected with the virus
> >Lophtcrack. Unable to clean file."
> >
> >L0phtCrack was first released in 1997 and the latest version was released
> >in Jan. 1999. Is it a coincidence that both AV vendors are just getting
> >around to deciding L0phtCrack is a virus/trojan? I don't think so. My
> >hypothesis is someone at Trend Micro decided it was a virus and NAI
> >blindly copied their data. But who really knows.
> >
> >L0phtCrack is obviously neither a trojan nor virus. These AV messages are
> >erroneous.
> >
> >-weld
> >
> LophtCrack is a regular application that runs on a user's system, it is not
> like a trojan or keygrabber in anyway. It is also non-viral. Now... because
> it allows the user to audit a network's security does not make it "evil".
as a matter of fact, yes it is... the "user" should have no such
privilege...
> On Sun, 19 Dec 1999 17:02:31 GMT, kurt wismer wrote:
>
> >some people would like to believe bo2k and netbus pro are not trojans, but
> >so long as they can be run/installed invisibly (whether by design or by
> >design flaw) they will be detected as such...
>
> Yep; but this is just a password attacker. It's a somewhat dodgy thing for a
> normal user to have on a network, but it's by no means a trojan - it doesn't
> pretend to do anything else.
paul.... what, exactly, does bo2k pretend to do? nothing... that doesn't
mean it's not a trojan... trojans are a funny thing - lots of grey area...
in the right context format.exe can be a trojan...
format.exe does have a legitimate use, of course, and so too may
l0phtcrack... thing is, while most people have a legitimate need for
format.exe, most people do not have a legitimate need for l0phtcrack -
ergo instances of it are, more often than not, undesirable...
>> Yep; but this is just a password attacker. It's a somewhat dodgy thing for a
>> normal user to have on a network, but it's by no means a trojan - it doesn't
>> pretend to do anything else.
>paul.... what, exactly, does bo2k pretend to do? nothing... that doesn't
BO2K isn't visible to the user of the machine it's on, which makes it
slightly different. However, point taken. :) I need to be slightly more
precise with my words, I think.
Trend has since removed L0phtCrack from our pattern files. However,
some administrators do want to detect end users downloading cracking
tools. Not only do they not want their own networks compromised, they
don't want the liability of finding that some end user was hacking
others on company time from company equipment.
In the future, Trend will be providing ways to have different responses
for different types of programs being detected. Then we can allow
admins to automatically block or delete malicious code while simply
being alerted to downloads of other tools.
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
>BO2K isn't visible to the user of the machine it's on, which makes it
>slightly different.
Just a quick note, BO2K server can be configured so that it does not
hide as a service... you can also change what it is called on the task
list - which is by default "Remote Administration Service"
> pa...@nospam.demon.co.uk (Paul Walker):
>
> >BO2K isn't visible to the user of the machine it's on, which makes it
> >slightly different.
>
> Just a quick note, BO2K server can be configured so that it does not
> hide as a service...
sure, but implicit in that is the idea that it can be configured so that
it does hide - which is why av products detect it, it can easily be
misused and something has to alert potential victims to its presence...
While we're at it. AOL disks are somewhat viral. At least babylonia
respects the sanctity of my Cornflakes boxes!!!
In article <Pine.GSO.3.95.991222132424.1412A-100000@eddie>, kurt wismer
> Sorry about the bad formatting here, but I'm stuck using Remarq at
> work.. no news server.
> Anyway.
> I agree with programs such as keyloggers or other backdoor "hidden"
> programs being labeled as trojans. However, a program like lophtcrack,
> that does not hide,
it doesn't need to hide itself... if it's illegitimately in use by a user
of a network that user could hide it... then of course there's the fact
that there's a lot of files to go through on a network so an admin can't
be reasonably expected to check for those types of programs by hand...
> does not self-replicate, does not destroy any data,
> does not disguise its existence or intentions, and is recommended as a
> tool by microsoft is NOT in the same category. Now if the AV makers
> want to make a new category "HACKING tool" and add Lophtcrack as
> hacktool.lophtcrack or something so be it.
a hacking tool would still fall under the more general category of
trojan...
> However labeling it as a trojan is wrong.
that depends on your definition of trojan and how anal you want to be
about that definition...
> It would be much more
> appropriate to label MS windows as a virus... it is the single program
> that has wiped out the most files of any in the world.
viruses must self-replicate on some existing platform... trojans don't
have quite so functional a definition... trojans are, generally, bad or
undesirable programs and in the hands of most people that's exactly what
l0phtcrack is...
some people will claim that a trojan must pretend to be something good,
but most people don't require a lot (or any in some cases) convincing to
believe an arbitrary program is something good, that's why people run
strange email attachments...
microsoft recommends it because they didn't make it so they don't have to
be responsible for it...
> While we're at it. AOL disks are somewhat viral. At least babylonia
> respects the sanctity of my Cornflakes boxes!!!
and roaches (as well as babylonia *and* aol) respect the sanctity of my
cheerios... mice are a problem though, especially when their droppings
look very much like overcooked cheerios...
Lophtcrack is a program that runs a series of calculations on a local
set of password hashes. It is not hidden in a user's computer. In fact
unlike a trojan there really is no 'client'.
Let's go back to the people of troy... the trojan horse was the ultimate
trojan.. The people of troy stupidly accepted a gift, and out comes the
badguys and destroy their security.
Lophtcrack is more equivalent to the greeks trying to pick the lock at
the gate.
Now remember, windows security is pathetic at best. Combined with
stupid users, it is more fatal than any trojan. Lophtcrack allows the
sysadmin to quickly identify stupid users who use their name as a
password etc. For instance, I ran the program on my network and found
that one of the people whose hashes were easily cracked had his name
and a small number thinking he is clever. I am VERY thankful to
lophtcrack for the ability to detect such weaknesses in my windows
network. Because believe you me, there are many other programs out
there who will take advantage of these weaknesses and exploit them.
We can argue about this until we are both blue in the face.. perhaps it
would help if you told me your definition of a trojan? I just don't see
it as a trojan because I will never wake up one morning go to the
computer and find lophtcrack secretly running on my computer, unless I
launched it!.
I recommend you download it and give it a try for yourself www.l0pht.com
BTW stay away from those overcooked cheerios :)
In article <Pine.GSO.3.95.991224091348.1372E-100000@eddie>, kurt wismer
> I understand that lophtcrack may not be desirable in the hands of many
> users. But I don't consider it a trojan like the other programs because
> all trojans I have ever read about are either planted or plant
> themselves onto a user's network and perform undesired tasks or
> compromise that user's security.
then you have limited exposure to trojans... that doesn't make l0phtcrack
not a trojan, though...
> Lophtcrack is a program that runs a series of calculations on a local
> set of password hashes. It is not hidden in a user's computer. In fact
> unlike a trojan there really is no 'client'.
unlike a trojan? you're obviously confusing a specific subset of trojans
(remote access trojans) with the entire set... most trojans have no
'client'....
> Let's go back to the people of troy... the trojan horse was the ultimate
> trojan..
it would be better to say it was the definitive trojan...
> The people of troy stupidly accepted a gift, and out comes the
> badguys and destroy their security.
>
> Lophtcrack is more equivalent to the greeks trying to pick the lock at
> the gate.
not quite... it's equivalent to the greek infiltrator trying to get into
the war chest after already having fooled the people of troy into thinking
s/he should be within the city walls... (users shouldn't be trying to
crack their own network...)
which, quite frankly is not far removed from soldiers jumping out of a
wooden horse after fooling the people of troy into thinking it should be
within the city walls...
> Now remember, windows security is pathetic at best. Combined with
> stupid users, it is more fatal than any trojan. Lophtcrack allows the
> sysadmin to quickly identify stupid users who use their name as a
> password etc. For instance, I ran the program on my network and found
> that one of the people whose hashes were easily cracked had his name
> and a small number thinking he is clever. I am VERY thankful to
> lophtcrack for the ability to detect such weaknesses in my windows
> network. Because believe you me, there are many other programs out
> there who will take advantage of these weaknesses and exploit them.
fine and dandy, but you're the exception, not the rule... in the hands of
one of your users this same program could be used to help identify easy
marks for cracking passwords...
the trivial example is format... format as you know has a very legitimate
use - rename it to sexypic.exe and tell people they have to run it with
the parameters /u c: to see the naked lady pictures and you've got a
trojan...
l0phtcrack does have a legitimate use, i never said it didn't... but under
the majority of contexts where it can be found it is a trojan...
> We can argue about this until we are both blue in the face.. perhaps it
> would help if you told me your definition of a trojan? I just don't see
> it as a trojan because I will never wake up one morning go to the
> computer and find lophtcrack secretly running on my computer, unless I
> launched it!.
that is true of most trojans...
a trojan is, generally, a bad or undesirable program... there is no
functional definition of trojan like there is for viruses - it has always
been a judgement call sort of thing... under the strictest definition a
trojan must also pretend (at least) to be something good, but in today's
world existing is approximately equivalent to pretending to be something
good...
> I recommend you download it and give it a try for yourself www.l0pht.com
no thanks... i don't have a network to test it on anyways...
> BTW stay away from those overcooked cheerios :)
they're not always the easiest thing in the world to find...
kurt wismer <g9k...@cdf.toronto.edu> wrote in news article:
Pine.GSO.3.95.991224161901.16066B-100000@eddie...
<SNIP>
Let's cut this discussion short, shall we?
L0phtcrack is something Admins don't want on their network, at least
not in the wrong (i.e. non-Admin-Hands).
If virus-scanners detect it, then the Admins get notified, just like
with BO, Netbus, etc.
If the Admins want to use L0pht, they use one of their own PC's for
it, and are smart enough to ignore the warnings or disable the
scanner. At the same time, they make sure that the Users can't do
this.
End of it: Safe PC's, safe net, happy Admins, and nobody cares if you
call L0pht an Admin Tool or a trojan.
--
Juergen Nieveler
Support the ban of Dihydrogen Monoxide: http://www.dhmo.org/
"The people united can never be ignited!"
Sgt. Colon, Ankh-Morpork City Watch (Night Shift)
PGP-Key available under
www.netcologne.de/~nc-nievelju/
I would not object to a different labeling. Or even a security hazard
labeling. I understand that Kurt thinks it's a trojan, but really I
doubt anyone who has actually downloaded it would agree that the
program is quite as nasty as some people in the newsgroups or the media
for that matter have made it. People like to take programs like
l0phtcrack and blame them for their own pathetic enforcement of
security procedures, and their operating system provider (usually
Microsoft)'s utter disregard for the security of their user's operating
environment.
KURT: You are definitely right that there are many trojans that are not
access clients, but the "victim" of those trojans generally triggers
them, or lets them in the gates unaware of their use. The user
downloading l0pht applications knows full well what he or she does. So
the issue becomes not one of a trojan, or an enemy infiltrator, but
rather of an internal security issue.
While there may be no one definition for a trojan, there must be some
factors that all trojans have in common.
Has anyone installed the microsoft media player recently? Notice how it
resets all of your registry settings for all media formats to itself!!
I wish they would alert me to that kind of activity!!!
:)
Happy Holidays and safe Y2k everyone. :)
In article <845ule$22s$1...@news.netcologne.de>, "Juergen Nieveler"
if one does not have access to the network at all, to wit: no user i.d.
and/or password, is there a way to use LOphtCrack, say from DOS or startup
to gain access to the network and then begin p/w hashes?
thanx 4 any help!!
To protect yourself, make all your users use strong password
protection. Make sure they are by running a tool like lophtcrack before
some hacker does, and disable booting to floppy.
This will greatly reduce the chance of someone getting your passwords.
Hope this helps
-Andreas
[snip]
> KURT: You are definitely right that there are many trojans that are not
> access clients, but the "victim" of those trojans generally triggers
> them, or lets them in the gates unaware of their use. The user
> downloading l0pht applications knows full well what he or she does. So
> the issue becomes not one of a trojan, or an enemy infiltrator, but
> rather of an internal security issue.
most trojans do get let in the gates with the user unaware of their
nefarious purpose, however, in such circumstances those users are the
administrators of those systems (a home computer user/owner is the
administrator of that system)... it is undesirable because the
administrator says that s/he doesn't want some program nuking his/her
files...
in a network there are lots of users, but it's still the administrator who
says what should and should not be on the system and the fact that the
*user* knew what s/he was doing is irrelevant...
> While there may be no one definition for a trojan, there must be some
> factors that all trojans have in common.
there is, i've said it three times already... they do undesirable
things... that's what they have in common...
> Has anyone installed the microsoft media player recently? Notice how it
> resets all of your registry settings for all media formats to itself!!
> I wish they would alert me to that kind of activity!!!
> :)
yes, well that's undesirable certainly and microsoft is on the ropes for
those kinds of practices... it could indeed be considered a trojan,
however most people will tolerate it simply because they want the
functionality the program offers...
I would be happy if they re-classified l0pht as a hacking tool or
something.
In article <Pine.GSO.3.95.1000101125851.18824A-100000@eddie>, kurt
> It's hard to argue with a person when they present a constantly moving
> target. Certainly the format c: command is one that is not to be used
> by a user on a network, but this is not a trojan.
this just demonstrates your lack of understanding of what makes a
trojan... under the right circumstances format c: *is* a trojan...
> One can't just define
> trojans as being things that do "undesirable" things.
that is how they're defined... there is no definition that describes their
function, or some class of function or behaviour, they are defined by
expectations and circumstances - and no matter how much you say "it
shouldn't be so" it won't change the fact that it is...
and since this is what i've been saying since the beginning, i haven't
been presenting a constantly moving target...