pcwebspy


fred

Oct 13, 2008, 10:01:38 PM
to digital-...@googlegroups.com
PCWebSpy is a mini webserver that runs from the command line of your computer. The web server will return basic system information, username, userdomain and a screenshot every time the browser is refreshed. This software also supports Linux, Mac OS X and Windows, as it's developed in Mono.
http://www.hackerforums.org/index.php/topic,55.0.html
This one will be interesting to see how long it stays under the anti-virus radar.  And will re-compiling fix that?

Justin Flowers

Oct 13, 2008, 10:32:14 PM
to digital-...@googlegroups.com
I think the "Race to Zero" at Defcon proved signature-based AV is ineffectual. The question is how good is the behavioral detection these days?
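To make concrete what Fred's "will re-compiling fix that?" and Justin's "signature based AV is ineffectual" are about, here is an added toy example (it is not PCWebSpy's code and not any AV vendor's engine). It models a scanner that matches a fixed byte pattern, shows that changing one string constant before rebuilding or XOR-packing the file on disk defeats that match, and shows why an engine that watches the program unpack itself at run time (the "behavioral" side Justin asks about) still sees the original bytes. The signature name, the sample bytes and the XOR key are all constructed for the example.

```python
# Added example (not PCWebSpy's code and not any AV product's engine): a toy
# byte-signature scanner, to show what "staying under the radar" means for a
# signature-based detector and why a small change to the binary defeats it.
# All sample bytes and signature names below are constructed for this example.

SIGNATURES = {
    # signature name -> byte pattern the scanner looks for
    "Backdoor.Toy.PCWebSpy": b"PCWebSpy HTTP/1.0",
}

# Constructed stand-in for a compiled tool: a fake executable header, an
# embedded string the signature keys on, and some filler bytes.
SAMPLE_BINARY = b"MZ\x90\x00" + b"PCWebSpy HTTP/1.0 screenshot" + bytes(16)


def scan(blob: bytes, signatures: dict = SIGNATURES) -> list:
    """Return the names of every signature whose pattern appears in blob."""
    return [name for name, pattern in signatures.items() if pattern in blob]


def rebuild_with_string_change(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Model 're-compiling' after editing one string constant in the source.
    A signature anchored on that string no longer matches the new build."""
    return blob.replace(old, new)


def pack(blob: bytes, key: int) -> bytes:
    """Model a trivial packer: XOR every byte with key so that no literal
    pattern from the original survives in the file on disk."""
    if not 0 < key < 256:
        raise ValueError("key must be in 1..255 (0 would leave the bytes unchanged)")
    return bytes(b ^ key for b in blob)


def unpack(blob: bytes, key: int) -> bytes:
    """XOR is its own inverse; this is what the packed stub does in memory."""
    return pack(blob, key)


def scan_at_runtime(packed: bytes, key: int) -> list:
    """Model a behavioral/emulating engine: it watches the stub unpack itself
    and scans the result, so the on-disk obfuscation buys nothing there."""
    return scan(unpack(packed, key))


if __name__ == "__main__":
    print("on disk, unmodified :", scan(SAMPLE_BINARY))
    print("string changed      :",
          scan(rebuild_with_string_change(SAMPLE_BINARY, b"PCWebSpy", b"PCWebSpi")))
    packed = pack(SAMPLE_BINARY, 0x5A)
    print("packed, on disk     :", scan(packed))
    print("packed, at run time :", scan_at_runtime(packed, 0x5A))
```

The point of the last function is the caveat: a static signature is only as good as the bytes it anchors on, so a rebuild or a packer beats it, while an engine that observes what the program does (or unpacks it first) is not fooled by the same trick.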

Duff

Nov 9, 2008, 8:08:25 AM
to Digital Paranoia
If you want to read a scary document about antivirus, check out the document "The Death of Defense in Depth.pdf". It's up on the Google Groups "Files" section. Basically talks about how AV actually makes you LESS secure since it provides another attack vector and then lists some rootable vulns that have been discovered in common AV software.

Good times!

--Ian

Nick Jensen

Nov 9, 2008, 3:48:39 PM
to digital-...@googlegroups.com
Why should this be an antivirus issue? What attack vector are you imagining?
--
(\) | ( |<
--.- - ..-. .. -- .. -.-
http://jensen-nick.blogspot.com/

Ian Duffy

Nov 9, 2008, 8:14:43 PM
to digital-...@googlegroups.com
The article mentions virus scanners that, for example, know how to scan inside zip files or how to scan OLE embedded objects within MS Office documents. The parsing engines inside these virus scanners, according to the document, are susceptible to the same bounds-checking and malformed-file parsing issues that any other application (e.g. WMF file parsing, ANI file parsing, etc.) is susceptible to. Thus you can (theoretically) "root" a virus scanner and use it to gain access to a system just by getting it to scan your malformed file. The document authors claim to have done this and also to have had mixed responses from the AV vendors when they tried to notify them of the vulnerability in their product.

The reason I brought up AV detection was because Justin mentioned the "race to zero" and how bad AV is at detecting things that have been obfuscated. I was taking obfuscation to the next level -- weaponization. The doc is an interesting read.

--Ian
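The class of bug Ian describes (a scanner's archive parser trusting the lengths a file declares about itself) is easiest to see on the ZIP local file header, which is the structure an "inside the zip" scanner has to walk. The following is an added example, not code from the document Ian cites and not any AV engine: a minimal parser for stored (uncompressed) entries that checks every declared length against the bytes actually present before using it, plus a fixture that builds a well-formed entry and a mutation that sets the name-length field to 64 KiB the entry does not carry. The archive bytes are constructed inline; the CRC check uses the standard library's zlib.crc32.

```python
# Added example (not from the document Ian describes and not any AV engine's
# code): a minimal parser for one ZIP "local file header", written the way a
# scanner that looks inside archives has to be written. Every length the
# header declares is checked against the bytes actually present before it is
# used. The sample archive is constructed inline.
import struct
import zlib

LOCAL_SIG = b"PK\x03\x04"
# signature, version, flags, method, mtime, mdate, crc32, csize, usize, name_len, extra_len
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")   # 30 bytes, little-endian
NAME_LEN_OFFSET = 26                            # byte offset of name_len in the header


class MalformedArchive(ValueError):
    """Raised instead of reading or copying outside the buffer."""


def parse_local_entry(buf: bytes, offset: int = 0):
    """Return (name, stored_data, next_offset) for the entry at offset."""
    if offset < 0 or offset + LOCAL_HEADER.size > len(buf):
        raise MalformedArchive("header runs past end of buffer")
    (sig, _ver, _flags, method, _mt, _md, crc, csize, _usize, nlen, xlen) = \
        LOCAL_HEADER.unpack_from(buf, offset)
    if sig != LOCAL_SIG:
        raise MalformedArchive("not a local file header")
    if method != 0:
        raise MalformedArchive("only stored (method 0) entries are handled here")
    pos = offset + LOCAL_HEADER.size
    # The check the parsers Ian describes get wrong: the header's own numbers
    # decide how many bytes get copied. Python ints cannot wrap, but in a C
    # parser this same sum can overflow 32 bits and slip past a naive test.
    end = pos + nlen + xlen + csize
    if end > len(buf):
        raise MalformedArchive(
            f"declared lengths ({nlen}+{xlen}+{csize}) exceed the {len(buf) - pos} bytes present")
    name = buf[pos:pos + nlen]
    data = buf[pos + nlen + xlen:end]
    if zlib.crc32(data) & 0xFFFFFFFF != crc:
        raise MalformedArchive("crc32 mismatch")
    return name.decode("ascii", errors="replace"), data, end


def list_entries(buf: bytes) -> list:
    """Walk consecutive local entries; stop at the central directory or end."""
    entries, offset = [], 0
    while offset < len(buf) and buf[offset:offset + 4] == LOCAL_SIG:
        name, data, offset = parse_local_entry(buf, offset)
        entries.append((name, data))
    return entries


def build_stored_entry(name: bytes, data: bytes) -> bytes:
    """Construct a well-formed, uncompressed entry (test fixture)."""
    header = LOCAL_HEADER.pack(LOCAL_SIG, 20, 0, 0, 0, 0,
                               zlib.crc32(data) & 0xFFFFFFFF, len(data), len(data),
                               len(name), 0)
    return header + name + data


def corrupt_name_length(entry: bytes, bogus: int = 0xFFFF) -> bytes:
    """Produce the malformed input: claim a 64 KiB file name the entry does not carry."""
    mutable = bytearray(entry)
    struct.pack_into("<H", mutable, NAME_LEN_OFFSET, bogus)
    return bytes(mutable)


def is_well_formed(buf: bytes) -> bool:
    try:
        list_entries(buf)
        return True
    except MalformedArchive:
        return False


if __name__ == "__main__":
    good = build_stored_entry(b"notes.txt", b"hello")
    print(list_entries(good))
    print("well-formed:", is_well_formed(good))
    print("with bogus name length:", is_well_formed(corrupt_name_length(good)))
```

A parser that skipped the `end > len(buf)` comparison would, in C, memcpy 65535 bytes of "file name" out of a buffer that holds a few dozen; that is exactly the malformed-file route into the scanner that the document Ian summarizes is about, and the scanner runs with whatever privileges the on-access hook gave it.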

Nick Jensen

Nov 10, 2008, 6:30:17 AM
to Ian Duffy, Digital Paranoia
Agreed that yours was AV related... I was replying to Fred's original. He mentioned that he wondered how long it would be before the AV vendors caught on... and I was thinking "catch on to what?". PCWebSpy is an app, meant to do what it does. It's not a virus/worm that the AV vendors are going to scramble a fix for. Possible mitigations for this in an enterprise environment are: firewall, policy against unapproved apps... It just doesn't seem like a huge threat to me and I was wondering if I missed something.

fred

Nov 10, 2008, 7:35:56 AM
to digital-...@googlegroups.com, Ian Duffy
AV will develop signatures for PCWebSpy just like they did for BO, NetBus and every other backdoor that receives enough attention to get on their radar. 1) This would be a useful app to have during a pentest, and the fact that it runs a web server might help in getting it through the firewall (if the firewall allows HTTP). Policy against unapproved apps? When has that stopped anyone? After rooting a system it might be useful to use this program to gather more information; the fact it does screenshots helps with documentation, and going over port 80 should make it possible to get through. It's possible you might guess the FrontPage upload password and drop this in a folder that gets run. Or a SQL injection to grab PCWebSpy and run that... If there are AV signatures for it then it would need to be modified to avoid AV. While that is doable I don't know how easy it would be or how much testing would be required. Really, wouldn't you need to run it across all the possible AV vendors to be sure you didn't miss anything? You'd probably only get one chance.