Velocity Reviews - Computer Hardware Reviews

Cwings was here?

jaygreg
07-03-2006
Reading online news clippings this morning, I clicked on a business article
Google News clipped for me and found nothing but the subject entry at the
top. Since I'm still recovering from a virus attack on my main machine, I'm
paranoid. Can anyone tell me what this is? Do I have anything to worry
about? My Symantec SystemWorks suite of programs is running full force and
gave me no signal.

Sebastian Gottschalk
07-03-2006
jaygreg wrote:
> Reading online news clippings this morning, I clicked on a business
> article Google News clipped for me and found nothing but the subject
> entry at the top.

Web errors are spooky!

> Since I'm still recovering from a virus attack on my main machine, I'm
> paranoid.

Huh? A properly flattened and rebuilt system shouldn't exhibit such
behaviour.

> My Symantec SystemWorks suite of programs is running full force and
> gave me no signal.

Why should it do so?

jaygreg
07-03-2006
Response too cryptic. What is the implication of a message that reads
"Cwings was here?"

Sebastian Gottschalk
07-03-2006
jaygreg wrote:
> Response too cryptic. What is the implication of a message that reads
> "Cwings was here?"

That either some malicious guy or an incompetent administrator ****ed up
something.

Maybe it's also Symantec SystemWorks randomly ****ing up everything,
just as it's supposed to do.

Todd H.
07-03-2006
"jaygreg" writes:

> Response too cryptic. What is the implication of a message that reads
> "Cwings was here?"


Well I gotta say that your original post wasn't really a hallmark of
clarity. #include <glasshouses.h> and all.

But on a more helpful note, I think what Sebastian was emphasizing is
that the only proper way to recover from a malware infection is to
reformat the drive and reinstall from original media. Doing anything
less leaves the door open to your still being owned.

"Cwings was here," depending on where you saw it, may indicate a
website was defaced. It could mean you're still owned. It's hard to
tell which with what you've described. If it was a specific site you
visited and you post the URL, perhaps others can help you distinguish
as to whether the message you saw was indicative of a web site being
defaced, or your own machine still having malware on it.


If you're worried about your machine, do the right thing and reformat
your drive, and reinstall your OS and apps from original media, apply
all security updates from behind a very tightly configured hardware
firewall, and go from there.

Best Regards,
--
Todd H.
http://www.toddh.net/

Sebastian Gottschalk
07-03-2006
Todd H. wrote:

> If you're worried about your machine, do the right thing and reformat
> your drive, and reinstall your OS and apps from original media, apply
> all security updates from behind a very tightly configured hardware
> firewall, and go from there.


Nitpick: With the pretty unjustified assumption that you carefully
utilized least privilege users, the damage is limited to the user's
account and all his files.

Todd H.
07-03-2006
Sebastian Gottschalk writes:

> Todd H. wrote:
>
> > If you're worried about your machine, do the right thing and reformat
> > your drive, and reinstall your OS and apps from original media, apply
> > all security updates from behind a very tightly configured hardware
> > firewall, and go from there.

>
> Nitpick: With the pretty unjustified assumption that you carefully
> utilized least privilege users, the damage is limited to the user's
> account and all his files.


Yeah, pretty unjustified assumption indeed. Especially given the
original poster's headers:
X-Newsreader: Microsoft Outlook Express 6.00.2800.1409

On that OS, an attacker owns a user and then can typically DLL inject
their way to Admin without much added effort.

--
Todd H.
http://www.toddh.net/

Sebastian Gottschalk
07-03-2006
Todd H. wrote:
> Sebastian Gottschalk writes:
>
>> Todd H. wrote:
>>
>>> If you're worried about your machine, do the right thing and reformat
>>> your drive, and reinstall your OS and apps from original media, apply
>>> all security updates from behind a very tightly configured hardware
>>> firewall, and go from there.

>> Nitpick: With the pretty unjustified assumption that you carefully
>> utilized least privilege users, the damage is limited to the user's
>> account and all his files.

>
> Yeah, pretty unjustified assumption indeed. Especially given the
> original poster's headers:
> X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
>
> On that OS, an attacker owns a user and then can typically DLL inject
> their way to Admin without much added effort.


DLL inject? Pretty unlikely, as it requires admin rights in the first place
- did you mean DLL redirection? More likely he will misuse wrong ACLs on
system services, or generally send arbitrary keystrokes whenever a CMD
shell with admin rights is invoked.

Todd H.
07-04-2006
Sebastian Gottschalk writes:
> Todd H. wrote:
> > Sebastian Gottschalk writes:
> >
> >> Todd H. wrote:
> >>
> >>> If you're worried about your machine, do the right thing and reformat
> >>> your drive, and reinstall your OS and apps from original media, apply
> >>> all security updates from behind a very tightly configured hardware
> >>> firewall, and go from there.
> >> Nitpick: With the pretty unjustified assumption that you carefully
> >> utilized least privilege users, the damage is limited to the user's
> >> account and all his files.

> >
> > Yeah, pretty unjustified assumption indeed. Especially given the
> > original poster's headers:
> > X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
> >
> > On that OS, an attacker owns a user and then can typically DLL inject
> > their way to Admin without much added effort.

>
> DLL inject? Pretty unlikely, as it requires admin rights in first place
> - did you mean DLL redirection? More likely he will misuse wrong ACLs on
> system services, or generally send arbitrary keystrokes whenever a CMD
> shell with admin rights is invoked.


pwdump2 uses dll injection according to the authors of the program in
the readme. Wanna call it redirection instead, go nuts. The attack
piggybacks off the lsass process, yes. It does not require the user
who attacks this way to have admin rights. The bad guys get the
password hashes, they crack the password hashes quickly with rainbow
tables and voila, administrator accesss.

I left a word misspelled for ya if you'd like to point that out in
your next followup.

Best Regards,
--
Todd H.
http://www.toddh.net/

Sebastian Gottschalk
07-04-2006
Todd H. wrote:

>> DLL inject? Pretty unlikely, as it requires admin rights in first
>> place - did you mean DLL redirection? More likely he will misuse
>> wrong ACLs on system services, or generally send arbitrary
>> keystrokes whenever a CMD shell with admin rights is invoked.

>
> pwdump2 uses dll injection according to the authors of the program in
> the readme.


pwdump2 doesn't work as non-admin.

> Wanna call it redirection instead,


Would you please utilize Google if the terminology isn't clear to you?

> The attack piggybacks off the lsass process, yes. It does not
> require the user who attacks this way to have admin rights.


It does, it does.

> The bad guys get the password hashes, they crack the password hashes
> quickly with rainbow tables


Too bad that rainbow tables don't work against NTLM hashes. And if
you've got an LM hash, you're ****ed off anyway.
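An added illustration from the editor, not part of the thread, of the point the last two posts argue over: an NT hash is an unsalted MD4 of the UTF-16LE password, so a lookup table computed once applies to every dump, whereas a salted, iterated hash forces the work to be redone per salt. The wordlist, user names and passwords below are constructed samples, and MD4 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3.

```python
import hashlib
import os
import struct

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's 'md4' is often missing under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    rounds = (  # (mix function, round constant, message-word order, shift amounts)
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, k, order, shifts in rounds:
            for j, i in enumerate(order):
                v[0] = rol((v[0] + fn(v[1], v[2], v[3]) + X[i] + k) & MASK, shifts[j % 4])
                v = [v[3], v[0], v[1], v[2]]  # rotate roles: (a, b, c, d) -> (d, a, b, c)
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE password): no salt, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le")).hex()

def salted_hash(password: str, salt: bytes) -> str:
    """Salted, iterated alternative: a table built for one salt is useless for another."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000).hex()

WORDLIST = ["password", "letmein", "summer2006", "Welcome1"]  # constructed sample list

def lookup(hashes: dict, table: dict) -> dict:
    """Reverse each hash through a precomputed hash->password table (the rainbow-table idea)."""
    return {user: table.get(h) for user, h in hashes.items()}

def demo():
    nt_table = {nt_hash(w): w for w in WORDLIST}  # built once; constructed dump: alice in list, bob not
    nt_found = lookup({"alice": nt_hash("password"), "bob": nt_hash("Tr0ub4dor&3")}, nt_table)
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    salted_table = {salted_hash(w, salt_a): w for w in WORDLIST}  # only valid for salt_a
    salted_found = lookup({"alice": salted_hash("password", salt_b)}, salted_table)
    return nt_found, salted_found
```

demo() returns ({'alice': 'password', 'bob': None}, {'alice': None}): the unsalted table recovers any wordlist password in any dump it is ever applied to, while the salted table built under salt_a recovers nothing hashed under salt_b.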
 