Anonymous hackers - how dey do dat?

Discussion in 'Computer Security' started by RayLopez99, Dec 10, 2010.

  1. RayLopez99

    Dustin Guest

    Weapons are hot, we are within range. Awaiting orders.


    --
    Hackers are generally only very weakly motivated by conventional rewards
    such as social approval or money. They tend to be attracted by
    challenges and excited by interesting toys, and to judge the interest of
    work or other activities in terms of the challenges offered and the toys
    they get to play with.
     
    Dustin, Dec 13, 2010
    #41

  2. RayLopez99

    RayLopez99 Guest

    So if a remote vector gets "high privilege", it would presumably burn
    a lot of CPU cycles, and maybe overwhelm the machine or lock it up?
    Is that the idea? Aside from the Denial Of Service argument, I'm not
    sure what "getting processing power with high privilege (as opposed to
    the limited privilege usually gained in a 'userland' environment)."
    means

    RL
     
    RayLopez99, Dec 13, 2010
    #42

  3. RayLopez99

    RayLopez99 Guest

    That was not the forum originally posted in. These are sites that
    archive Usenet. Do you have the original forum?

    RL
     
    RayLopez99, Dec 13, 2010
    #43
  4. RayLopez99

    RayLopez99 Guest

    Talking to yourself again? How many handles do you have, nymshifter?

    RL
     
    RayLopez99, Dec 13, 2010
    #44
  5. It could deeply entrench itself into the OS. Not just by being able to
    place an invocation to itself in a registry run or runonce, but by
    registering itself as a driver or even modifying the bootstrap code. In
    'userland' it wouldn't even be able to write to certain areas of the
    registry or filesystem.

    Admin processing power has greater scope than userland processing power
    does.
    Denial of service goes beyond just the simplest form of crashing the
    machine or application. Beyond just denying you the use of processing
    power, it can use it for itself - remote code execution exploits *start*
    with a DoS. Most modern malware wants to *install* itself on the machine
    so that it can always run when you boot up the machine. Userland
    privileges are supposed to be insufficient to accommodate this task,
    while administrative privileges are supposed to be able to do this.

    When a user executes a (malware) program, the program assumes the same
    privileges as the user enjoys. If it can *install* from userland, it
    would have to be exploiting some flaw to enable it to escalate to admin,
    and if it downloaded and executed automatically, it would have to
    exploit a 'remote code execution' exploit (or a remote code execution
    w/privilege escalation exploit). Neither of which are mentioned in the
    referenced article (or any others that I have read).
     
    FromTheRafters, Dec 13, 2010
    #45
  6. RayLopez99

    Dustin Guest

    No. Essentially, acquiring high privilege is the same as running as user
    administrator when you're using a LUA (limited user access) account.

    Some malware can exploit various security configuration errors sometimes
    performed by users during Windows installation. Other malware will seek
    out a vulnerability within the OS to do the same thing. Obtain
    administrator (or system level; whichever is better for the malware)
    rights hopefully without your knowledge.

    It won't necessarily burn a lot of CPU cycles, either.


     
    Dustin, Dec 14, 2010
    #46
  7. From: "Dustin" <>


    | No. Essentially, acquiring high privilege is the same as running as user
    | administrator when you're using a LUA (limited user access) account.

    | Some malware can exploit various security configuration errors sometimes
    | performed by users during Windows installation. Other malware will seek
    | out a vulnerability within the OS to do the same thing. Obtain
    | administrator (or system level; whichever is better for the malware)
    | rights hopefully without your knowledge.

    | It won't necessarily burn a lot of CPU cycles, either.


    "Buffer overflow exploitation with an elevation of privileges".
     
    David H. Lipman, Dec 14, 2010
    #47
  8. RayLopez99

    RayLopez99 Guest

    On Dec 14, 2:30 am, "David H. Lipman" <DLipman~>
    wrote:
    .
    Thanks but I thought Buffer Overflow is essentially a variant of a SQL
    Injection attack, that is, it requires a database. But perhaps all
    OSes run databases in the background? (Maybe even the log in has a
    database, and IIS for Windows is constantly running somewhere and/or
    can be activated)? Anyway, in my mind "buffer overflow" is a database
    exploit.

    RL
     
    RayLopez99, Dec 15, 2010
    #48
  9. From: "RayLopez99" <>

    | On Dec 14, 2:30 am, "David H. Lipman" <DLipman~>
    | wrote:
    | .


    | Thanks but I thought Buffer Overflow is essentially a variant of a SQL
    | Injection attack, that is, it requires a database. But perhaps all
    | OSes run databases in the background? (Maybe even the log in has a
    | database, and IIS for Windows is constantly running somewhere and/or
    | can be activated)? Anyway, in my mind "buffer overflow" is a database
    | exploit.

    No. It has nothing to do w/databases. It has to do with the exploitation/vulnerability
    factor of software in general and taking advantage of the Buffer overflow condition.

    Examples:
    The Lovsan/Blaster used a "Buffer overflow exploitation with an elevation of privileges"
    in TCP port 135 against RPC/RPCSS

    Attackments use "Buffer overflow exploitation with an elevation of privileges" in
    malicious PDFs and thus Adobe Reader/Acrobat.
     
    David H. Lipman, Dec 15, 2010
    #49
  10. RayLopez99

    unruh Guest

    That may be. However in most people's minds it is not. Buffer overflow
    is a technique of attacking the stack and replacing the return address
    of a subroutine with your own address -- usually done by injecting a far, far
    longer input than an input buffer is capable of handling -- if the buffer
    is on the stack (the usual place) that will overwrite the stack, which also
    includes the subroutine (input handling) return address. You point it
    instead at part of that huge input which contains your own program.

    This works because most people simply copy the input to the buffer not
    checking how long it is.
     
    unruh, Dec 15, 2010
    #50
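    The mechanism unruh describes above (input copied into a fixed-size stack buffer with no length check, running over into the saved return address) and Dustin's later point that the fix is a length check in the program rather than the compiler, as an added C illustration that is not from the thread or any poster. Because writing past a real stack buffer is undefined behaviour, the "frame" here is a constructed struct in ordinary memory: a 16-byte input buffer followed by an 8-byte field standing in for the saved return address. The struct layout, the `ORIGINAL_RET` marker bytes, the function names and the sample inputs are all assumptions made for the demonstration.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a stack frame (assumption, not a real frame):
 * the local buffer sits directly before the saved return address, as it
 * does on a typical stack, but both live inside one plain struct so every
 * write in this demo stays within defined memory. */
#define BUF_SIZE 16
#define RET_SIZE 8

struct frame {
    char buf[BUF_SIZE];                /* the local input buffer */
    unsigned char saved_ret[RET_SIZE]; /* stands in for the saved return address */
};

/* Constructed marker bytes representing the legitimate return address. */
static const unsigned char ORIGINAL_RET[RET_SIZE] =
    {0xEF, 0xBE, 0xAD, 0xDE, 0x00, 0x00, 0x00, 0x00};

static void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    memcpy(f->saved_ret, ORIGINAL_RET, RET_SIZE);
}

/* Vulnerable pattern: copy until the NUL terminator without ever consulting
 * the buffer size, exactly what strcpy(f->buf, input) does. The copy is
 * capped at the struct boundary only so the demo itself stays defined. */
static void copy_unchecked(struct frame *f, const char *input) {
    char *dst = (char *)f;   /* writes run straight through buf into saved_ret */
    size_t limit = sizeof *f;
    size_t i = 0;
    while (input[i] != '\0' && i < limit) {
        dst[i] = input[i];
        i++;
    }
    if (i < limit) dst[i] = '\0';   /* the terminator can land past buf too */
}

/* Hardened pattern: measure (without reading further than we would accept),
 * reject anything that does not fit together with its terminator, then copy. */
static bool copy_checked(struct frame *f, const char *input) {
    size_t len = 0;
    while (len < BUF_SIZE && input[len] != '\0') len++;
    if (len >= BUF_SIZE) return false;   /* would overflow: refuse, copy nothing */
    memcpy(f->buf, input, len + 1);
    return true;
}

/* Did the saved return address survive the copy? */
static bool ret_intact(const struct frame *f) {
    return memcmp(f->saved_ret, ORIGINAL_RET, RET_SIZE) == 0;
}

/* true when the unchecked copy of this input corrupted the return address */
bool unchecked_clobbers_ret(const char *input) {
    struct frame f;
    frame_init(&f);
    copy_unchecked(&f, input);
    return !ret_intact(&f);
}

/* true when the checked copy accepted the input; *ret_ok reports whether the
 * return address is still intact afterwards (it always is: a rejected copy
 * writes nothing, an accepted one stays inside buf) */
bool checked_accepts(const char *input, bool *ret_ok) {
    struct frame f;
    frame_init(&f);
    bool accepted = copy_checked(&f, input);
    *ret_ok = ret_intact(&f);
    return accepted;
}

int main(void) {
    /* Constructed sample inputs: one that fits and one far too long. */
    const char *ok = "hello";
    char too_long[32];
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';

    const char *inputs[] = {ok, too_long};
    for (size_t i = 0; i < 2; i++) {
        bool ret_ok;
        bool accepted = checked_accepts(inputs[i], &ret_ok);
        printf("len=%zu unchecked_clobbers=%d checked_accepts=%d ret_ok=%d\n",
               strlen(inputs[i]), unchecked_clobbers_ret(inputs[i]),
               accepted, ret_ok);
    }
    return 0;
}
```

    Note that an input of exactly 16 characters also trips the unchecked copy: the characters fit, but the terminating NUL lands in the first byte of the saved return address, which is the classic off-by-one. The checked version rejects that case because it requires room for the terminator, and it rejects rather than silently truncating, so the caller can treat oversized input as an error instead of processing a mangled value.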
  11. RayLopez99

    RayLopez99 Guest

    Well that's more a problem with the compiler than the programmer. I
    would think (in my mind) that if you overwrite any stack your program
    will crash due to misallocation of memory. Why not then? Think about
    walking off the end of an array. Why would overrunning your buffer
    (memory) also not crash your program?

    RL
     
    RayLopez99, Dec 15, 2010
    #51
  12. RayLopez99

    Bilbo Warble Guest

    It's not a problem with the compiler, more a case of programmers using incorrect
    functions for the sake of expediency.

    Overrunning a buffer can VERY easily crash a program which is why many
    buffer overflow exploits include a NOP sled.

    Bilbo
     
    Bilbo Warble, Dec 15, 2010
    #52
  13. You might want to investigate heap spray techniques as well. Sometimes,
    the attacked vulnerable program does indeed fall over, but the attacker
    has enough control to corrupt the heap (in multiple places, and with NOP
    sleds) so that another program *might* run the code that was sprayed there.
     
    FromTheRafters, Dec 15, 2010
    #53
  14. RayLopez99

    Dustin Guest

    Buffer overflow can be a code or database exploit. Damn, just check
    Microsoft's December patch list for several. Some of the information is
    pretty detailed; but I think if you quit with the high horse nonsense you
    can pick it up. And if you don't understand something, you'll have a
    better chance of getting a useful answer.


     
    Dustin, Dec 15, 2010
    #54
  15. RayLopez99

    Dustin Guest

    no! That's a lazy (imo) programmer; you can't blame the compiler if you
    took shortcuts and didn't write code checks and a decent error handler.


     
    Dustin, Dec 15, 2010
    #55
  16. RayLopez99

    RayLopez99 Guest

    Well perhaps you are correct, as by definition a run-time error like
    overrunning a buffer will not be caught by the compiler. But of
    interest is the claim in this thread that even though a program
    infected (or attacked) will crash, the vector (virus) program will
    continue in memory--that was news to me. Further explanation is
    requested--don't see how that can be possible--I would think Windows
    would have a protected memory space and if a program crashes
    everything in that space is zeroed out, but I guess such sandboxing is
    not done by Windows.

    RL
     
    RayLopez99, Dec 15, 2010
    #56
  17. RayLopez99

    RayLopez99 Guest

    Why doesn't Windows have a sort of sandbox, so if a program crashes,
    everything in that memory space is erased (zeroed)? That would make
    sense. Don't see why NOP (no operation?) should work in a crashed
    program.

    RL
     
    RayLopez99, Dec 15, 2010
    #57
  18. RayLopez99

    RayLopez99 Guest

    Good point, but I use C# and there's no such "unsafe" strcpy (which I
    remember from C days). A lot of unsafe stuff is caught (seems to me)
    at the compile stage, though you still get runtime errors of course.

    RL
     
    RayLopez99, Dec 15, 2010
    #58
  19. RayLopez99

    RayLopez99 Guest

    Why don't you please explain it then, instead of just saying "it's
    pretty detailed"? Most of Microsoft's patch list and breaking code
    list stuff to me sounds pretty cryptic, then again I don't belong to
    their MSDN subscriber package, which costs a couple of thousand a
    year, so maybe I don't get the detailed explanation.

    RL
     
    RayLopez99, Dec 15, 2010
    #59
  20. From: "RayLopez99" <>



    | Well perhaps you are correct, as by definition a run-time error like
    | overrunning a buffer will not be caught by the compiler. But of
    | interest is the claim in this thread that even though a program
    | infected (or attacked) will crash, the vector (virus) program will
    | continue in memory--that was news to me. Further explanation is
    | requested--don't see how that can be possible--I would think Windows
    | would have a protected memory space and if a program crashes
    | everything in that space is zeroed out, but I guess such sandboxing is
    | not done by Windows.

    Exploitation is not done by trojans or viruses, per se, except in the form of Internet
    worms such as the Lovsan/Blaster and Sasser (some don't even consider worms to be true
    viruses).

    It could be in the form of a PDF, a graphics file associated with GDI, a MS Office
    document, how QuickTime processes Real Time Streaming Protocol (RTSP), yada, yada....

    It is the successful exploitation of the buffer overflow condition that causes the
    subsequent infection and that can occur even if the end-user is using a Limited User
    Account (LUA).
     
    David H. Lipman, Dec 15, 2010
    #60