[svlug] worms -n stuffy - vague

Dagmar d'Surreal dagmar at dsurreal.org
Tue Jun 5 11:02:01 PDT 2001

On Tue, 5 Jun 2001, Rafael wrote:

(much snippage)
> No need to put that on business card but they do have their web site:
> http://www.chkrootkit.org

Now this is actually somewhat useful information.  It looks like they
covered the basic pitfalls for using the software fairly concisely as

> ................
> > 
> > There's also the small matter of if it was a worm, then the filename
> > "maniac" could be significant in naming it.  If it was a script kiddie,
> > then it's likely a rootkit that they got from someone who goes by that
> > name.  In any case, the other filenames you listed were rather common
> > fare.  In none of these contexts are the phrases 'worm', 'hacker/cracker',
> > 'trojan' interchangeable with each other.
> > 
> > Computer Forensics is a science, and for this reason isn't typically part
> > of the literary arts programs--being vague isn't useful.
> Come on, Computer Forensics is not a science. It's just plain logic with
> some math shuffling bits and examining bytes. You can add social and
> behavioral aspects to forensics but that still doesn't amount to
> "science".
> Computer Forensics Engineering would be a better term IMO.

It's a science, from Webster's...

1 : the state of knowing : knowledge as distinguished from ignorance or

2 a : a department of systematized knowledge as an object of study <the
science of theology> b : something (as a sport or technique) that may be
studied or learned like systematized knowledge <have it down to a science>

3 a : knowledge or a system of knowledge covering general truths or the
operation of general laws especially as obtained and tested through
scientific method b : such knowledge or such a system of knowledge
concerned with the physical world and its phenomena : NATURAL SCIENCE

4 : a system or method reconciling practical ends with scientific laws
<culinary science>

The use of techniques that fall under 2 and 3 goes a long way towards not
having a judge toss you and your evidence out of court.  ;)

> > 
> > In either case, you should be ashamed that you had binaries that stale
> That's a bit of a strong statement. As bad as it sounds not everybody has
> time to go replace all the code on time. They eventually need to do it due
> to security problems but that's then.

Look at it rationally.  Once an exploit is known in the public, it
generally only tends to take the script kiddies about a month (at _most_)
to build up a head of steam to the point where even randomly chosen
netblocks will start seeing scans for the vulnerability happen on a weekly
or bi-weekly basis.  I am *still* seeing scans for both wu and bind
exploits twice a week, even though they're both many moons old.  It's a
matter of upgrading/patching vulnerable systems in a timely manner, and if
you let vulnerable systems go unmaintained for three months or more you
can almost expect script kiddies to be logged in ahead of you when you get
there.  :/

> > lying around exposed.  This is the internet, and while I am quite sure
> > people would like to take the attitude that it's only their system that
> > gets compromised, their system is quite often used to do harm to others,
> Agree here but the final responsibility still goes to the perpetrator.
> Just because you have door to the backyard it doesn't mean anybody can
> walk in there and do whatever they want. One of the problems is "the
> society itself" due to its poor law enforcement or lack of interest for
> it, being that domestic or international.

And if you live in a rough neighborhood you shouldn't act shocked if you
get mugged for walking around alone in the middle of the night.  Take a
look at ArachNIDS sometime.  The Internet is a rough neighborhood, and the
segments that are known to be full of inexperienced administrators with
high-speed connections (like cablemodems, DSL, and Korea *chuckle*) get
downright vicious at times.
In the past ten days (to pick a nice arbitrary segment of time) even my
little dinky block of 8 IPs has seen five scans for various Windows
backdoors, nine scans for *portmapper* vulnerabilities, seven scans for
exploitable name servers, two scans for vulnerable lprs and a scan for
linuxconf, and that's just the ones that are done so poorly that snort
picks 'em up.

Ten days, and if I'd had something on the segment that I hadn't updated in
six months or more it could have been owned several times over.

> > so it's more like leaving weapons of mass-destruction poorly secured in
> > the back-yard, i.e., not a very responsible thing to do.
> None of anybody's business what's in my backyard as long as it doesn't
> radiate or smell across the fence.

...and script kiddies even care whose backyard it is?  It's time to take
your head out of the sand, Raf.
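
Added example, not part of this thread: a small Python script that tallies snort fast-format alerts the way the ten-day counts above are tallied, one scan per source per signature however many addresses on the block it swept, and works out a scans-per-week rate over an arbitrary window. The alert lines, signature IDs and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alerts in snort "fast" format: arbitrary signature IDs,
# documentation-range addresses, dates spanning a ten-day window in 2001.
SAMPLE_ALERTS = """\
05/27-02:14:03.118210 [**] [1:100001:1] RPC portmap listing TCP 111 [**] [Classification: Decode of an RPC Query] [Priority: 2] {TCP} 198.51.100.7:2049 -> 192.0.2.3:111
05/27-02:14:05.442801 [**] [1:100001:1] RPC portmap listing TCP 111 [**] [Classification: Decode of an RPC Query] [Priority: 2] {TCP} 198.51.100.7:2050 -> 192.0.2.4:111
05/28-23:41:17.003992 [**] [1:100002:1] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.42:1090 -> 192.0.2.3:53
05/30-04:05:51.220112 [**] [1:100003:1] LPD overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.42:3232 -> 192.0.2.5:515
06/02-13:12:09.770501 [**] [1:100001:1] RPC portmap listing TCP 111 [**] [Classification: Decode of an RPC Query] [Priority: 2] {TCP} 192.0.2.200:1025 -> 192.0.2.3:111
06/04-20:00:00.000000 [**] [1:100002:1] DNS named version attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.9:53 -> 192.0.2.6:53
"""

# One fast-format line: timestamp, [gid:sid:rev], message, optional
# classification and priority, protocol, then src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>[\d:.]+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?(?:\[Priority: (?P<pri>\d+)\] )?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Return one dict per line that matches the fast format; skip the rest."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def count_scans(alerts):
    """A scan is one source probing one signature, no matter how many of our
    hosts it swept. Returns {message: number of distinct sources}."""
    seen = {(a["src"], a["sid"], a["msg"]) for a in alerts}
    return dict(Counter(msg for _src, _sid, msg in seen))

def scans_per_week(alerts, window_days):
    """Distinct (source, signature) pairs scaled to a seven-day rate."""
    return len({(a["src"], a["sid"]) for a in alerts}) * 7.0 / window_days

def repeat_sources(alerts):
    """Sources that probed more than one signature, with what they tried."""
    by_src = defaultdict(set)
    for a in alerts:
        by_src[a["src"]].add(a["msg"])
    return {src: sorted(msgs) for src, msgs in by_src.items() if len(msgs) > 1}

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for msg, n in sorted(count_scans(alerts).items()):
        print(f"{n:3d} scan(s): {msg}")
    print(f"{scans_per_week(alerts, 10):.1f} scans/week over a 10-day window")
    print("sources trying several services:", repeat_sources(alerts))
```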
