private-sector keystroke logger...
Eric Murray
ericm at lne.com
Tue Nov 27 16:20:40 EST 2001
On Tue, Nov 27, 2001 at 12:55:11PM -0800, Jay D. Dyson wrote:
> On 27 Nov 2001, Derek Atkins wrote:
>
> > Hrm, how about a worm with a built-in HTTP server that installs itself
> > on some non-standard port, say TCP/28462 (to pick one at random)?
>
> Craftier still, backdoor an existing service that behaves normally
> until it receives a few specially-crafted packets, then it opens a high
> port for direct login or data retrieval.
Many PC users have outgoing firewalls that prevent and/or raise an
alarm when their machine tries to make an outbound connection
on a "unapproved" port. Zonealarm is one of thses.
The attack S/W could simply modify the firewall's config files.
Or, since outbound traffic to port 80 is almost always left open,
encrypt the key logging data in the attackers key and
then use dejanews to post it to alt.anonymous.messages.
A lot of 'root kits' and similar programs that set up slaves for
DDOS attacks announce their availability on IRC.
Emailing to a fixed address indicates to me that the attackers aren't
serious about actually receiving the key logging data.
Eric
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list