Norton Firewalls - Keylogger Exploit/Trigger

These are old archives. They are kept for historic purposes only.
nate
Posts: 148
Joined: Fri Jul 29, 2005 10:12 am
Location: Johnstown, Pa

Norton Firewalls - Keylogger Exploit/Trigger

Post by nate » Fri Mar 03, 2006 2:14 am

Meh, had a few problems on my network with people playing with this shit and causing people to purposely ping out.

Basically (I'm sure most people have heard already) if anyone uses the terms 'startkeylogger' or 'stopkeylogger' it will cause anyone using a Symantec Norton-based product with the firewall (Norton Personal Firewall/Norton Internet Security/etc.) to disconnect temporarily from all IRC, and at times actually completely lock up IRC, causing them to not be able to connect at all to any generalized IRC ports.

Easy way to block this is:

spamfilter {
	regex "startkeylogger";
	target { private; channel; quit; };
	reason "Trying to trigger a Norton firewall to block IRC";
	action block;
};

spamfilter {
	regex "stopkeylogger";
	target { private; channel; quit; };
	reason "Trying to trigger a Norton firewall to block IRC";
	action block;
};

I decided to do a block rather than a kill (no need to be over-brutal), but it can be a nuisance in bigger channels if a lot of people use Norton and just type those phrases purposely to ping people.

SpaceDoG
Posts: 301
Joined: Mon Feb 27, 2006 5:44 am

Post by SpaceDoG » Fri Mar 03, 2006 9:13 pm

How do you reload the spam filter?

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Fri Mar 03, 2006 9:59 pm

/rehash
Why the hell can't my signature be empty?
"Your message contains too few characters."

Guest

Post by Guest » Sun Mar 05, 2006 1:49 pm

spamfilter {
   regex "(start|stop)keylogger";
   target { private; channel; quit; };
   reason "Trying to trigger a Norton firewall to block IRC";
   action block;
};

For a simpler version.

Also, I recommend using all the targets possible. (I'm not typing them in because it's 5:47am and my bed is calling.) We've had reports of people being booted for joining a channel and then getting a list of bans, which happened to have "startkeylogger" in it.

Also, I've heard of "stopspy" being used from the irc-security mailing list, so here's a spamfilter for that:

spamfilter {
   regex "stopspy";
   target { private; channel; quit; };
   reason "Trying to trigger a Norton firewall to block IRC";
   action block;
};

Combining both this and the above we get:

spamfilter {
   regex "((start|stop)keylogger|stopspy)";
   target { private; channel; quit; };
   reason "Trying to trigger a Norton firewall to block IRC";
   action block;
};

I'm not sure if this one works though. I know the first two do. We use action kill; sends a nice message to the masses. ;)

ARcanUSNUMquam @ irc.allxtremenet.net

Guest

Post by Guest » Sun Mar 05, 2006 2:01 pm

I hope this DoS prompts the UnrealIRCd team to add a more expansive spamfilter (like an "everything" target, where the action is taken if it is seen in any fashion (banmasks, invites, channel joins, etc.)). One of our users reported being hit with this even after we spamfiltered, and we wondered why. It would happen after he joined a channel. We (the opers) joined and investigated. Turns out "startkeylogger" was in the channel ban list. I'm thinking Norton just looks for this word in the plain-text goings-on between the server and client, no matter what kind of command or numeric it is.

I say most of the blame rests on Norton. They need to get their work together.

A complete list of keywords for this bot, which may or may not be Norton DoS exploitable, is at: http://vil.mcafeesecurity.com/vil/content/v_101078.htm

Note so far, I have only heard of start/stopkeylogger and stopspy being triggers. I have not tested/have not heard about the others. Anybody willing to be a victim?

ARcanUSNUMquam @ irc.allxtremenet.net
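The spamfilter blocks posted above and the ban-list case described in this post, worked through as an added example (this is not UnrealIRCd code and was not posted by anyone in the thread): a small Python script that parses the spamfilter { } block syntax used here, maps raw IRC lines to the spamfilter target they would fall under, and reports which lines carrying the trigger words get blocked and which still reach clients unfiltered. The wider target list (private, channel, private-notice, channel-notice, part, quit, topic, away), case-insensitive matching, the hostmasks and the 367 ban-list reply are all assumptions made for the example; check your UnrealIRCd version's documentation for the targets it actually supports.

```python
import re

# Constructed configuration for this example: the combined regex from the
# thread with a wider target set. The target names are assumed from
# UnrealIRCd 3.2 documentation; verify them against your own version.
SPAMFILTER_CONF = """
spamfilter {
    regex "((start|stop)keylogger|stopspy)";
    target { private; channel; private-notice; channel-notice; part; quit; topic; away; };
    reason "Trying to trigger a Norton firewall to block IRC";
    action block;
};
"""

# A spamfilter block holds one nested brace pair (target { ... }), so the
# body pattern allows exactly one level of nesting and stops at the block's own "};".
BLOCK_RE = re.compile(r'spamfilter\s*\{((?:[^{}]|\{[^{}]*\})*)\}\s*;', re.S)
IRC_LINE_RE = re.compile(r'^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$')


def parse_spamfilters(conf):
    """Parse spamfilter { } blocks into rule dicts: regex, targets, reason, action."""
    rules = []
    for body in BLOCK_RE.findall(conf):
        m_regex = re.search(r'regex\s+"((?:[^"\\]|\\.)*)"\s*;', body)
        m_target = re.search(r'target\s*\{([^}]*)\}', body)
        m_reason = re.search(r'reason\s+"([^"]*)"\s*;', body)
        m_action = re.search(r'action\s+(\w+)\s*;', body)
        if not (m_regex and m_target and m_action):
            raise ValueError("spamfilter block is missing regex, target or action")
        rules.append({
            # Matched case-insensitively here (an assumption about the server's flags).
            "regex": re.compile(m_regex.group(1), re.IGNORECASE),
            "targets": {t.strip() for t in m_target.group(1).split(";") if t.strip()},
            "reason": m_reason.group(1) if m_reason else "",
            "action": m_action.group(1),
        })
    return rules


def split_params(params):
    """Split IRC parameters, keeping a trailing ':...' parameter intact."""
    if params.startswith(":"):
        return [params[1:]]
    head, sep, trailing = params.partition(" :")
    parts = head.split()
    if sep:
        parts.append(trailing)
    return parts


def classify(line):
    """Return (spamfilter target or None, the text the filter would inspect)."""
    m = IRC_LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None, ""
    cmd = m.group("cmd").upper()
    params = split_params(m.group("params") or "")
    if cmd.isdigit():
        # Server numerics such as 367 (RPL_BANLIST) are replies, not user
        # messages, so no spamfilter target covers them.
        return None, " ".join(params)
    to_channel = bool(params) and params[0][:1] in "#&+!"
    if cmd == "PRIVMSG" and len(params) >= 2:
        return ("channel" if to_channel else "private"), params[1]
    if cmd == "NOTICE" and len(params) >= 2:
        return ("channel-notice" if to_channel else "private-notice"), params[1]
    if cmd == "PART":
        return "part", (params[1] if len(params) >= 2 else "")
    if cmd == "QUIT":
        return "quit", (params[0] if params else "")
    if cmd == "TOPIC" and len(params) >= 2:
        return "topic", params[1]
    if cmd == "AWAY":
        return "away", (params[0] if params else "")
    return None, " ".join(params)  # MODE, JOIN, etc.: not inspected by spamfilter


def audit(conf, lines):
    """For each line: its target, whether a rule filters it, and whether a
    trigger word would still reach clients unfiltered."""
    rules = parse_spamfilters(conf)
    report = []
    for line in lines:
        target, text = classify(line)
        hit = None
        if target is not None:
            for rule in rules:
                if target in rule["targets"] and rule["regex"].search(text):
                    hit = (rule["action"], rule["reason"])
                    break
        trigger_present = any(rule["regex"].search(line) for rule in rules)
        report.append({
            "line": line,
            "target": target,
            "filtered": hit is not None,
            "action": hit[0] if hit else None,
            "leaks_trigger": trigger_present and hit is None,
        })
    return report


# Constructed sample traffic; hostmasks and the ban timestamp are made up.
SAMPLE_LINES = [
    ":attacker!a@example.net PRIVMSG #chan :startkeylogger",
    ":attacker!a@example.net PRIVMSG victim :hey STOPSPY",
    ":attacker!a@example.net NOTICE #chan :stopkeylogger",
    ":attacker!a@example.net QUIT :stopkeylogger",
    ":attacker!a@example.net PRIVMSG #chan :keylogger",
    ":attacker!a@example.net MODE #chan +b startkeylogger!*@*",
    ":irc.example.net 367 victim #chan startkeylogger!*@* attacker 1141500000",
]

if __name__ == "__main__":
    for entry in audit(SPAMFILTER_CONF, SAMPLE_LINES):
        state = entry["action"] if entry["filtered"] else ("LEAKS" if entry["leaks_trigger"] else "clean")
        print(f"{state:6} target={entry['target']!s:15} {entry['line']}")
```

The first four sample lines are blocked because PRIVMSG, NOTICE and QUIT map onto targets the rule lists; the MODE +b and the 367 ban-list reply carry the same word but are reported as leaking, which is exactly the "booted after joining a channel" case above: the spamfilter only sees the message types it has targets for, while the client's firewall sees every byte on the socket.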

Syzop
UnrealIRCd head coder
Posts: 1813
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Sun Mar 05, 2006 3:41 pm

Spamfilter is not meant as a complete server-level anti virus solution or something... Though, it is doing a good job ;).

Indeed, blame norton.

There has even been some discussion about whether using spamfilter to block exploits (such as the mIRC exploit of 1+ years ago) is actually a good idea, because it will encourage fewer users to upgrade their software with the fix.

Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Post by Stealth » Sun Mar 05, 2006 6:41 pm

I have ban version "mIRC 6.0*" and "mIRC 6.11" :P

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Sun Mar 05, 2006 7:04 pm

Anonymous wrote: A complete list of keywords for this bot, which may or may not be Norton DoS exploitable, is at: http://vil.mcafeesecurity.com/vil/content/v_101078.htm
That list can't all be Norton triggers. Look at some of the words:

auth info passwords threads kill thread startkeylogger stopkeylogger listprocesses killprocess disconnect reconnect server quit reboot xxUninstall httpserver redirect raw spoofdsyn list delete rename execute makedir spy stopspy redirectspy stopredirectspy opencmd cmd get sendto scan kazaa backupfiles
Last edited by Jason on Sun Mar 05, 2006 7:10 pm, edited 1 time in total.

Syzop
UnrealIRCd head coder
Posts: 1813
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Sun Mar 05, 2006 7:08 pm

The fact that the bot/virus knows these commands, doesn't necessarily mean norton executes a kill-connection on all of them.. :P

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Sun Mar 05, 2006 7:10 pm

Of course. But it would, however, be nice to get a definitive list, not of the commands, but of the triggers.

nate
Posts: 148
Joined: Fri Jul 29, 2005 10:12 am
Location: Johnstown, Pa

Post by nate » Mon Mar 06, 2006 2:50 am

All in all I was posting the two that were really largely known and being used to ping people.

While I blame norton for its paranoia of course, I still would rather not have to listen to the complaints of users when their firewalls lock down on them, so I prevent it where I can.

I'm aware there are several others, but really those two are the ones which seem to trigger an auto lockdown the most.

Thanks [First Guest] for the simpler version, regex in the spam filter is still just a tad beyond me, so I just did it on a simple fix as I knew how to, haha.

judithara

Re: Norton Firewalls - Keylogger Exploit/Trigger

Post by judithara » Thu Oct 29, 2009 11:30 am

What is the difference between Norton 360 v2 and v3? I was looking on eBay to buy a Norton pack for three computers. V2 is cheaper; is there much difference? Also even cheaper than that is Norton Internet Security 2009. What is the difference in all these, besides price?

Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Re: Norton Firewalls - Keylogger Exploit/Trigger

Post by Stealth » Thu Oct 29, 2009 4:16 pm

Why are you even posting on a topic that's 3 and a half years old?

Jobe1986
Official supporter
Posts: 1177
Joined: Wed May 03, 2006 7:09 pm
Location: United Kingdom

Re: Norton Firewalls - Keylogger Exploit/Trigger

Post by Jobe1986 » Fri Oct 30, 2009 3:06 pm

Stealth wrote: Why are you even posting on a topic that's 3 and a half years old?
I'd say it's because of his spam signature :P

Stealth
Head of Support
Posts: 2086
Joined: Tue Jun 15, 2004 8:50 pm
Location: Chino Hills, CA, US

Re: Norton Firewalls - Keylogger Exploit/Trigger

Post by Stealth » Fri Oct 30, 2009 3:37 pm

He didn't have a sig yesterday...
