Norton Firewalls - Keylogger Exploit/Trigger

Posted: Fri Mar 03, 2006 2:14 am
by nate
Meh, had a few problems on my network with people playing with this shit and causing people to purposely ping out.

Basically (I'm sure most people have heard already) if anyone uses the terms 'startkeylogger' or 'stopkeylogger' it will cause anyone using a Symantec Norton-based product with the Firewall (Norton Personal Firewall/Norton Internet Security/etc) to disconnect temporarily from all IRC, and at times actually completely lock up IRC, causing them to not be able to connect at all to any generalized IRC ports.

Easy way to block this is:

Code:
spamfilter {
	regex "startkeylogger";
	target { private; channel; quit; };
	reason "Trying to trigger a Norton firewall to block IRC";
	action block;
};

spamfilter {
	regex "stopkeylogger";
	target { private; channel; quit; };
	reason "Trying to trigger a Norton firewall to block IRC";
	action block;
};
I decided to do a block rather than a kill (no need to be overbrutal), but it can be a nuisance in bigger channels if a lot of people use Norton and others just type those phrases purposely to ping people.

Posted: Fri Mar 03, 2006 9:13 pm
by SpaceDoG
How do you reload the spam filter?

Posted: Fri Mar 03, 2006 9:59 pm
by Jason
/rehash

Posted: Sun Mar 05, 2006 1:49 pm
by Guest

Code:
spamfilter {
   regex "(start|stop)keylogger";
   target { private; channel; quit; };
   reason "Trying to trigger a Norton firewall to block IRC";
   action block;
};
For a simpler version.

Also, I recommend using all the targets possible. (I'm not typing them in because it's 5:47am and my bed is calling.) We've had reports of people being booted for joining a channel and then getting a list of bans, which happened to have "startkeylogger" in it.

Also, I've heard of "stopspy" being used from the irc-security mailing list, so here's a spamfilter for that:

Code:
spamfilter {
   regex "stopspy";
   target { private; channel; quit; };
   reason "Trying to trigger a Norton firewall to block IRC";
   action block;
};
Combining both this and the above we get:

Code:
spamfilter {
   regex "((start|stop)keylogger|stopspy)";
   target { private; channel; quit; };
   reason "Trying to trigger a Norton firewall to block IRC";
   action block;
};
I'm not sure if this one works though. I know the first two do. We use action kill; Sends a nice message to the masses. ;)

ARcanUSNUMquam @ irc.allxtremenet.net

Posted: Sun Mar 05, 2006 2:01 pm
by Guest
I hope this DOS prompts the UnrealIRCd team to add a more expansive spamfilter (like an "everything" target, where the action is taken if it is seen in any fashion (banmasks, invites, channel joins, etc)). One of our users reported being hit with this even after we spamfiltered, and we wondered why. It would happen after he joined a channel. We (the opers) joined and investigated. Turns out "startkeylogger" was in the channel ban list. I'm thinking Norton just looks for this word in the plain text going on between the server and client, no matter what kind of command or numeric it is.

I say most of the blame rests on Norton. They need to get their work together.

A complete list of keywords for this bot, which may or may not be Norton DOS exploitable is at: http://vil.mcafeesecurity.com/vil/content/v_101078.htm

Note so far, I have only heard of start/stopkeylogger and stopspy being triggers. I have not tested/have not heard about the others. Anybody willing to be a victim?

ARcanUSNUMquam @ irc.allxtremenet.net
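As an added illustration (not UnrealIRCd's spamfilter code and not from any poster), the following Python script applies the combined regex from the earlier post to constructed raw IRC lines and reports which ones the private/channel/quit targets would catch; the ban-list numeric (367) line carries the trigger text but falls under no configured target, which is the gap described in the post above. The helper names, the simplified command-to-target mapping and the assumption that UnrealIRCd matches spamfilter regexes case-insensitively are mine.

```python
import re

# Combined spamfilter regex from the thread; UnrealIRCd matches case-insensitively
# (assumption), hence IGNORECASE. Targets are the ones the thread's config uses.
TRIGGER_RE = re.compile(r"((start|stop)keylogger|stopspy)", re.IGNORECASE)
CONFIGURED_TARGETS = ("private", "channel", "quit")

def parse_irc(line):
    """Split a raw IRC line into (prefix, COMMAND, params). Hypothetical helper."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    words = head.split()
    command, params = words[0].upper(), words[1:]
    if sep:
        params.append(trailing)
    return prefix, command, params

def message_kind(command, params):
    """Map a command to the spamfilter target that inspects it, or None if none does."""
    if command in ("PRIVMSG", "NOTICE"):
        return "channel" if params and params[0].startswith(("#", "&")) else "private"
    if command == "QUIT":
        return "quit"
    return None  # numerics such as 367 (ban list entry), JOIN, MODE: no target here

def filter_decision(line, targets=CONFIGURED_TARGETS):
    """Whether the trigger text is present and whether the config would block the line."""
    _, command, params = parse_irc(line)
    hit = TRIGGER_RE.search(" ".join(params)) is not None
    kind = message_kind(command, params)
    return {"trigger": hit, "kind": kind, "blocked": hit and kind in targets}

def uncovered_hits(lines, targets=CONFIGURED_TARGETS):
    """Lines that carry the trigger but still reach the client (the ban-list case)."""
    return [l for l in lines if (d := filter_decision(l, targets))["trigger"] and not d["blocked"]]

# Constructed sample traffic, not captured from any real network.
SAMPLE_LINES = [
    ":alice!a@h PRIVMSG #help :hey startkeylogger",
    ":bob!b@h PRIVMSG carol :StopSpy",
    ":dave!d@h QUIT :stopkeylogger",
    ":irc.example.net 367 carol #help startkeylogger!*@* eve 1141500000",
    ":alice!a@h PRIVMSG #help :keyloggers are bad",
]
for line in SAMPLE_LINES:
    print(filter_decision(line), line)
print("reaches client despite filter:", uncovered_hits(SAMPLE_LINES))
```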

Posted: Sun Mar 05, 2006 3:41 pm
by Syzop
Spamfilter is not meant as a complete server-level anti virus solution or something... Though, it is doing a good job ;).

Indeed, blame norton.

There has even been some discussion about if using spamfilter to block exploits (such as the mirc exploit of 1+ year ago) is actually a good idea.. because it will encourage less users to upgrade their software with the fix.

Posted: Sun Mar 05, 2006 6:41 pm
by Stealth
I have ban version "mIRC 6.0*" and "mIRC 6.11" :P

Posted: Sun Mar 05, 2006 7:04 pm
by Jason
Anonymous wrote: A complete list of keywords for this bot, which may or may not be Norton DOS exploitable is at: http://vil.mcafeesecurity.com/vil/content/v_101078.htm
That list can't all be Norton triggers. Look at some of the words:

auth info passwords threads kill thread startkeylogger stopkeylogger listprocesses killprocess disconnect reconnect server quit reboot xxUninstall httpserver redirect raw spoofdsyn list delete rename execute makedir spy stopspy redirectspy stopredirectspy opencmd cmd get sendto scan kazaa backupfiles

Posted: Sun Mar 05, 2006 7:08 pm
by Syzop
The fact that the bot/virus knows these commands, doesn't necessarily mean norton executes a kill-connection on all of them.. :P

Posted: Sun Mar 05, 2006 7:10 pm
by Jason
Of course. But it would, however, be nice to get a definitive list, not of the commands, but of the triggers.

Posted: Mon Mar 06, 2006 2:50 am
by nate
All in all I was posting the two that were really largely known and being used to ping people.

While I blame norton for its paranoia of course, I still would rather not have to listen to the complaints of users when their firewalls lock down on them, so I prevent it where I can.

I'm aware there are several others, but really those two are the ones which seem to trigger an auto lockdown the most.

Thanks [First Guest] for the simpler version, regex in the spam filter is still just a tad beyond me, so I just did it on a simple fix as I knew how to, haha.

Re: Norton Firewalls - Keylogger Exploit/Trigger

Posted: Thu Oct 29, 2009 11:30 am
by judithara
What is the difference between Norton 360 v2 and v3? I was looking on eBay to buy a Norton pack for three computers. V2 is cheaper, is there much difference? Also even cheaper than that is Norton Internet Security 2009, what is the difference in all these, besides price?

Re: Norton Firewalls - Keylogger Exploit/Trigger

Posted: Thu Oct 29, 2009 4:16 pm
by Stealth
Why are you even posting on a topic that's 3 and a half years old?

Re: Norton Firewalls - Keylogger Exploit/Trigger

Posted: Fri Oct 30, 2009 3:06 pm
by Jobe
Stealth wrote: Why are you even posting on a topic that's 3 and a half years old?
I'd say it's because of his spam signature :P

Re: Norton Firewalls - Keylogger Exploit/Trigger

Posted: Fri Oct 30, 2009 3:37 pm
by Stealth
He didn't have a sig yesterday...