Re: [Full-Disclosure] Viral infection via Serial Cable
From: James Tucker (jftuckergmail.com)
Date: Wed Sep 01 2004 - 14:26:34 CDT
Once again this discussion is drifting very far away from the FACTS,
let alone relevance:
1. On a BBS you connect through a modem; a modem (typically) uses an
AT command set, and you would require another modem to connect to.
Data transfer happens as a subset of this command set. These protocols
are not available at the computer end unless you have built an
application to emulate a modem.
2. On a BBS you would have actively downloaded the file yourself; this
is not going to happen anywhere near the RS232 in this case, the virus
will come from an EXTERNAL link first, and the question was if it
could infect over a new outbound media, RS232.
3. As I and others have clearly stated in previous posts, RS232 can
carry DATA and therefore can theoretically transfer a virus.
4. Most viruses in circulation today use TCP/IP or higher level
protocols, not native RS232.
5. If a virus could use native RS232 it would require the ability to
exploit something on the other end; Windows itself does not respond to
incoming serial data, except where it thinks it has detected a mouse
(possibly one of the best ways to exploit this unit). This would be an
almost-impossible-to-compute exploit, however.
6. TCP/IP can be turned on for use over RS232 ports in Windows; this
shows up as "Incoming Connections" in the network connections folder.
It is unlikely this has been done; however, if it has, it should be
locked down. This method would require the client computer to also run
a TCP/IP stack at the other end, if this has not been set up by the
user then we have a further likelihood of no TCP/IP stack attached (in
software) to the RS232 port.
7. There are other serial protocols in existence besides TCP/IP,
however these are not available by default on an NT box, furthermore
most of these protocols have a "wait for accept" implementation.
8. The most feasible form of exploit which could be used against this
box in all likelihood would be to not exploit it at all, but just to
send (protocol wise) fully legal messages to the unit, instructing it
to do something it otherwise would never be intended to do.
If you want to have an "I'm an old fogey" or "mine's bigger than yours"
contest please do it off the list. There are always people in the
world who will know more than you on a particular topic, and there are
always bigger bullies somewhere else in the world. You can't beat them
by not joining forces so stop pissing on each other and just start
learning please. While this list is unmoderated, and I agree with
that, your responses are unnecessary and not even interesting to read.
Oh and for the pissing contest anyway, I'm under 25 and I used to
actively use a 1200 baud for BBS access, frankly it seems neither of
you understand how viruses worked in those days (despite probably
having been there before me). That would be hyperterm style not phpBB
style. One such example would be the hamster virus:
http://www.f-secure.com/v-descs/hamster.shtml, a virus not indexed by
most anti virus companies anymore. The Firkin virus used to sometimes
dial out on modems, typically dialing 911; it would do this by probing
all the RS232 ports on the machine and using the AT command set to
control a modem - not appropriate here. Personally I never saw or
heard of a virus which tries to communicate with another computer
attached to an RS232 port (maybe a laplink virus or the like??), as
this is an unusual scenario. Even more unusual than that would be a
live protocol suitable for data transfer, code execution, and / or
general exploitation; the only exception being a known network
protocol, which would provide a higher layer for the virus to interact
Full-Disclosure - We believe in it.
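Points 7 and 8 of the post above (a receiver that waits for an explicit accept before processing anything, and the risk of "fully legal" protocol messages that instruct a device to do something it was never meant to do) are illustrated by the following added example. It is not code from the post, the list, or any real device: the framing (STX, command byte, length, payload, XOR checksum, ETX), the command numbers and the receiver class are all constructed for this illustration. It shows the defensive shape of a serial command receiver: resync on garbage, bound the declared length before buffering, verify the checksum, refuse every command not on an allowlist, and accept nothing until a HELLO has been acknowledged.

```python
"""Toy serial command receiver with wait-for-accept and a command allowlist.

Hypothetical framing, constructed for this example (not a real device protocol):
    STX(0x02) CMD LEN PAYLOAD... CHK ETX(0x03)
    CHK = XOR of CMD, LEN and every payload byte.
"""

STX, ETX = 0x02, 0x03
# Constructed command numbers; 0x7F below stands in for any command not on the allowlist.
CMD_HELLO, CMD_STATUS, CMD_READ_TEMP = 0x01, 0x10, 0x11
MAX_PAYLOAD = 32
ALLOWED_CMDS = {CMD_HELLO, CMD_STATUS, CMD_READ_TEMP}


class FrameError(ValueError):
    """Raised for any frame that fails structural or checksum validation."""


def checksum(cmd, payload):
    """XOR of the command byte, the length byte and every payload byte."""
    c = cmd ^ len(payload)
    for b in payload:
        c ^= b
    return c


def build_frame(cmd, payload=b""):
    """Encode one frame; used by the sending side and by the test below."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long")
    return bytes([STX, cmd, len(payload)]) + payload + bytes([checksum(cmd, payload), ETX])


def parse_frame(data):
    """Validate one complete frame and return (cmd, payload), else raise FrameError."""
    if len(data) < 5 or data[0] != STX or data[-1] != ETX:
        raise FrameError("bad delimiters")
    cmd, length = data[1], data[2]
    if length > MAX_PAYLOAD:
        raise FrameError("declared length exceeds limit")
    if len(data) != 5 + length:
        raise FrameError("length mismatch")
    payload = data[3:3 + length]
    if data[3 + length] != checksum(cmd, payload):
        raise FrameError("checksum mismatch")
    return cmd, payload


class SerialReceiver:
    """Receiver that processes no command until an explicit HELLO has been accepted."""

    def __init__(self):
        self.accepted = False   # the "wait for accept" state from point 7
        self.buf = bytearray()  # bytes read from the line but not yet framed
        self.log = []           # human-readable decisions, for the operator

    def feed(self, chunk):
        """Consume raw bytes from the line; return a list of (status, cmd) decisions."""
        self.buf += chunk
        results = []
        while True:
            start = self.buf.find(bytes([STX]))  # resync: discard anything before STX
            if start < 0:
                self.buf.clear()
                break
            del self.buf[:start]
            if len(self.buf) < 3:
                break  # header incomplete; wait for more bytes
            length = self.buf[2]
            if length > MAX_PAYLOAD:
                # Reject immediately rather than buffering an attacker-chosen amount.
                self.log.append(f"reject frame declaring {length} payload bytes")
                results.append(("reject", None))
                del self.buf[:1]
                continue
            if len(self.buf) < 5 + length:
                break  # frame incomplete; wait for more bytes
            if self.buf[4 + length] != ETX:
                self.log.append("reject frame without ETX at expected position")
                results.append(("reject", None))
                del self.buf[:1]
                continue
            frame = bytes(self.buf[:5 + length])
            del self.buf[:5 + length]
            results.append(self._handle(frame))
        return results

    def _handle(self, frame):
        try:
            cmd, _payload = parse_frame(frame)
        except FrameError as e:
            self.log.append(f"reject malformed frame: {e}")
            return ("reject", None)
        if cmd not in ALLOWED_CMDS:
            # A well-formed, "fully legal" frame is still refused if the command is not allowlisted.
            self.log.append(f"reject unknown command 0x{cmd:02x}")
            return ("reject", cmd)
        if cmd == CMD_HELLO:
            self.accepted = True
            self.log.append("session accepted")
            return ("accept", cmd)
        if not self.accepted:
            self.log.append(f"reject 0x{cmd:02x} before HELLO")
            return ("reject", cmd)
        self.log.append(f"accept 0x{cmd:02x}")
        return ("accept", cmd)
```

The receiver never acts on a frame it has not fully validated, and the allowlist is the control that answers point 8: a device-side command set should expose only what the deployment needs, so that a correctly framed request for anything else is logged and dropped rather than executed.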