Re: ICQ 2000
Blue Boar (BlueBoar THIEVCO.COM)
Sat, 30 Oct 1999 14:34:25 +0000
- Next message: Blue Boar: "Re: Possibly exploitable overflow in Alibaba 2.0"
- Previous message: Blue Boar: "Re: AIM 3.0"
- In reply to: Paul Keefer: "AIM 3.0"
- Next in thread: Int_13h: "Re: ICQ 2000"
Bernie Cosell wrote:
> What, exactly, does it do? --- sorry to be dumb about this, but 'trojan'
> means too many different things to different people for me to be sure
> what you mean here. Does it provide a backdoor to folk to access your
> system? Can they do *ANYTHING* via that back door?
It doesn't *appear* to do anything besides try to talk ICQ users
into installing it. Of course, it could potentially be much
more clever than that. Discovering if that's the case is a
much, much harder problem.
I think most of us are using personal experience to *assume*
it isn't doing more, mostly due to the fact that it has an
overt behaviour, and that it doesn't try to actually make
itself run again later.
But, yes, we may be all sadly mistaken, and it could be looking
for its master to give it a virtual DOS prompt on your
box via ICQ.
There are BO plugins that will make it call IRC and inform people
of its existence. The next logical step, in my mind, was to make
BO take commands via IRC too, totally bypassing many firewalls.
> [I guess what I'm saying here is that the way I use the terminology, it
> was obvious it was a trojan: since it pretended to be an ICQ beta and
> clearly wasn't and did _something_ [my definition of a trojan]... what
> I'm not clear on is what *payload* the trojan delivered... Thanks!
>
There's a major discussion going on, I think on the Firewalls mailing
list about whether BO2K is a trojan or not. There are some good
points made there.
I'd rather avoid the religious war on terminology here if at all
possible.
This particular piece of code is clear enough in its behaviour, I
think, that it doesn't require discussion.
BB
This archive was generated by hypermail 2.0b3 on Sat Oct 30 1999 - 16:34:54 CDT