[thelist] [OT - For USA] Got any special plans for November 2nd?

Allen Schaaf techwriter at sound-by-design.com
Wed Oct 20 00:20:43 CDT 2004


At 08:31 PM 10/19/04, Scott Dexter wrote:

>--- Allen Schaaf <techwriter at sound-by-design.com> wrote:
>
> > While I realize this is somewhat off-topic (we are working on
>
>Try /COMPLETELY/ off-topic.
>
>There is a chat-specific list right here at evolt.org -- thechat
>(http://lists.evolt.org/mailman/listinfo/thechat)
>
>Please keep off-topic banter to that list, or at the very least "pay"
>for the posting with a <tip> :)

You are quite correct. I did not pay with a tip, so here it is.

/TIP ----->
Be very careful about posting any exe files that might have been created by 
Windows NT, 2000, XP, or any executable file like screen savers, GIF 
animations, etc., to your web site.

The reason is ADS - no, not advertising, but rather Alternate Data Streams. 
They work sort of like pre-OSX Mac file in that they have two forks. There 
is the visible one which is the cute greeting card or whatever and the 
other is quietly installing a back door or Trojan on the computer of the 
person who downloaded it.

At the very least run all files through software like <adscheck.exe>.

A very good FAQ is at: 
http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams  which 
is the home of <adscheck.exe>

They also have a bunch of other free tools on their downloads page.

--------->EndTIP/

And since I was a bad, bad boy, here is another one.

/TIP ------->
Be very careful opening Word .doc files which have macros. There is one 
particular one that allows _ANY_ file on your system to be attached and 
mailed back to the sender when you return the file after you open it, edit 
it and save it.

It is best to avoid Word .doc files if at all possible, but a lot of people 
compose e-mail in Word and mail via Outlook and have macros in their e-mail 
that prevent seeing the e-mail unless you enable the macros.

I won't give the the code for the exploit here as it is too simple to do. 
But I will tell you that the problem goes back until at least Word 97 and 
I'm told Word 95 and Word 4.2 can do it as well.

This can be very sneaky as it can be in two point white type in a cell that 
runs vertical alongside the regular text of the document.

The only real protection is opening the file in a plain text editor and 
saving it again. Yes, you will the fancy stuff and you will lose the "track 
changes" function, but you will have a safer computing experience as a result.

Here is the information from Microsoft about this:

>
>Links and References
>
>
>
>You can use these fields to insert AutoText entries or bookmark text, to 
>insert text and graphics from other documents or applications, or to 
>insert cross-references:
>
>
>Field Name Description
>
>
>
> 
><http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fsupport%2fword%2fusage%2ffields%2fautotext.asp>AutoText 
>Inserts an AutoText entry
> 
><http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fsupport%2fword%2fusage%2ffields%2fautotextlist.asp>AUTOTEXTLIST 
>Inserts text based on a style
> 
><http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fsupport%2fword%2fusage%2ffields%2fhyperlink.asp>Hyperlink 
>Opens and jumps to the specified file
> 
><http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fsupport%2fword%2fusage%2ffields%2fincludepicture.asp>IncludePicture 
>Inserts the specified graphic
> 
><http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fsupport%2fword%2fusage%2ffields%2fincludetext.asp>IncludeText 
>Inserts the contents of another document or the contents marked by a 
>bookmark in a source document
> 
><http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fsupport%2fword%2fusage%2ffields%2flink.asp>Link 
>Establishes a link with content from another application's file using 
>object linking and embedding (OLE)
> 
><http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fsupport%2fword%2fusage%2ffields%2fnoteref.asp>NoteRef 
>Inserts the number of a footnote or endnote
> 
><http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fsupport%2fword%2fusage%2ffields%2fpageref.asp>PageRef 
>Inserts the page number of a bookmark for a cross­reference
> 
><http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fsupport%2fword%2fusage%2ffields%2fquote.asp>Quote 
>Inserts the specified text into a document
> 
><http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fsupport%2fword%2fusage%2ffields%2fref.asp>Ref 
>Inserts the contents marked by the specified bookmark
> 
><http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fsupport%2fword%2fusage%2ffields%2fstyleref.asp>StyleRef 
>Inserts text from paragraphs that use the specified style

You may say, "So what?" but I can tell you that since certain files on a 
Windoze box are consistent across most computers, like "My Documents" on 
the C:\ drive, it is very easy to grab the password file off your computer 
and hack it with John the Ripper offline and then use a remote access tool 
that was planted with the ADS mentioned above to gain control over your 
box(es) and turn it(them) into a spamhaus(en) without you even knowing it.

------> EndTIP/

And I promise I'll be better in the future. Got my lists mixed up.



Allen Schaaf
Senior Technical Writer and Documentation Developer
Certified Network Security Analyst and
Intrusion Forensics Investigator - CEH, CHFI

Papageno: "What should we say now?"
Pamina: "The truth, the truth, ...even if it is a crime." 


More information about the thelist mailing list