Comments on: Norton Internet Security ‘Keylogger’ IRC Bug http://www.darknet.org.uk/2006/03/norton-internet-security-keylogger-irc-bug/ Ethical Hacking, Penetration Testing & Computer Security Sat, 21 Nov 2009 06:04:59 +0000 http://wordpress.org/?v=2.8.6 hourly 1 By: Two Slashes » Blog Archive » Hackers Change Playing Field http://www.darknet.org.uk/2006/03/norton-internet-security-keylogger-irc-bug/#comment-55698 Two Slashes » Blog Archive » Hackers Change Playing Field Sat, 03 Mar 2007 06:18:38 +0000 http://www.darknet.org.uk/2006/03/norton-internet-security-keylogger-irc-bug/#comment-55698 [...] Case in point, #1:  Symantec’s Norton Internet security products have been a target for a while, even if it’s only by script kiddies with a knack for being stupid yet believing their superiority.  It’s not the first time someone’s found flaws either.  I know of several ways in which Symantec’s security software can be disabled in a few clicks. [...] [...] Case in point, #1:  Symantec’s Norton Internet security products have been a target for a while, even if it’s only by script kiddies with a knack for being stupid yet believing their superiority.  It’s not the first time someone’s found flaws either.  I know of several ways in which Symantec’s security software can be disabled in a few clicks. [...]

]]> By: Navaho Gunleg http://www.darknet.org.uk/2006/03/norton-internet-security-keylogger-irc-bug/#comment-65 Navaho Gunleg Fri, 03 Mar 2006 10:52:26 +0000 http://www.darknet.org.uk/2006/03/norton-internet-security-keylogger-irc-bug/#comment-65 <blockquote>Reminds me somewhat of the whole ++ATH0 thing.</blockquote> IIRC, the ATH0 thing could be put in anything though (from a webpage to an email), basically affecting any vulnerable modem that received that block of data over that modem-line. This seems limited to port 6667 Or any other <em>non-privileged ports</em>? I'm wondering -- is there a possible way to evade detection by connecting to an IRC port on port 80? I mean, obviously the word 'startkeylogger' should be nicely received if it seems to come from a webpage. Or does the firewall do deep-inspection on those packets to guess the used protocol?

Reminds me somewhat of the whole ++ATH0 thing.

IIRC, the ATH0 thing could be put in anything though (from a webpage to an email), basically affecting any vulnerable modem that received that block of data over that modem-line.

This seems limited to port 6667

Or any other non-privileged ports? I’m wondering — is there a possible way to evade detection by connecting to an IRC port on port 80? I mean, obviously the word ’startkeylogger’ should be nicely received if it seems to come from a webpage.

Or does the firewall do deep-inspection on those packets to guess the used protocol?

]]>