Norton Internet Security DoS Vulnerability

[Asmo]

"I'm not quite sure what the problem is with this, but I'm told its a problem with norton personal firewall", this URL starts which have been going around IRC as a running fire.

Users who make use of the Norton Internet Security package will be disconnected from their IRC server when they receive any message, be it channel, private, notice when they contain the words startkeylogger or stopkeylogger.

These two commands are part of the list of commands for Spybot for which Norton released new code which introduced this bug.

Some users are going around populated channels now pasting the two commands. Some networks, like EFnet are acting against such users with kills, as we can see from the publicly available list of last executed kills and their reasons.
_________________
Asmo

webmaster www.IRC-Junkie.org

[Delta]

Supposidly at least 1 channel on rizon put it in their topic, so any time someone did /list, it would pick it up, heh

~Francisco

[Thunderguy]

Is it just on Irc or anywhere? You have it in plaintext in the html code on your main page, I hope everyone that goes to www.Irc-Junkie.org and has Norton doesn't get disconnected.

[Asmo]

I'll be laughing myself in a 90 degree angle if that is happening =D

All praise to Norton for making such code public in such a widespread and money-making package! ;)
_________________
Asmo

webmaster www.IRC-Junkie.org

[Delta]

It seems to only happen if it comes over port 6667 since the spybot virus connected only over that port

~Francisco

[phrozen77]

roflmao


spamfilter added - now i wonder how many actually try this lololol

[Lame_nick]

This is kinda stupid of Norton, this just had to be exploited some day...
Yeah, this does only work on IRC.
Delta, I think the spybot worm may connect to 6667-7000.

[SpaceCat]

lollllllllllll bullshhhhh..
(08:11:16:am) (CatfishMan) i have norton internet security 2005
(08:11:25:am) (W-T) startkeylogger
(08:11:30:am) (CatfishMan) nothing happens

Plus a company like symantec wouldnt screw up with a so easy to see bug so nvm lol
_________________
irc.omegairc.org #Galaxy

[Lame_nick]

SpaceCat, you really think this is bullsh*t? It works. I know it does. So does many others. Maybe that guy didn't have the firewall activated or something?

[Mentality]

"Plus a company like symantec wouldnt screw up with a so easy"

Umm, yes they would. This isn't the first time this has happened. I remember a couple of years ago (I think it affected NAV 2003), if you did a /list on DALnet, people had put a certain virus string in the topic of a channel. Once the /list had processed that channel name, NAV would pop up saying that your computer was infected. I saw this myself, it happened on my computer. DALnet IRC Operators then changed the topic if I recall correctly.

Since when have big companies not been prone to fuck ups? Have you ever used Windows Update?

Regards,
_________________
Mentality/Chris

[DreamGirl]

Big thanks for this news!! With all blocks in place this has spared many much irritation
_________________
Together we make IRC work, one smiling face at a time

[phrozen77]

[Asmo]

Article in the Washington Post.
_________________
Asmo

webmaster www.IRC-Junkie.org

[Asmo]

And Symantec released a fix now :)

BTW, I see all newspapers claiming the Washington Post article as the source, but they did not reported about it 2 days or so after IRCJunkie did. Darn, even Slashdot did! Normally they would be slashdotting me... Ah well ;)
_________________
Asmo

webmaster www.IRC-Junkie.org

[phrozen77]

the question is, if you really want to be slashdotted..

i read an article quite a while ago and after that i wasnt too sure if _i_ still would want that....

in summary, it also has negative effects, just like getting your network into servers.ini