[Dshield] Kazaa inquiry to dst port 80?

Doug doug at dwhite.ws
Mon Nov 25 14:22:15 GMT 2002

Thank you for your post.

Spyware may be described as any program or application that is sometimes
referred to as "Calls home" (Paraphrased from the movie "ET.") and does so
without your authority or knowledge.  These programs are planted on your
computer system for the purpose of obtaining personally identifiable information
that you have stored on your computer.

It is very dangerous to allow programs such as KaZaA to be used on a work
computer or a business network, because of the danger of the disclosure of
private business information.

There are a number of programs in the public domain whose function is to search
your computer for spyware, and provide a means of removing it.  A problem that
comes up when allowing programs such as KaZaA to be used is that it merely
reinstalls the spyware, and thus makes your private information available to the
script kiddies, advertisers, or to most anyone else.

It is a good thing to block the installation of any software that is known to
also install spyware.  One of the unpleasant characteristics of such programs is
that even when uninstalled from your system, they will leave the spyware behind
and in full operation.

You can become more familiar with programs that spy on your personal information
by joining the discussion groups at http://grc.com.

Unfortunately, this inter-connected world that we call the internet is
populated not only by malicious script kiddies but even by government sponsored
intelligence gathering.  The end result is that it has become the
responsibility of each computer and network administrator to add to their skill
set that of securing their respective systems from unauthorized access by
others, and to prevent the disclosure of personal or business information to
others except to the extent intended.

Among some of the insidious applications in the wild are:

1. Keylogger: Records, maintains a record of and reports to a remote location
the keystroke history of a computer user.
2. Backdoor Trojan: Attempts to provide access to others to your computer or
network despite the security you have in place.
3. Virus/worm: Attempts to hijack your email client to replicate itself, or use
your computer as an unwilling participant in transmitting malicious code or
packets to other systems (sometimes referred to as a "distributed denial of
service" attack), or to damage your system or file structure so as to make your
own system unusable for its intended purpose.

No matter the operating system in use, there are known (and unknown)
vulnerabilities that are being discovered (and hopefully patched).

There are many more, of course, and the list is growing almost daily.

Good luck in your studies!

This address is filtered through the open relay database at http://www.ordb.org
and is virus scanned by ANTIVIR
mailto:doug at dwhite.ws
----- Original Message -----
From: "dominique fiori" <dominiquefiori at numericable.fr>
To: <list at dshield.org>
Cc: <hi!@dshield.org>
Sent: Monday, November 25, 2002 4:24 AM
Subject: Re: [Dshield] Kazaa inquiry to dst port 80?

| I am just a beginner on security issue but I would like to intervene on a
| point we covered last week at Uni. I study linux Web admin + security and the
| teacher just warned us on major security issue on KaZaA.
| Hackers, lamers, script kiddies seem also to hang on that soft in order to
| get easy info.
| I understood from my teacher intervention that KaZaA should not be
| authorized in a work environment unless absolutely mandatory as per company
| business.
| when you register on Kazaa you enter a IN name that could be your own name,
| surname or an alias.
| kazaa writes on your hard disk and without any warning spy wares. their names
| will take the name of your login.
| What is in those spy-wares ? what has been downloaded and is not any more on
| your hard disk, the alias of the person you got the data from and what you
| are downloading and of course what you should download next and WHAT ARE YOU
| Those Kazaa spy-wares are located on the shared  directory that other Kazaa
| people can access. I am new on security training but I immediately see the
| danger.
| A hacker could use those info to contact other people from Kazaa pretending
| being you and then through trust, social engineering or else pretend be you.
| imagine that one of your guys falls into that trap.
| I believe there is a huge gap for a security breach here or at least a start
| for further damaging.
| Look I am French therefore that English language I like is not mine therefore
| please excuse my spelling mistakes, pidgin English whatever. do not think
| because of this that my information is not valid.
| Warmest regards and thanks to the numerous people who helped me since the day
| I got stolen 600 megs of data over the net and decided to study security.
| It does not only happen to others !
| Dominique
| On Sunday 24 November 2002 19:05, you wrote:
| > Josh:
| >
| > On Thu, Nov 21, 2002 at 05:57:53PM -0600, Josh Ballard wrote:
| > > > Thought this a bit odd. Notice that the destination port on my end is
| > > > TCP:80
| > > >
| > > > Usually I'd see TCP:1214 on my end.
| > >
| > > As per the options in the newest KaZaA client, if it "feels" filtered,
| > > the next thing it does is attempt to run on port 80.  Pretty much KaZaA
| > > is doing a pretty good job of beating most firewalls right now, but I
| > > did say most.  I've even heard from some of the commercial companies
| > > that say they are a couple weeks out of having updates of their software
| > > out to "fix" this.  I've got a semi-standing solution, though I'm in the
| > > middle of research on this.  Hope that helps.
| >
| > Interesting.
| >
| > I'm not actually filtering Kazaa on 1214, but there's no Kazaa client
| > there either: I'm running my little ACK_hole proggie, which sits on a
| > port and accepts packets, all the while dropping them much like the
| > UNIX discard service.
| >
| > Thanks..
| >
| >
| > - John