Malware-Speak Spooks Symantec

Symantec said Wednesday it plans to tweak the behavior of its Norton Internet Security and Norton Personal Firewall products so that they are no longer vulnerable to an annoying but otherwise harmless prank that "script kiddie" hackers have been using for the past week or so to knock users off online chat channels.

Last week, a hacker known as HM2K posted a note on his blog about a Norton security feature that could be abused on Internet Relay Chat (IRC) networks, simple, text-based communities that predate modern instant messaging systems. (Most IRC networks are used for the same purpose as regular instant-message networks like AOL Instant Messenger or MSN Messenger -- to facilitate real-time online communication between two or more people at once. But virus and worm writers also use IRC to update and control their networks of infected computers.)

Turns out that if someone types "startkeylogger" or "stopkeylogger" in an IRC channel, anyone on the channel using the affected Norton products will be immediately kicked off without warning. These are commands typically issued by the Spybot worm, which spreads over IRC and peer-to-peer file-swapping networks, installing a program that records and transmits everything the victim types (known as a keylogger).

Though the author said he didn't post the information so that people would abuse it, abuse it they did. It wasn't long after his posting that you could see users dropping like flies from IRC channels in some of the larger communities like Efnet and Dalnet as pranksters began typing the command all over the place, in some cases repeatedly on the same channel. According to several posters on his blog, a number of IRC channels are now filtering out those phrases.

Obviously, this isn't that big a deal; I just thought it was somewhat interesting. HM2K said he believes this particular glitch has been known to be present in Norton products for the past two years. It was designed, of course, as a feature to protect Norton users from Spybot infestations.

A Symantec spokesperson said the "startkeylogger" trick affects only a small number of its customers (read: those geeky enough to frequent IRC) and works because its Norton products "inspect the user's Internet traffic and block the secret commands that malware writers send to their malicious software that they deploy in the field." The company said it was adjusting its "security content to remove this issue which will be rolled out to customers in our next security update," which it said would be delivered automatically to customers.

Still, it said the "technique of blocking commands that are targeted at malware is a power tool that Symantec plans to continue to use." I have to wonder what other magic words (on what other communications channels) might trigger unexpected results for Norton users?
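To make the false-positive problem concrete, here is an added example (not Symantec's code, and not from the blog) that runs two detection policies over constructed IRC PRIVMSG lines: a raw substring check, which is the shape of behaviour the article describes, and a parse-then-match check that only fires on a bare command token. The command list and the "stopspy" token come from the post and its comments; the nicks, hosts and channel names are made up.

```python
import re

# Tokens the article and comments say the Norton IRC signature reacted to.
BOT_COMMANDS = {"startkeylogger", "stopkeylogger", "stopspy"}

# Constructed sample IRC traffic (not captured data). Each tuple holds the raw
# line and the ground truth: did a bot herder actually issue a command?
SAMPLE_LINES = [
    (":herder!h@c2.invalid PRIVMSG #drones :startkeylogger", True),
    (":alice!a@h.invalid PRIVMSG #chat :startkeylogger", False),          # prank
    (":bob!b@h.invalid PRIVMSG #chat :try typing stopkeylogger lol", False),
    (":carol!c@h.invalid PRIVMSG #chat :how do i stopspyware?", False),
    (":dave!d@h.invalid PRIVMSG #chat :evening all", False),
]

PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!\S+ PRIVMSG (?P<target>\S+) :(?P<text>.*)$"
)


def naive_verdict(line):
    """Substring search over the raw line: any chat line carrying the
    token costs the user the connection, however it was used."""
    low = line.lower()
    return "drop" if any(cmd in low for cmd in BOT_COMMANDS) else "allow"


def tokenised_verdict(line):
    """Parse the PRIVMSG first, then match only when the whole message
    body is one bare command token, the way a bot herder sends it."""
    m = PRIVMSG_RE.match(line)
    if not m:
        return "allow"
    return "drop" if m["text"].strip().lower() in BOT_COMMANDS else "allow"


def evaluate(lines, verdict):
    """Count true and false positives for a verdict function."""
    tp = fp = 0
    for line, is_bot in lines:
        if verdict(line) == "drop":
            if is_bot:
                tp += 1
            else:
                fp += 1
    return {"true_positives": tp, "false_positives": fp}
```

Parsing removes the "stopspyware" and mid-sentence hits, but alice's bare "startkeylogger" still trips the second policy, and that is exactly what the pranks in the article typed; no content match separates it from a real command, which is why the sensible response to a hit on a shared channel is an alert rather than a severed session.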

By Brian Krebs  |  March 2, 2006; 12:45 PM ET


I am not a hacker. Just socially retarded.

Posted by: HM2K | March 2, 2006 7:57 PM | Report abuse

"stopspy" is another keyword that the firewall will close the connection for.

Another case where anti-malware acts like the malware it's trying to disable, haha (first case being sony drm).

Posted by: The MAZZTer | March 2, 2006 8:18 PM | Report abuse

You heard it.
script kiddies go home =(

Posted by: hm2k is a tool | March 2, 2006 9:58 PM | Report abuse

Old timers, this is sort of +++ATH0 on IRC :)

Posted by: Ilgaz | March 2, 2006 10:40 PM | Report abuse

script kiddies go home

Or... stop using Windows. A decade of evidence proves that it's a security nightmare.

Posted by: Ron | March 2, 2006 10:47 PM | Report abuse

My firewall is powered by overclocked leeches, and is immune to such juveli~p@p6ra~~@NO CARRIER

Posted by: President Leechman | March 2, 2006 11:22 PM | Report abuse

That sounds interesting.
Somebody put up more "keylogger" kind of stuff. It would be fun to drive people crazy.

Posted by: Borg | March 3, 2006 12:44 AM | Report abuse

That will teach idiots to use such a cheap and crappy AV and Firewall product.
Not only is it a memory whore but now we find out it's even flakier than we thought.
And people PAY for that crap..

Posted by: Foxhill | March 3, 2006 3:48 AM | Report abuse
Symantec knows about this problem:
"Possible False Positives

This signature will trigger if bot specific commands are embedded in normal IRC conversation."

Posted by: James | March 3, 2006 3:51 AM | Report abuse

The only one who doesn't know this is the Washington Post! :D

Posted by: eric | March 3, 2006 3:53 AM | Report abuse

So the firewall drops the connection when it sees "startkeylogger". Instead of dropping the connection, why not just filter out that word?

Posted by: Daniel | March 3, 2006 8:20 AM | Report abuse

The old trick of "Press Alt + F4 for ops" works great still....

As an op, you can always see at least 10 people drop off a busy channel.

Posted by: Berny Stapleton | March 3, 2006 8:26 AM | Report abuse

Heh, and the funny thing is that if I put my email address in a search engine, it always says there's a virus found. :/

Posted by: anonymous | March 3, 2006 9:56 AM | Report abuse

I like the old rm -rf * in #linuxhelp that usually takes care of the newbies.

Posted by: planet_ | March 3, 2006 12:36 PM | Report abuse

rm -rf *

Um, what if I'm in /tmp, or /this/directory/is/not/root/so/you/are/not/clueful

Posted by: nubcaek | March 3, 2006 12:55 PM | Report abuse

HM2K is a former victim of the +++ATH0 command.

Posted by: AOL | March 3, 2006 2:58 PM | Report abuse

Will the real HM2K please stand up.

Posted by: HM2K | March 3, 2006 3:24 PM | Report abuse

I gave up on Norton's products because in order to receive 1,000 or more messages at a time I had to sit at the computer and answer questions during the download. It would freeze on one questionable message. If I walked away to do something else I saw the frozen download when I returned. For over a year I have used AVG on five computers and it does a far better job as it runs non-stop throughout the download. I use Cloudmark to catch and move the spam to the spam folder. If you try these you'll be amazed!

Posted by: Al Shaver | March 3, 2006 3:54 PM | Report abuse

wtf? they suck a l0t

Posted by: brb | March 3, 2006 8:09 PM | Report abuse

# no you have it all wrong. It is:

rm -fr / > /dev/null 2>&1 &

# there is a slight problem with that. You do NOT
# want to remove rm, and you do NOT want to remove
# the kernel until the last step, BUT that command
# will kill you if logged in as root.


Posted by: Henry Hertz Hobbit | March 4, 2006 7:43 AM | Report abuse

Back in January, we followed your advice to unregister a DLL file to avoid a Windows exploit. Now we need to reverse this, but we can't remember how to do it. I've searched the archive and found the original instructions on how to unregister the DLL file, but how do we put it back? Thanks.

Posted by: J.K. | March 4, 2006 8:47 PM | Report abuse

No one mentions 'dcc send "string" 0 0 0'?
Which only works if dcc and send are in uppercase.

I could write a great firewall using these techniques and probably code it all on one line.
A good bot to write would be one that, if the string is typed, would display
(quit) unkno [] ( Read error: Connection reset by peer )
since I don't use Norton firewall, and I would like to blend in with the rest.

Posted by: unknown | March 5, 2006 1:43 PM | Report abuse

J.K. -- open a command prompt (start, run, type "cmd" and hit "okay").

then type "regsvr32 shimgvw.dll" without the quotes. It should give you a confirmation that registration of shimgvw.dll succeeded, and you should now be able to view thumbnails again.

Posted by: Bk | March 5, 2006 4:40 PM | Report abuse


You are ALL tossas with very small cocks! P.S I fucked your mumma while you were still a twinky in your fathers eye, script kiddie jerkoffs DIEEE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1111

Posted by: jackarse | March 6, 2006 6:18 PM | Report abuse

Guess what? still NOT patched....Another Reason to remove Norton from your PC, and install AVG....and it's continuing to go on, on IRC since then...annoying...

Posted by: GuessWhat? | April 21, 2006 5:40 PM | Report abuse


EZ Antivirus is what I'm using; I haven't used Symantec security. I got good info, thanks.

Posted by: Goel | August 12, 2006 6:38 AM | Report abuse
