Symantec bites the hand that feeds..

Posted by jericho Wed, 07 Dec 2005 01:03:19 GMT

Just over ten years ago (95-09-15) Hobbit wrote a little tool called netcat (aka nc), swiftly dubbed the “TCP/IP Swiss Army knife”. Hobbit was affiliated with the l0pht, which was later purchased by @stake, which was later purchased by Symantec. At some point (circa 1998), Weld Pond ported the netcat utility to Windows. Weld was an original member of the l0pht and later the Director of Research and Development with @stake. Weld’s version was distributed at @stake for some time. Suffice it to say, the l0pht, @stake and its members/employees supported netcat’s use and distribution.

Jump forward to today, and Symantec now classifies netcat on a system as a High Risk Impact. As aj reznor asked, “is that to say that SYM bought a company known then for offering naughty things?” Let us also remember that Symantec owns SecurityFocus which conveniently offers the tool in their tool repository.

Also amusing are Symantec’s “technical details” for this “hacker tool”:

Hacktool.NetCat arrives as a tool commonly carried by malicious components and dropped on the compromised computer for remote exploitation.

When Hacktool.NetCat is executed, it performs the following actions:

1. Transmits data across network connections.

Yes, there is no number two on the list. Hopefully Symantec will have the foresight to classify TCP/IP stacks as “Hacktool.TCPIP” and label it a “High Risk Impact” if found on a system.


Comments

  1. singe said 1 day later:

    After following some links about this, I noticed “WEB-MISC nc.exe attempt” in my snort logs.

    I can see the value in listing this as a potential worry, but I agree classifying it as “High Risk” is silly.
