Full Disclosure mailing list archives
FW: smarter dcom worm
From: "Bassett, Mark" <mbassett () omaha com>
Date: Wed, 13 Aug 2003 13:56:05 -0500
-----Original Message-----
From: Bassett, Mark
Sent: Wednesday, August 13, 2003 1:56 PM
To: 'gml'
Subject: RE: [Full-disclosure] smarter dcom worm

Using NetBIOS over the internet would not be a very reliable spreading technique. It would work great for LAN infection. Besides, someone might actually notice a shared folder :P

-----Original Message-----
From: gml [mailto:gml () phrick net]
Sent: Tuesday, August 12, 2003 6:58 PM
To: 'Justin Shin'; 'Full-Disclosure () Lists Netsys Com'
Subject: RE: [Full-disclosure] smarter dcom worm

I agree with Justin. You would think that by now someone would write a random address generator that would solve the obvious timing problems that most worms seem to suffer from. I was thinking more along the lines of generating a random IP but on the first 3 octets and going through the entire class C.

Also, why did this worm carry around a dummy tftp server? NetBIOS is available as a transport method natively in the target OS. Don't get me wrong, NetBIOS isn't the most reliable of network file systems, but it is certainly more lightweight to use this approach than an embedded tftp server. I think it also solves that whole filtering "problem" to an extent.

I am also not trying to encourage this; this worm was a serious pain for me this week, as I imagine it was for a lot of people.

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Justin Shin
Sent: Tuesday, August 12, 2003 6:32 PM
To: Full-Disclosure () Lists Netsys Com
Subject: [Full-disclosure] smarter dcom worm

As many people have said, this worm sucks. First of all, look at the host discovery mechanism. Random IPs are sooooo outdated. A better idea? Start with:

1. Subnet (192.168.x.x)
2. WAN address [for NATs] (24.31.34.x)
3. Incremental WAN (24.31.x.x)

Obviously not a new idea but also not a bad one. I am sure that your average college-level math professor could simplify the host discovery process.

tftp: slow, old, but easy to use. Probably straight-up FTP would be a better dropping protocol, no?

Registry/Run is the oldest known startup method. Try actually using MULTIPLE startups, like Registry RunServices, RunOnce, RunServicesOnce, AUTOEXEC.BAT, SYSTEM.INI, WIN.INI, WINSTART.BAT, WININIT.INI, CONFIG.SYS ... etc. Once installed, the program should spawn copies of itself, using startup methods, hidden files, fake system exes, etc. It should block out filenames of patches, windowsupdate stuff, fixes, to stop newbies from fixing it.

The worm should also have a more interesting payload -- such as looking at inetpub and htdocs, etc.

Note -- I'm not trying to encourage this stuff, I am just pointing out some key flaws in this worm. The next one may have all of these features and much more, because I am not a very creative guy.

-- Justin

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
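The thread's technical point is target selection: Justin's ordering (own subnet first, then the /24 of the public address, then the rest of the /16) and gml's "pick three octets, walk the class C" both produce sweeps that look very different from a flat random-IP generator when seen from the network. The defender's side of that is telling those patterns apart in connection logs. The following is an added example, not code from the original thread or from any worm: it parses constructed firewall lines (the key=value format, the addresses and the log lines are all made up here; the `src`/`dst`/`dport`/`flags` field names are an assumption) for TCP SYNs to the RPC/SMB ports 135, 139 and 445 and labels each source by where its targets sit relative to the source's own address.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (made up for this example, not real 2003 traffic).
def _make_logs():
    lines = []
    # 1. A host sweeping its own /24 on TCP 135 ("subnet first").
    for i in range(1, 13):
        lines.append(f"2003-08-12 18:32:{i:02d} src=192.168.1.50 dst=192.168.1.{i} "
                     f"proto=TCP dport=135 flags=S")
    # 2. A host walking neighbouring /24s inside its own /16 ("incremental WAN").
    for third in (34, 35, 36):
        for i in range(1, 6):
            lines.append(f"2003-08-12 18:40:{i:02d} src=24.31.34.7 dst=24.31.{third}.{i} "
                         f"proto=TCP dport=135 flags=S")
    # 3. A host hitting unrelated /8s (flat random-IP generator).
    for i, dst in enumerate(["5.6.7.8", "66.1.2.3", "130.9.9.9", "200.1.1.1",
                             "61.3.3.3", "12.12.12.12", "99.1.1.1", "150.5.5.5"]):
        lines.append(f"2003-08-12 18:50:{i:02d} src=203.0.113.9 dst={dst} "
                     f"proto=TCP dport=135 flags=S")
    # 4. Ordinary use: two SYNs plus one non-SYN packet that must be ignored.
    lines.append("2003-08-12 18:55:00 src=10.0.0.5 dst=10.0.0.1 proto=TCP dport=135 flags=S")
    lines.append("2003-08-12 18:55:01 src=10.0.0.5 dst=10.0.0.2 proto=TCP dport=445 flags=S")
    lines.append("2003-08-12 18:55:02 src=10.0.0.5 dst=10.0.0.3 proto=TCP dport=135 flags=A")
    return lines

SAMPLE_LOGS = _make_logs()

# Assumed log layout: "... src=A dst=B proto=TCP dport=N flags=F".
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=TCP dport=(\d+) flags=(\S+)")

RPC_SMB_PORTS = frozenset({135, 139, 445})


def syn_targets(lines, ports=RPC_SMB_PORTS):
    """Map each source address to the set of distinct hosts it sent SYNs to on `ports`."""
    targets = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport, flags = m.groups()
        if flags != "S" or int(dport) not in ports:
            continue
        targets[src].add(ipaddress.ip_address(dst))
    return targets


def classify_sweep(src, dsts, min_hosts=5):
    """Label a source's scan pattern by how its targets sit relative to its own address.

    'adjacent-wan' : targets span two or more /24s inside the source's /16
    'local-subnet' : at least min_hosts distinct targets inside the source's own /24
    'random'       : at least min_hosts targets with no relation to the source's /16
    None           : too few distinct targets to call anything
    """
    if len(dsts) < min_hosts:
        return None
    src_ip = ipaddress.ip_address(src)
    own24 = ipaddress.ip_network(f"{src_ip}/24", strict=False)
    own16 = ipaddress.ip_network(f"{src_ip}/16", strict=False)
    subnets_in_own16 = {ipaddress.ip_network(f"{d}/24", strict=False)
                        for d in dsts if d in own16}
    if len(subnets_in_own16) >= 2:
        return "adjacent-wan"
    if sum(1 for d in dsts if d in own24) >= min_hosts:
        return "local-subnet"
    return "random"


def find_sweeps(lines, min_hosts=5):
    """Return {src: label} for every source whose SYN pattern crosses the threshold."""
    findings = {}
    for src, dsts in syn_targets(lines).items():
        label = classify_sweep(src, dsts, min_hosts)
        if label is not None:
            findings[src] = label
    return findings


if __name__ == "__main__":
    for src, label in find_sweeps(SAMPLE_LOGS).items():
        print(f"{src:16} {label}")
```

The labels are relative to the source address as the firewall sees it, so a NATed infected host sweeping its public /24 shows up as `adjacent-wan` or `local-subnet` depending on which side of the NAT the log was taken, and a threshold of five distinct hosts is low enough to catch the first minute of a sweep but will also flag a vulnerability scanner; tune `min_hosts` and the port set to the environment before alerting on it.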