Full Disclosure mailing list archives
Re: Trojan author revealed (was: Re: ProFTPD-1.2.9rc2 remote root exploit)
From: Cael Abal <lists () onryou com>
Date: Fri, 24 Oct 2003 20:35:24 -0400
Hrmm. Ok I'm no Sherlock Holmes but even I could see through this 'analysis'. This is obviously an elaborate attempt to soil the reputations of the fine people, dare I say heroes of information security, at GOBBLES security.

Let's examine the case at hand:

1) Someone makes the effort of cutting up an existing public GOBBLES shellcode. An act that requires just as much effort as writing original opcode.

2) This cutup version is used in a 'trojan' even my grandmother would be able to spot. (Obscure in-exploit overflows are way more effective folks, ask HD "I pioneered screensavers" Moore).

3) Some random hero pops up on the list pointing out that 'hey, this is GOBBLES shellcode *WINK*'

Now who, on God's green earth, would recognise shellcode from an obscure exploit that was published months ago. If they didn't have it fresh in memory?

So I think it's rather obvious either zeroboy, or one of his friends is responsible for this trojan. And he has some sort of rancune towards GOBBLES. Either that or he has a serious hardon for memorising hex opcode buffers.

Hi, Mitch -- welcome to the Internet! Here's a tool you might find helpful, it's called a 'Search Engine'! ;)

A quick google for a few bytes worth of shellcode returned a few pages of jinglebellz.c related discussion. http://www.jikos.cz/jikos/dev/shcode.asm for example.

C

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html