Re: Trojan author revealed (was: Re: ProFTPD-1.2.9rc2 remote root exploit)

[Cael Abal <lists () onryou com>]

> Hrmm. Ok I'm no Sherlock Holmes but even I could see through this
> 'analysis'. This is obviously an elaborate attempt to soil the reputations of the fine people, dare I say heros of 
> information
> security, at GOBBLES security. 
>
> Let's examine the case at hand:
>
> 1) Someone makes the effort of cutting up an existing public GOBBLES
> shellcode. An act that requires just as much effort as writing
> original opcode.
>
> 2) This cutup version is used in a 'trojan' even my grandmother
> would be able to spot. (Obscure in-exploit overflows are way more
> effective folks, ask HD "I pioneered screensavers" Moore). 
>
> 3) Some random hero pops up on the list pointing out that
> 'hey, this is GOBBLES shellcode *WINK*'
>
> Now who, on God's green earth, would recognise shellcode from
> an obscure exploit that was published months ago. If they
> didn't have it fresh in memory? 
>
> So I think it's rather obvious either zeroboy, or one of his
> friends is responsible for this trojan. And he has some sort of
> rancune towards GOBBLES. Either that or he
> has a serious hardon for memorising hex opcode buffers.

Hi, Mitch -- welcome to the Internet!  Here's a tool you might find
helpful, it's called a 'Search Engine'!  ;)

A quick google for a few bytes worth of shellcode returned a few pages
of jinglebellz.c related discussion.

http://www.jikos.cz/jikos/dev/shcode.asm for example.

C

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html