Full Disclosure mailing list archives

Re: Backdoor.Sdbot.N Question


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 09 Sep 2003 15:12:32 +1200

"James Patterson Wicks" <pwicks () oxygen com> wrote:

> Anyone know how Backdoor.Sdbot.N spreads?  ...

Sure.

It doesn't.

"Backdoor", if properly used in naming malware (with commercial AV 
vendors that is long odds, but let's assume...) is a classification of 
a non-replicating and thus non-self-spreading form of malware.  Thus, 
the answer is, it doesn't spread by itself.

Of course, it can be spread by any means of software distribution you 
can imagine _other than_ those that fall under self-replication.

> ...  This morning we had several
> users pop up with this trojan (or a new variant).  ...

What precisely do you mean by this?

You go on to say that whatever it is they have is not detected by your 
virus scanner, so how do you know what these machines have?  (Let alone 
to such a fine degree of variant naming as ".N"??)

> ...  These users generated a
> ton of traffic until their machines were unplugged from the network. 
> Their systems have all the markers for the Backdoor.Sdbot.N trojan
> (registry entries, etc), but were not picked up by the Norton virus scan. 
> In fact, even if you perform a manual scan after the trojan was
> discovered, it is still not detected in the scan.

Perhaps it is a repackaged version of that malware.

Perhaps it is an entirely new malware that just happens to use the 
same settings?  (The fashion of using existing "legitimate" filenames, 
or close approximations thereto, coupled with the rather limited 
imaginations of your typical skiddies means that originality in such 
matters is not common...)

> I would also like to know if this is also an indicator of not having the
> patch for the Blaster worm.

Well, as we really have no idea what you actually have, it would be a 
tad tricky to say anything much useful about that...  You have the 
machines though, so why don't you test them for the installation of the 
patch.

As to the "big picture" of your question -- these machines could have 
almost anything distributed almost any way.  The last few days exploits 
of the "Object Data Tag" vulnerability of MS03-032 have been popular 
for "distributing" all manner of scumware, so maybe they got smacked 
with one of those?  Or maybe with any of dozens of other things.

Have you sent the suspect file(s) from these machines to a couple of 
malware analysis labs?  To save you looking them up, here are the 
suspicious file submission addresses of the better known AV developers:

   Command Software             <virus () commandcom com>
   Computer Associates (US)     <virus () ca com>
   Computer Associates (Vet/EZ) <ipevirus () vet com au>
   DialogueScience (Dr. Web)    <Antivir () dials ru>
   Eset (NOD32)                 <sample () nod32 com>
   F-Secure Corp.               <samples () f-secure com>
   Frisk Software (F-PROT)      <viruslab () f-prot com>
   Grisoft (AVG)                <virus () grisoft cz>
   H+BEDV (AntiVir):            <virus () antivir de>
   Kaspersky Labs               <newvirus () kaspersky com>
   Network Associates (McAfee)  <virus_research () nai com>
   Norman (NVC)                 <analysis () norman no>
   Sophos Plc.                  <support () sophos com>
   Symantec (Norton)            <avsubmit () symantec com>
   Trend Micro (PC-cillin)      <virus_doctor () trendmicro com>
     (Trend may only accept files from users of its products)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
