Re: another new worm submission

[Jerry Heidtke <insecure () ameritech net>]

Paul Schmehl wrote:

> --On Friday, June 04, 2004 03:55:05 PM -0500 insecure 
> <insecure () ameritech net> wrote:
>
> > McAfee 7.1.0 with DAT 4364 (6/2/04) detects it as BackDoor-CCT. This is
> > not a worm, it's a trojan. Your systems are being remotely compromised,
> > possibly with an auto-rooter targeting the lsass vulnerability, which
> > instructs the compromised system to download, install, and run this
> > trojan. This trojan includes a keystroke logger, and additional
> > components that you seem to have missed. Assume that system and any web
> > site passwords have been compromised. Warn the users of these systems
> > that unless they change any financial site passwords they are likely to
> > be victims of theft.
> >
> > How are these system getting compromised? Why don't you have this patch
> > deployed yet? Why are these systems reachable from the Internet over 
> > port
> > 445?
> For someone who knows nothing about his network, you sure are willing 
> to make a lot of assumptions. You admit you don't know how the systems 
> were compromised and you don't know what compromised them, yet you 
> castigate him for leaving port 445 open and not patching and you 
> assume this happened *remotely*?
>
> > You've got more problems than new worms.
> One of which is miserable comforters.
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/

You're right, I made an assumption that the systems were being 
compromised remotely rather than being deliberately and maliciously 
hacked by insiders. Would this somehow be less of a problem? Having 
systems with routable addresses reachable through port 445 is the most 
likely avenue of compromise, if this is not the case then Josh would be 
well advised to determine exactly what is going on with his network.

He did say there were more than one infected system that were displaying 
symptoms of attack against lsass, and that he couldn't find AV 
definitions to pick it up, although it's been detectable as a variant 
for up to six weeks, and someone else posted detections by 8 different 
AV packages. I also stated that there are other components which he 
didn't find, which was another assumption but one which is proven true 
by a quick perusal of any AV vendors' write-up on this.

Since the malware he posted doesn't spread automatically and doesn't 
attack lsass, there is obviously something else going on, which was the 
point I was trying to make. Apparently I was too obtuse for some people. 
I think I suggested some avenues of investigation that may prove helpful 
to the OP. In what way were your comments helpful?


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html