Full Disclosure mailing list archives
Re: another new worm submission
From: Jerry Heidtke <insecure () ameritech net>
Date: Fri, 04 Jun 2004 19:54:32 -0700
Paul Schmehl wrote:
> --On Friday, June 04, 2004 03:55:05 PM -0500 insecure <insecure () ameritech net> wrote:
>
> For someone who knows nothing about his network, you sure are willing to make a lot of assumptions. You admit you don't know how the systems were compromised and you don't know what compromised them, yet you castigate him for leaving port 445 open and not patching and you assume this happened *remotely*?
>
>> McAfee 7.1.0 with DAT 4364 (6/2/04) detects it as BackDoor-CCT. This is not a worm, it's a trojan. Your systems are being remotely compromised, possibly with an auto-rooter targeting the lsass vulnerability, which instructs the compromised system to download, install, and run this trojan. This trojan includes a keystroke logger, and additional components that you seem to have missed. Assume that system and any web site passwords have been compromised. Warn the users of these systems that unless they change any financial site passwords they are likely to be victims of theft.
>>
>> How are these systems getting compromised? Why don't you have this patch deployed yet? Why are these systems reachable from the Internet over port 445?
>>
>> You've got more problems than new worms.
>
> One of which is miserable comforters.
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/
You're right, I made an assumption that the systems were being compromised remotely rather than being deliberately and maliciously hacked by insiders. Would this somehow be less of a problem? Having systems with routable addresses reachable through port 445 is the most likely avenue of compromise, if this is not the case then Josh would be well advised to determine exactly what is going on with his network.
He did say there was more than one infected system displaying symptoms of attack against lsass, and that he couldn't find AV definitions to pick it up, although it's been detectable as a variant for up to six weeks, and someone else posted detections by 8 different AV packages. I also stated that there are other components which he didn't find, which was another assumption but one which is proven true by a quick perusal of any AV vendor's write-up on this.
Since the malware he posted doesn't spread automatically and doesn't attack lsass, there is obviously something else going on, which was the point I was trying to make. Apparently I was too obtuse for some people. I think I suggested some avenues of investigation that may prove helpful to the OP. In what way were your comments helpful?
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
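The message above argues that hosts with routable addresses reachable on port 445 are the most likely avenue of compromise and that the original poster should work out what is actually happening on his network. The following is an added example, not code from this thread or from any of its participants: it runs a simple exposure check over constructed firewall or flow log lines (the log format, the field names, and the addresses, which are taken from the IANA documentation ranges, are all assumptions made for the example) and reports which hosts accepted SMB connections from outside the organisation's internal ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log lines (not from the thread): timestamp, src, dst, dport, action.
# Source and destination addresses use the TEST-NET documentation ranges.
SAMPLE_LOG = """\
2004-06-04T15:01:02 src=203.0.113.17 dst=198.51.100.5 dport=445 action=allow
2004-06-04T15:01:05 src=10.0.0.8 dst=198.51.100.5 dport=445 action=allow
2004-06-04T15:02:11 src=203.0.113.17 dst=198.51.100.9 dport=445 action=allow
2004-06-04T15:03:40 src=203.0.113.44 dst=198.51.100.9 dport=80 action=allow
2004-06-04T15:04:02 src=203.0.113.44 dst=198.51.100.5 dport=445 action=deny
2004-06-04T15:05:13 src=192.0.2.200 dst=198.51.100.12 dport=139 action=allow
"""

# SMB / NetBIOS session ports that should not be reachable from the Internet.
SMB_PORTS = {139, 445}

# Assumed internal address space for this example: RFC 1918 plus loopback and
# link-local. Listed explicitly rather than relying on ipaddress.is_private,
# which also treats the documentation ranges used above as private.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one 'ts key=value ...' log line into a dict (assumed format)."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    return {
        "ts": parts[0],
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "action": fields["action"],
    }


def exposed_smb_hosts(log_text):
    """Return {dst_ip: sorted external source IPs} for allowed inbound SMB
    connections whose source lies outside the internal ranges."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] not in SMB_PORTS or rec["action"] != "allow":
            continue  # not SMB, or already blocked by the firewall
        if is_internal(rec["src"]):
            continue  # internal-to-internal SMB is expected traffic
        hits[str(rec["dst"])].add(str(rec["src"]))
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


if __name__ == "__main__":
    for host, sources in sorted(exposed_smb_hosts(SAMPLE_LOG).items()):
        print(f"{host} accepted SMB from external: {', '.join(sources)}")
```

Each host that appears in the output is one whose SMB service is reachable from the Internet and therefore a candidate for the lsass-style remote compromise discussed in the thread; the same hosts are the ones to prioritise for patching and for blocking ports 139 and 445 at the perimeter.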