RE: Zotob Worm Remover

["Todd Towles" <toddtowles () brookshires com>]

Wireless really isn't a issue. You can get a worm from a cat 5 as easy
as you can from wireless. The problem was they weren't patched. Why
weren't they patched? Perhaps Change policy slowed them down, perhaps it
was the fear of broken programs..perhaps it was the QA group..it doesn't
really matter. They go the worm because they were not patched.

This worm isn't just proof, it is more proof. But everyone on the list
is fully aware of the holes in corporate networks. Spear-phishing,
custom modified keyloggers, rootkit/botnet drive by installs... This
worm didn't proof anything new to any IT professional.

-Todd 

> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk 
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of n3td3v
> Sent: Monday, August 22, 2005 11:30 AM
> To: full-disclosure () lists grok org uk
> Subject: Re: [Full-disclosure] Zotob Worm Remover
>
> On 8/22/05, Todd Towles <toddtowles () brookshires com> wrote:
> > Diabl0 will be happy to know that it just deletes the worm
>
> The worm is just proof that corporate security can be 
> by-passed. It shows how hackers can target individuals within 
> the enterprise and compromise their wireless device over the 
> weekend while the corporate user is doing out of office work.
>
> The wireless devices were most likely the primary source of 
> the spread. Media outlets are reporting wireless devices were 
> only an accessory to the spread of the worm. Isn't it the 
> case that this worm was carefully planned out and 
> coordinated. Isn't it the case that the corporations hit were 
> hand picked by the hacker. Isn't it the case that the hackers 
> knew the owners of the wireless devices by name.
> Isn't it the case that more research and background work was 
> done before releasing this to the affected enterprises than 
> experts are reporting to the public at large.
>
> Corporations need to give all employees more advanced 
> training in patching their personal wireless devices, which 
> are being used over the weekend, and require them to be 
> patched before the connect to corporate infrustructure on 
> Monday morning, or during the weekend for those corporate 
> users accessing the work place remotely from home.
>
> I think if the affected corporations don't learn from Zobtob 
> then the same will happen again. Its vital enterprises now 
> review policy in respect of this, as its becoming more common 
> place that hackers are hitching a ride on wireless devices 
> and hackers no longer need to worry about compromising 
> corporate security, as unsuspecting employees are only too 
> easy to target and infect, for the end game of allowing an 
> infected device beyond the production servers and straight 
> into the internal network of many of the big dot-com's.
>
> Its not completey clear who diabl0 is currently. Theres more 
> than one diabl0 out on the web. A query on Google brings up 
> indivduals posting on discussion forums, as well as a 
> defacement group named diabl0, who funnily have been more 
> than willing to submit their defacements to Zone-H.
>
> These guys have been around for a while and know what their 
> doing is the generally impression I get.
>
> I don't know if diabl0 was clever enough to research and 
> coordinate and target laptops to propogate the worm, but it 
> would be only too easy to do in the future if someone is 
> willing to put in enough preperation time into planning the 
> assault on known employees of an enterprise.
>
> I've been watching too many movies and using illegal 
> substances. Time for me to go now.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/