Full Disclosure mailing list archives

Re: Exploiting a Worm


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 14 Sep 2005 10:54:47 +1200

Ian Gizak wrote:

> I'm pentesting a client's network and I have found a Windows NT4 machine 
> with TCP ports 620 and 621 open.
> 
> When I netcat this port, it returns garbage binary strings. When I connect 
> to port 113 (auth), it replies with random USERIDs.
> 
> According to what I have found, this behaviour would mean the presence of 
> the Agobot worm.

That is too limited a set of observations to draw that conclusion for 
sure.  After all, the source of various variants of various forks of 
most of the vaguely "popular" bots is available (which is largely why 
those bots are "popular"), so could easily have been partially copied 
in making a "new" bot (and we see a lot of evidence suggesting that 
this happens often).  Likewise, some "key features" of any given 
mainstream bot are equally likely to have been derived from other, pre-
existing "publicly" available code...

> A full TCP scan revealed the following result:
> <<snip>>
> I have checked the open ports and none of them seems to be the worm's FTP server or 
> anything useful related to the worm. Some ports allow input but don't reply with 
> anything...
> 
> Does anyone know a way to exploit this worm to get access to the system?

Well, that will depend on precisely what variant of what code you have 
listening on those ports, and even on what compiler and options the 
binary was built with AND the precise CPU architecture, OS and 
configuration options the code is running on.

Of course, if you can get a sample of the binary off the machine, you 
can reverse it and work out those answers for yourself, but I doubt 
anyone here can divine them for you, from this distance...

...

I take it the VNC ports didn't prove useful?  VNC is often installed by 
malware, with trivial ("qwerty", "1234", "admin", "root", etc, even 
null) access passwords...


Regards,

Nick FitzGerald
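
The port 113 behaviour Ian reports (random USERIDs) is the one indicator in this thread that can be checked systematically rather than by eye. The following Python is an added example, not code from the original message or from any bot: it parses RFC 1413 ident replies and flags a host whose answers for the same port pair vary between queries, which a real identd does not do. The sample replies are constructed. Nick's caveat applies here as well: a privacy-oriented ident daemon configured to hand out spoofed or random names produces the same signal, so the verdict is triage evidence, not an identification of any particular bot.

```python
import re
from collections import defaultdict

# Simplified RFC 1413 reply grammar. Real replies look like
#   "6667 , 1025 : USERID : UNIX : alice"  or  "6667 , 1025 : ERROR : NO-USER"
IDENT_RE = re.compile(
    r"^\s*(?P<sport>\d+)\s*,\s*(?P<cport>\d+)\s*:\s*"
    r"(?P<kind>USERID|ERROR)\s*:\s*(?P<rest>.+?)\s*$"
)


def parse_ident_reply(line):
    """Parse one ident reply line.

    Returns (server_port, client_port, kind, value) where kind is "USERID"
    or "ERROR" and value is the user id or the error token; None if the
    line does not follow the RFC 1413 shape at all.
    """
    m = IDENT_RE.match(line)
    if not m:
        return None
    sport, cport = int(m.group("sport")), int(m.group("cport"))
    kind, rest = m.group("kind"), m.group("rest")
    if kind == "USERID":
        # rest is "<opsys> : <userid>"; split once, a user id may contain ':'
        _opsys, _sep, userid = rest.partition(":")
        return sport, cport, kind, userid.strip()
    return sport, cport, kind, rest.strip()


def assess_ident_responses(replies):
    """Classify a host from repeated ident queries for the same port pair.

    replies: iterable of ((server_port, client_port), raw_reply_line).
    A genuine identd answers the same connection with the same owner (or
    the same ERROR token) every time. Several different USERID values for
    one port pair, replies that do not echo the queried ports, or
    unparsable output are what a fake responder built into a bot usually
    produces, so any of them yields the verdict "suspicious".
    """
    per_pair = defaultdict(lambda: {"userids": set(), "errors": set(),
                                    "mismatch": 0, "malformed": 0})
    for (sport, cport), raw in replies:
        rec = per_pair[(sport, cport)]
        parsed = parse_ident_reply(raw)
        if parsed is None:
            rec["malformed"] += 1
            continue
        rs, rc, kind, value = parsed
        if (rs, rc) != (sport, cport):
            rec["mismatch"] += 1      # reply does not echo the queried pair
            continue
        if kind == "USERID":
            rec["userids"].add(value)
        else:
            rec["errors"].add(value)

    report = {}
    for pair, rec in per_pair.items():
        suspicious = (len(rec["userids"]) > 1
                      or rec["mismatch"] > 0
                      or rec["malformed"] > 0)
        report[pair] = {
            "verdict": "suspicious" if suspicious else "consistent",
            "distinct_userids": sorted(rec["userids"]),
            "errors": sorted(rec["errors"]),
            "port_mismatches": rec["mismatch"],
            "malformed": rec["malformed"],
        }
    return report


# Constructed sample captures (not from the thread): five queries for the
# same port pair, as a fake responder and as a real identd would answer.
FAKE_RESPONDER = [((6667, 1025), f"6667 , 1025 : USERID : UNIX : {u}")
                  for u in ("xkq92a", "bnm3pq", "ttrw01", "xkq92a", "qa7z9m")]
REAL_IDENTD = [((6667, 1025), "6667 , 1025 : USERID : UNIX : alice")] * 5

if __name__ == "__main__":
    for label, capture in (("fake responder", FAKE_RESPONDER),
                           ("real identd", REAL_IDENTD)):
        print(label, assess_ident_responses(capture))
```

In practice the `replies` list would be filled from a handful of ident queries for one live connection to the host; the assessment itself runs offline on the captured lines, so it can also be applied to proxy or sensor logs after the fact.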

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
