Honeypots mailing list archives
Re: botnet logs
From: Valdis.Kletnieks () vt edu
Date: Mon, 17 Nov 2008 12:48:53 -0500
On Mon, 17 Nov 2008 10:15:06 EST, dxp said:
Many trojans these days can easily bypass default firewall protection in XP SP2. If any of those include self-replication with an exploit against some vulnerability (ms08-067), then history will be repeated, to a certain extent.
Read carefully what I said - the trojan needs to have *already* gotten into the box to turn off the firewall. If you get a worm trying to exploit (for example) ms08-067, and it tries to go scanning across a subnet to find vulnerable boxes, it's simply not going to find a lot. Yes, it will find a *few* older boxes that still don't have a good firewall - but for *most* of them, the firewall will stop things before the packet gets in far enough to exploit ms08-067. (Of course, if you found a really cool exploit against the firewall code itself, that allowed you to abuse the firewall to run your code before it rejected your packet, you'd be on to something big... :) Now, using that botted box as a fast-flux exploit-on-demand server that's pointed to by a malicious URL planted elsewhere - *THAT* will work just fine.
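To make the propagation argument above concrete, here is a small simulation added as an illustration (not code from the thread or from either poster). It models a worm scanning a single /24 for a vulnerable service, where each host is either exposed or behind a default-deny inbound firewall that drops the exploit packet before the service ever sees it. The subnet size, the number of scans per round, the number of rounds and the firewall adoption fractions are all assumed parameters chosen for the example; the only thing it is meant to show is how quickly a scanning worm runs out of reachable boxes once most of the population filters inbound traffic.

```python
import random

SUBNET_SIZE = 254  # usable hosts in a /24 (assumed scan range for the model)


def simulate_scanning_worm(firewalled_fraction, rounds=20, scans_per_round=10, seed=1):
    """Model a worm that spreads by scanning one /24 for a vulnerable service.

    Each host is either exposed or behind a default-deny inbound firewall that
    drops the exploit packet before the vulnerable service ever sees it.
    Returns (infected_hosts, exposed_hosts): how many boxes the worm holds after
    `rounds` scanning rounds, and how many were reachable at all.
    All parameters are assumptions of this example, not measurements.
    """
    rng = random.Random(seed)
    hosts = list(range(1, SUBNET_SIZE + 1))
    # Decide per host whether the default-deny inbound firewall is in place.
    firewalled = {h: rng.random() < firewalled_fraction for h in hosts}
    # Patient zero is the box the trojan already got into by some other route
    # (e.g. a malicious URL), so its own firewall state does not matter here.
    infected = {hosts[0]}
    for _ in range(rounds):
        new_infections = set()
        for _src in infected:
            for _ in range(scans_per_round):
                target = rng.choice(hosts)
                if target in infected or target in new_infections:
                    continue  # already compromised; nothing new to gain
                if firewalled[target]:
                    continue  # inbound packet dropped; the exploit never runs
                new_infections.add(target)
        infected |= new_infections
    exposed = sum(1 for h in hosts if not firewalled[h])
    return len(infected), exposed


def compare_populations(fractions=(0.0, 0.5, 0.9)):
    """Run the model for several firewall adoption levels and tabulate results."""
    return {f: simulate_scanning_worm(f) for f in fractions}


if __name__ == "__main__":
    for frac, (infected, exposed) in compare_populations().items():
        print(f"firewalled {frac:>4.0%}: {exposed:>3} exposed hosts, "
              f"{infected:>3} infected after 20 rounds")
```

The infected count can never exceed the exposed count plus patient zero, which is the point of the reply: the firewall removes targets from the worm's reachable set rather than merely slowing it down. The model deliberately leaves out the second path the reply describes, a malicious URL pulling the exploit from a botted box, because there the victim initiates the outbound connection and the inbound filter never comes into play.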