Security Incidents mailing list archives
Re: unknown trojan (attached) (fwd)
From: dbrumley () RTFM STANFORD EDU (David Brumley)
Date: Mon, 12 Jun 2000 11:18:18 -0700
In any case, it looks like

1. it connects to 208.139.192.34 on port 23911 to register itself.
2. binds to udp port 52901.
3. changes argv to be identd and fork/exec's to change process name
4. functions on the client: time stats reps size port igmp udp all icmp stream update ping halt-xt gotrcp

The binary sent was not stripped, so functionality should be obvious with gdb.

my $0.02
cheers,
david

On Sun, 11 Jun 2000, Jeremy L. Gaddis wrote:
> > All right, I'm wondering why you, or others, feel that adding a password to a zipped file is useful. I would have liked to take a quick look at it, but I do not look at that sort of thing on a windows machine
>
> There are several hundred users on this list. Many of them are subscribed at work, where incoming e-mail passes through virus scanners. Most virus scanners are smart enough to decompress zip files and scan their contents. If a virus *is* encountered, the message is usually just discarded. This wouldn't do me any good if a virus scanner found out what it was, but just discarded it.
>
> > Please, either take the password off the file at your site, or help me to understand why you feel that adding a password is useful. Yes, there are ways around it (for me), but you are asking for help or advice. Adding a password (that you announced to the list, anyway) does not make zip in any of its incarnations more secure. Use pgp for that.
>
> I wasn't trying to "secure" the file, just allow it to pass through virus scanners. The file is also available gzip'd, at: http://www.blueriver.net/~jlgaddis/trojan.exe.gz.
>
> -jg
>
> --
> Jeremy L. Gaddis <jlgaddis () blueriver net>
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley () Stanford EDU
Phone: +1-650-723-2445   WWW: http://www.stanford.edu/~dbrumley
Fax: +1-650-725-9121     PGP: finger dbrumley-pgp () sunset Stanford EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
Securing NT. Insert Linux boot disk to continue......
"I have opinions, my employer does not."
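The three host-side indicators David lists (the UDP bind on 52901, the registration connection to 208.139.192.34:23911, and the argv rename to identd) can be hunted for on a Linux box straight from /proc. The script below is an added example written for this archive page, not code from either poster; the "real identd" paths are an assumption, and the /proc-format sample data is constructed.

```python
C2_IP, C2_PORT = "208.139.192.34", 23911   # registration target named in the thread
LISTEN_PORT = 52901                        # UDP port the binary binds
SPOOFED_NAME = "identd"                    # name it writes into argv
# Where a genuine identd would live; assumed paths, adjust for the host being checked.
REAL_IDENTD = {"/usr/sbin/identd", "/usr/sbin/in.identd"}

def parse_proc_net(text):
    """Parse /proc/net/{tcp,udp} text into (local_port, remote_ip, remote_port).
    Addresses there are little-endian hex, e.g. 22C08BD0:5D67 is 208.139.192.34:23911."""
    rows = []
    for line in text.splitlines()[1:]:            # first line is the column header
        parts = line.split()
        if len(parts) < 3 or ":" not in parts[1]:
            continue
        _, lport = parts[1].split(":")
        rip, rport = parts[2].split(":")
        rip_dotted = ".".join(str(int(rip[i:i + 2], 16)) for i in (6, 4, 2, 0))
        rows.append((int(lport, 16), rip_dotted, int(rport, 16)))
    return rows

def find_indicators(udp_text, tcp_text, processes):
    """processes: iterable of (pid, raw /proc/<pid>/cmdline, /proc/<pid>/exe target).
    Returns a list of findings; an empty list means none of the indicators matched."""
    findings = []
    for lport, _, _ in parse_proc_net(udp_text):
        if lport == LISTEN_PORT:
            findings.append(f"udp socket bound to port {LISTEN_PORT}")
    for _, rip, rport in parse_proc_net(tcp_text):
        if rip == C2_IP or rport == C2_PORT:
            findings.append(f"tcp connection to {rip}:{rport}")
    for pid, cmdline, exe in processes:
        argv0 = cmdline.split("\0")[0].rsplit("/", 1)[-1]   # basename of argv[0]
        if argv0 == SPOOFED_NAME and exe not in REAL_IDENTD:
            findings.append(f"pid {pid} claims to be {SPOOFED_NAME} but runs {exe}")
    return findings

# Constructed sample data in /proc format: one bound UDP socket, one C2 session
# beside a harmless local connection, a genuine identd and a renamed process.
SAMPLE_UDP = """  sl  local_address rem_address   st
   0: 00000000:CEA5 00000000:0000 07
"""
SAMPLE_TCP = """  sl  local_address rem_address   st
   0: 0100007F:0016 0100007F:D431 01
   1: 0100007F:8010 22C08BD0:5D67 01
"""
SAMPLE_PROCS = [(555, "/usr/sbin/identd\0-e\0", "/usr/sbin/identd"),
                (1234, "identd\0", "/tmp/.x/trojan"),
                (777, "sshd\0", "/usr/sbin/sshd")]

def demo():
    return find_indicators(SAMPLE_UDP, SAMPLE_TCP, SAMPLE_PROCS)

if __name__ == "__main__":
    print("\n".join(demo()) or "no indicators found")
```

On a live host, feed `find_indicators` the contents of /proc/net/udp and /proc/net/tcp plus (pid, cmdline, readlink of exe) tuples gathered from /proc/[0-9]*.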