Security Incidents mailing list archives
Re: SV: Q328691 ?
From: "jennifer smith" <aladin168 () hotmail com>
Date: Sun, 08 Sep 2002 22:48:38 -0400
Hi H C,

I posted "follow-up on Microsoft Knowledge Base Article - Q328691" this morning to mention some things Microsoft has missed. They definitely missed the Netcat program, and the other *possible* Unix type of bot that requires Cygwin. My posting is at
http://groups.google.com/groups?q=Q328691&hl=zh-TW&lr=&ie=UTF-8&oe=UTF-8&selm=bf0f8e77.0209080706.7f395b0c%40posting.google.com&rnum=1

I haven't dealt with any previous IRC/Flood virus, so I can't say much in that area. You definitely have done your analysis. I certainly would like to learn more about what you have learned.
IRC was fun, until the hackers started using it as a tool. It's unfortunate, but I think we just have to deal with the fact. I am sure there will be another IRC type of virus because it's effective, and there are so many people on IRC...
Please let me know what you guys have found out there too besides this one. Keep in touch.

/Kyle
Kyle Lai, CISSP, CISA, MCSE
aladin168 () hotmail com
From: H C <keydet89 () yahoo com>
To: kruse () railroad dk, 'Bronek Kozicki' <brok () rubikon pl>, incidents () securityfocus com
CC: aladin168 () hotmail com
Subject: Re: SV: Q328691 ?
Date: Sat, 7 Sep 2002 04:44:02 -0700 (PDT)

> I believe the following link might be of interest and provide you with
> further information about this malware.

Very interesting and detailed write-up. One small suggestion, though, for completeness only. When dealing w/ binaries on Win32 systems, one may very often find resource information still compiled into the executable... product version information, etc. MS does this with most all of their EXE files (can't say 100% as I haven't tested them all). However, when I analyzed the russiantopz bot, this is one of the first things I did, and found that the bot was mIRC 5.82, and that the program to hide the mIRC client window from the desktop was "hidewndw.exe". From the research I did to support my findings, this seems to be a very popular combination.

The bot I analyzed had been dropped on an IIS 5.0 server, and through testing, I was able to verify that the final executable (i.e., the bot itself) would have only been running in the IUSR_* context... no Admin passwords were guessed. If the compressed package of files had included any of the priv escalation EXEs (the Masy worm included the DebPloit EXE in its package), things might have been worse.

I think that the linked articles/web sites have pointed out a lot of very interesting info, and filled in the gaps left by the MS "analysis". In particular, these things aren't so much insidious as they are successful due to laziness on the part of the admins. If these bits of malware really are as rampant as the alert would have us believe, then perhaps it's not so much a lack of security in MS products as it is in the culture of the administrators.
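On H C's point about resource information compiled into Win32 binaries: the following is an added example, not code from this thread or from anyone quoted in it, showing how an analyst can pull the VS_VERSIONINFO strings (ProductName, FileVersion, OriginalFilename and so on) out of a dropped executable for triage. It scans the raw bytes for the version String structures rather than walking the PE resource directory, so it also works on a carved or partially damaged file; the sample blob, its values and the file name `verinfo.py` are constructed for this example.

```python
import struct
import sys

# String keys commonly present in a Win32 VS_VERSIONINFO StringFileInfo block.
VERSION_KEYS = ("CompanyName", "FileDescription", "FileVersion", "InternalName",
                "OriginalFilename", "ProductName", "ProductVersion")

def extract_version_strings(data):
    """Return {key: value} for the version-resource strings in raw PE bytes.
    Each String struct is wLength, wValueLength, wType (uint16 each), the
    NUL-terminated UTF-16LE key, padding to a 4-byte boundary, then the value;
    resource data is 4-byte aligned in the file, so file offsets are used."""
    found = {}
    for key in VERSION_KEYS:
        needle = key.encode("utf-16-le") + b"\x00\x00"
        pos = data.find(needle)
        if pos < 6:                      # absent, or no room for the 6-byte header
            continue
        _, value_len, value_type = struct.unpack_from("<HHH", data, pos - 6)
        if value_type != 1:              # 1 = text; anything else is not a string
            continue
        off = pos + len(needle)
        off += (-off) % 4                # skip Padding before Value
        raw = data[off:off + value_len * 2]   # wValueLength counts UTF-16 words
        found[key] = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return found

def build_sample_versioninfo(strings):
    """Constructed StringFileInfo-style blob for offline testing (not a real PE)."""
    blob = b"MZ" + b"\x00" * 14          # constructed 16-byte stand-in for a header
    for key, value in strings.items():
        k = key.encode("utf-16-le") + b"\x00\x00"
        v = value.encode("utf-16-le") + b"\x00\x00"
        pad = (-(6 + len(k))) % 4        # align Value to 4 bytes, as in the real layout
        body = k + b"\x00" * pad + v
        entry = struct.pack("<HHH", 6 + len(body), len(v) // 2, 1) + body
        blob += entry + b"\x00" * ((-len(entry)) % 4)   # align the next String
    return blob

if __name__ == "__main__":
    if len(sys.argv) > 1:                # real binary: python3 verinfo.py sample.exe
        data = open(sys.argv[1], "rb").read()
    else:                                # constructed sample so it runs offline
        data = build_sample_versioninfo({"ProductName": "ExampleClient",
                                         "FileVersion": "1.2.3.4",
                                         "OriginalFilename": "client.exe"})
    for key, value in extract_version_strings(data).items():
        print(f"{key}: {value}")
```

Run it against a suspect file on an isolated analysis box; a binary whose ProductName and OriginalFilename do not match the name it was dropped under is exactly the kind of mismatch that identified the mIRC client and hidewndw.exe in the case above.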
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com