Security Incidents mailing list archives

ATD OpenSSL Mass Exploiter Analysis (another "/sumthin" scan tool)


From: Joe Stewart <jstewart () lurhq com>
Date: Mon, 7 Apr 2003 17:54:54 -0400

There have been several posts over the past few months inquiring about http
requests with the fingerprint "GET /sumthin HTTP/1.0". One poster found source
code and posted it here:
http://www.securityfocus.com/archive/75/313283/2003-02-23/2003-03-01/2

I have, however, come across a completely different tool that uses the same
GET request. It may be a second version of the tool, but the package has 
some interesting properties, perhaps even a surprise for the script kiddies 
who are using it.  It comes packaged as a set of binaries, so I have 
disassembled it and have posted an analysis here:

http://www.lurhq.com/atd.htm

-Joe

-- 
Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/



