Security Incidents mailing list archives
Re: cuebot-d infection method
From: "Simon Borduas" <sborduas () hypertec ca>
Date: Mon, 29 Aug 2005 14:11:13 -0400
Right on Matt. This new breed of malware is all about patch management. Simon On 26 Aug 2005 at 16:20, matt wrote:
Jeff Bryner wrote:I've seen a couple cuebot-d infections over the last couple days and am trying to track down the source of them. Has anyone seen enough of this to know the universe of ways the pc gets initially infected? The pcs that have gotten infected have mcafee running on them which incorrectly picks it up as W32/Sdbot.worm.gen.by when a scan is requested. It didn't seem to pick it up *until* a scan was requested. The writeup at http://www.sophos.com/virusinfo/analyses/w32cuebotd.html fits the scenario, but it doesn't say exactly what the initial infection vector is. Thanks for any help. Jeff CISSP, GCIH, GCFASdbot has many infection vectors and is easy to modify. Usually as soon as a new MS bug is discovered somebody mods it into sdbot or one of these variants. I have seen an sdbot using about 20 different infection methods from lsass, ntpass/share cracking to the new win2k bug. Regards Matt Learn Security Online, Inc.
Current thread:
- RE: cuebot-d infection method, (continued)
- RE: cuebot-d infection method Jason Burton (Aug 25)
- Re: cuebot-d infection method Jayson Anderson (Aug 25)
- Re: cuebot-d infection method Harlan Carvey (Aug 26)
- Re: cuebot-d infection method Jeff Bryner (Aug 29)
- Re: cuebot-d infection method Harlan Carvey (Aug 29)
- Re: cuebot-d infection method Jayson Anderson (Aug 29)
- Re: cuebot-d infection method Jose Nazario (Aug 29)
- Re: cuebot-d infection method Jeff Bryner (Aug 25)
- Re: cuebot-d infection method Simon Borduas (Aug 29)