Security Incidents mailing list archives
RE: Malware/trojan attacks
From: lucretias <lucretias () shaw ca>
Date: Thu, 26 Oct 2006 18:21:39 -0600
Harlan
Just out of curiosity, what are you seeing that leads you to say this? I'm not sure that I see anything in Richard's original email that suggests a rootkit at this point.
I have seen broken or failed attempts that resemble this. Not identical or using the same IP's, but using a trojan to infect, then quickly get the backdoors in place, but they don't work or may not work. I don't know if it is part of a rootkit, or other malware, it simply reminded me of this event so I thought I'd mention it.
You should determine (if possible) what rootkit has infected the machine. It sounds like a new variant or perhaps a new tool altogether.Again, what leads you to think this, if you don't mind me asking?
What leads me to ask to check for rootkits? Well there is a variety of software available that can do this. Why not? Maybe something (else) suspicious will pop up. I wasn't trying to be conclusive, just making a suggestion. Sorry if anyone misunderstood as a result.
I would suggest wiping the box and rebuilding it if you cannot determine exactly what is the culprit or any way to clean it.Hhhmmm...if it is a rootkit, then perhaps wiping/reinstalling may be the way to go, but I'd suggest further investigation and a root cause analysis first. Even if Richard were to find out what the malware is (looks like an IRCbot at this point), without a root cause analysis (and subsequent actions as a result), the system will likely be reinfected all over again.
I'd agree. Further analysis is warranted. But if it was a simple trojan a detection and clean would solve the problem. Since there appears to be some unknown variables still suspect, I'd look at it like a rootkit, if it turns into a simple spam or ddos tool then so be it. If it's a bot, then that is like many, many different malwares...what the bot does is certainly more important. Cheers, James Friesen, CIO Lucretia Enterprises Our World Is Here info at lucretia dot ca http://lucretia.ca ------------------------------------------------------------------------------ This List Sponsored by: Black Hat Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 36 hands-on training courses and 10 conference tracks, networking opportunities with over 2,500 delegates from 40+ nations. http://www.blackhat.com ------------------------------------------------------------------------------
Current thread:
- Malware/trojan attacks Goetz, Richard (Oct 24)
- RE: Malware/trojan attacks lucretias (Oct 26)
- RE: Malware/trojan attacks Harlan Carvey (Oct 26)
- RE: Malware/trojan attacks lucretias (Oct 26)
- RE: Malware/trojan attacks Harlan Carvey (Oct 26)
- <Possible follow-ups>
- Re: Malware/trojan attacks krokofish (Oct 25)
- RE: Malware/trojan attacks lucretias (Oct 26)