Penetration Testing mailing list archives

Re: Exploiting a Worm


From: Craig Holmes <leusent () link-net org>
Date: Wed, 14 Sep 2005 19:12:47 -0400

I agree that this is probably an IRCBot worm/virus of some type, though not 
necessarily an Agobot strain.

On Monday 12 September 2005 19:54, Ian Gizak wrote:
> Does anyone know a way to exploit this worm to get access to the system?

My advice would be to try and download the viral binary from the port that 
you think is spitting it out. Set up a sandbox and run the binary on that 
machine.

At that point you pretty much have two options. You could analyze the binary 
and look for weaknesses (buffer overflows) and back doors that could be used 
to access the system through the worm. The second option would be to sniff 
the IRC traffic generated, find the controlling channel, steal the password 
from the handler (whoever is controlling these bots) and use the password to 
control the bot that is installed on the system you wish to penetrate.

I am not sure about the legality of option 1, but option 2 is almost certainly 
illegal. In either case you should try and report this botnet so that it is 
shut down.


Craig
