Vulnerability Development mailing list archives
Re: Self propogating virii and spam correlation
From: Rafael Anschau <rhanscha () terra com br>
Date: Thu, 07 Mar 2002 21:28:11 -0300
Right. What about the connections the infected machine makes to the SQL server? One person finding out the MySQL IP address would inform all the major security lists about it. Then he would point it to the "authorities" (whatever that means). Then the hacker gets caught. THAT would take balls. Unless, of course, the server has been previously set up on a hacked machine. It reminds me of someone who goes by the nick of csh ;-)

[]'s
Woody

That's a possibility, but since most worms / virii are dissected very quickly, with detailed descriptions of their inner workings outlined for anybody who cares to look, a wary spammer would be hesitant to devise a mechanism for shipping their bounty of addresses back to themselves for fear of discovery.

What do you mean by VERY QUICKLY? I guess we just missed the point here. What Keith guessed is that a virii/worm like this would produce a huge list of valid email addresses within a few minutes (obviously less than an hour). So, the coder can easily hack some machine (ANY MACHINE), like a linux box on a cable modem, for example, set up a server (perhaps even a MySQL server) and tell his worm to dump the addresses over there. He can stay online for the next hour grabbing the data or fetch it all some time later. My guess is that the sysadmin of the hacked box would take more time to find out his system has been compromised, and then it would be too late.

... It looks so easy that I will go deeper: if the coder doesn't want to increase the traffic on the hacked box, he can code his worm to send only a package saying "hi, I'm infected". Then the coder can grab the IP address, connect to the virii (actually it would look more like a backdoor) and say: "send me my money".

Regards,
Felipe

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Felipe Franciosi          paradoxo networking
felipe () paradoxo org    Brazil
http://www.paradoxo.org   Porto Alegre - RS
Fone: (55)(51) 9806 7387  UIN - 33596050
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-- Rafael Anschau - Terra Networks Brasil Operacao Nacional - (51) 3284 4246
Current thread:
- Self propogating virii and spam correlation Keith T. Morgan (Mar 06)
- Re: Self propogating virii and spam correlation Rob Salmond (Mar 06)
- Re: Self propogating virii and spam correlation Felipe Franciosi (Mar 07)
- Re: Self propogating virii and spam correlation Rafael Anschau (Mar 08)
- Re: Self propogating virii and spam correlation Felipe Franciosi (Mar 07)
- Re: Self propogating virii and spam correlation Rob Salmond (Mar 06)