Bind 8 Exploit - Trojan

[Matt Lewis <matt () NINJAS ORG>]

The Bind 8 Exploit sent to bugtraq users by "nobody () replay com" is a
Trojan, as I'm sure many have found out at this point.

It attacks dns1.nai.com, and I haven't researched it extensively yet,
wanted to get this out. There's quite possibly other things going on as
well, locally.

I straced it and got odd results, the last time I ran it, it didn't
launch the attack. Shellcode analyzation would be required here.

How did this get approved, did anyone test it or review it?

You can see the IP address for dns1.nai.com listed in the shellcode
included with the file. It forks off many copies of itself and violently
attacks NAI's nameserver.

I sent this out hastily, so forgive any mistakes made beyond the
original observation of the attack.

-Matt Lewis