Re: Times up!

[Brandon Enright <bmenrigh () ucsd edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 24 Oct 2008 12:38:53 -0400 or thereabouts Dave Aitel
<dave () immunityinc com> wrote:

> Is that exploit reliable? It doesn't look like it's using the reliable
> variant (according to our very brief RE efforts here - and by "our", I
> mean "Kostya's").

In my (also brief) testing, no, it isn't reliable.

> Why would someone find such a cool exploit and then not make it
> reliable? Does it even work on XP SP2/3?

I haven't been able to get it to go on SP2/3.

Here are a few other observations about the relative lack of
sophistication of the worm component:

* It appears to only scan the local segment
* It scans sequentially
* It scans with a 1 second delay between hosts
* Sometimes it scans a live host but for whatever reason does not
  attempt to exploit
* When it does attempt to exploit a host, it follows up with a bunch of
  HTTP to the C&C servers

I think the above shows a pattern of decisions by the author to *not* be
aggressive.  I suspect the author was hoping to compromise just a
handful of machines and go unnoticed by the security community.  As
currently written, this malware doesn't appear able to cause a mass
outbreak -- it's simply too slow and too unreliable.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkkCEX8ACgkQqaGPzAsl94LIHQCgxm9v0poMN2Bw2GpEwcqkAFNZ
7NcAoJ97pMkWJnkBi0PaxMUeR3bcR7bc
=YMuY
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave