Dailydave mailing list archives
Re: Times up!
From: Dennis Rand <rand () csis dk>
Date: Fri, 24 Oct 2008 23:33:24 +0200
Maybe the reason for it not being reliable is that it was used in a targeted attack prior to MS detecting it :)

Just a small idea

Best Regards,
Dennis Rand
PGP ID: 0xD54EB59D
--
Malware/Security Researcher @ Combined Security and Integrated Services [CSIS]
Vestergade 14 | DK-8660 Skanderborg | www.csis.dk
CSIS: +45 88 13 60 30 | Mobile: +45 60 11 55 06
--
5581f85b25f0d80fa84c69e7ca24d983
44f5fbaec45b7707dccf139a8c065961
391d6e762516ee1db3137c4d82eca7fb
c67c348c37ea0d615bb88161cf3b3008
--

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On behalf of Brandon Enright
Sent: 24 October 2008 20:19
To: Dave Aitel
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Times up!

* PGP Signed by an unknown key

On Fri, 24 Oct 2008 12:38:53 -0400 or thereabouts Dave Aitel <dave () immunityinc com> wrote:

> Is that exploit reliable? It doesn't look like it's using the reliable variant (according to our very brief RE efforts here - and by "our", I mean "Kostya's").

In my (also brief) testing, no, it isn't reliable.

> Why would someone find such a cool exploit and then not make it reliable? Does it even work on XP SP2/3?

I haven't been able to get it to go on SP2/3.

Here are a few other observations about the relative lack of sophistication of the worm component:

* It appears to only scan the local segment
* It scans sequentially
* It scans with a 1 second delay between hosts
* Sometimes it scans a live host but for whatever reason does not attempt to exploit
* When it does attempt to exploit a host, it follows up with a bunch of HTTP to the C&C servers

I think the above shows a pattern of decisions by the author to *not* be aggressive. I suspect the author was hoping to compromise just a handful of machines and go unnoticed by the security community. As currently written, this malware doesn't appear able to cause a mass outbreak -- it's simply too slow and too unreliable.

Brandon

* Unknown Key
* 0x0B25F782(L)

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
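The scanning behaviour Brandon describes (local segment only, sequential addresses, roughly one host per second) is slow enough to slip under per-second rate thresholds, but it leaves a distinctive shape in flow or firewall logs. The following detector is an added example, not code from this thread or from anyone on it; it assumes logs already reduced to (timestamp, src_ip, dst_ip, dst_port) tuples, and the sample records, addresses and port number in it are constructed for illustration (the thread does not name the service the worm targets).

```python
"""Heuristic detector for slow, sequential scanning of a host's own
network segment (added example; not code from the Dailydave thread).
Input: flow records as (timestamp, src_ip, dst_ip, dst_port) tuples."""

import ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample: 10.0.5.20 walks 10.0.5.1 .. 10.0.5.8 at about one
# host per second, while 10.0.5.7 makes two unrelated connections.
# Port 445 is a constructed value, not one named in the thread.
SAMPLE_FLOWS = [
    (1224878400.0, "10.0.5.20", "10.0.5.1", 445),
    (1224878401.0, "10.0.5.20", "10.0.5.2", 445),
    (1224878402.1, "10.0.5.20", "10.0.5.3", 445),
    (1224878402.5, "10.0.5.7", "10.0.5.50", 80),
    (1224878403.0, "10.0.5.20", "10.0.5.4", 445),
    (1224878404.0, "10.0.5.20", "10.0.5.5", 445),
    (1224878405.1, "10.0.5.20", "10.0.5.6", 445),
    (1224878406.0, "10.0.5.20", "10.0.5.7", 445),
    (1224878407.0, "10.0.5.20", "10.0.5.8", 445),
    (1224878410.0, "10.0.5.7", "10.0.5.20", 80),
]


def _is_next_hop(prev, cur, local_net, min_gap_s, max_gap_s):
    """True when `cur` continues a slow sequential walk begun at `prev`:
    same segment, next address, and a delay inside the expected window."""
    prev_ts, prev_dst = prev
    cur_ts, cur_dst = cur
    if cur_dst not in local_net:
        return False
    if int(cur_dst) != int(prev_dst) + 1:
        return False
    return min_gap_s <= (cur_ts - prev_ts) <= max_gap_s


def detect_sequential_local_scans(flows, prefix_len=24, min_hosts=5,
                                  min_gap_s=0.5, max_gap_s=3.0):
    """Return one finding per (src, dport) whose longest run of consecutive
    in-segment destinations, each min_gap_s..max_gap_s after the previous
    one, covers at least `min_hosts` hosts. Fast sweeps (gap below
    min_gap_s) are deliberately left to ordinary rate-based detection."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_key[(src, dport)].append((float(ts), ipaddress.ip_address(dst)))

    findings = []
    for (src, dport), events in by_key.items():
        events.sort(key=lambda e: e[0])
        # The scanner's own segment, derived from its source address.
        local_net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        best, run = [events[0]], [events[0]]
        for prev, cur in zip(events, events[1:]):
            if _is_next_hop(prev, cur, local_net, min_gap_s, max_gap_s):
                run.append(cur)
            else:
                run = [cur]
            if len(run) > len(best):
                best = run
        if len(best) >= min_hosts:
            gaps = [b[0] - a[0] for a, b in zip(best, best[1:])]
            findings.append({
                "src": src,
                "dport": dport,
                "segment": str(local_net),
                "first": str(best[0][1]),
                "last": str(best[-1][1]),
                "hosts": len(best),
                "median_gap_s": round(median(gaps), 2),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_sequential_local_scans(SAMPLE_FLOWS):
        print(finding)
```

The thresholds are deliberately loose: a one-second cadence with some jitter, a run of at least five consecutive in-segment addresses on one destination port. On a real network, baseline the finding against known sweepers (monitoring systems, inventory agents) before alerting on it, and tune `prefix_len` to the segment sizes actually in use.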
Current thread:
- Times up! Dave Aitel (Oct 23)
- Re: Times up! Hybridus (Oct 23)
- Re: Times up! Fionnbharr (Oct 23)
- Re: Times up! Mike Johnson (Oct 24)
- Re: Times up! dennis (Oct 24)
- Re: Times up! dennis (Oct 24)
- Re: Times up! Dave Aitel (Oct 24)
- Re: Times up! Brandon Enright (Oct 24)
- Re: Times up! Dennis Rand (Oct 24)
- Re: Times up! Fionnbharr (Oct 23)
- Re: Times up! Hybridus (Oct 23)
- Re: Times up! dan (Oct 24)
- Re: Times up! Erik Fichtner (Oct 24)
- Re: Times up! Salvador III Manaois (Oct 24)