Full Disclosure mailing list archives
Re: RPC DCOM footprints - Symantec sucks?
From: "morning_wood" <se_cur_ity () hotmail com>
Date: Sun, 10 Aug 2003 00:01:54 -0700
----- Original Message -----
From: "opticfiber" <opticfiber () topsight net>
To: <incidents () securityfocus com>; <full-disclosure () lists netsys com>
Sent: Friday, August 08, 2003 12:15 PM
Subject: [Full-disclosure] Re: Secure.dcom.exe
I finally got a reply back from symantec regarding the file you posted to the list, see below. Note the only change I made to the file was the extension from EXE to TXT as to prevent accidental execution.

as a response to..

I did a search for Optix Pro and turned out a site that develops the software. From what I can tell it's very similar to software based trojans like bo2k, netbus etc... A detailed explanation of the trojan can be found at this url http://www.esecurityplanet.com/alerts/article.php/2197521
this is not "detailed" ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ rather a joke. Are there any real forensics people employed by any AV vendors? lol, looks like Panda works REAL hard too, by looking at http://www.pandasoftware.com/virus_info/encyclopedia/extended.aspx?idvirus=39542&sel=EXTRA ( there's a file with the optix package called "FirewallsAVS.txt" )

A brief review will show:

optix pro server is generally 896k - ( 383k packed )
upx is the preferred method of packing, and running "upx -d suspectfile.exe" should unpack a server for string analysis ( bintext by http://www.foundstone.com/ works great for this )

some unpacked strings:
EES_Encrypt ( a "krew" packer )
CD tray is open!
Blue Screen Complete! ( funny, commands embedded to do this are.. "aux\aux\d.t" and "con\con\d.t" )
Removing Enhanced Technology...Pls Wait...
s7 special ( start method )
as well as full FTP commands

Simply downloading the R.A.T and viewing the binaries, you should be able to compare the strings.

As a further note on "worms" and the RPC-DCOM threat: utilising a program such as the type from the KaHT webdav auto-exploiter would automate this, looks like they already did it : http://www.terra.es/personal7/atar2000/kaht2.txt
IMHO a worm is not needed by this exploit as it's easy to scan, hack ( dcom.exe ), drop ( a real worm ( sdbot ring a bell? )) when using an autohacker that could easily be set up on zombied ( compromised ) systems to compromise, hack, drop with immunity.

useful info: http://www.giac.org/practical/GCIH/Paul_Mudgett_GCIH.pdf

hope this helps,
Donnie Werner
http://e2-labs.com
http://exploitlabs.com

this could have been more detailed but I'm too busy doing XSS ( *wink* )

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
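The unpack-then-compare-strings triage the post describes, as an added example that is not code from the post or from either author: the indicator strings are the ones the post lists from an unpacked Optix Pro server; the UPX section-name check and the two sample byte buffers are constructed assumptions, not real samples.

```python
import re

# Strings the post lists from an unpacked Optix Pro server.
OPTIX_PRO_STRINGS = (
    b"EES_Encrypt",
    b"CD tray is open!",
    b"Blue Screen Complete!",
    b"Removing Enhanced Technology...Pls Wait...",
    b"s7 special",
)

# Section names UPX writes into binaries it packs (assumption used as a hint).
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")

# Printable ASCII runs of 4+ characters, the same idea as a bintext pass.
_STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")


def looks_upx_packed(data: bytes) -> bool:
    """True if UPX markers are present: run `upx -d` before string analysis."""
    return any(marker in data for marker in UPX_MARKERS)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return printable ASCII strings of at least min_len characters."""
    return [m for m in _STRING_RE.findall(data) if len(m) >= min_len]


def match_indicators(strings: list) -> list:
    """Return the known Optix Pro strings found among the extracted strings."""
    return [s for s in OPTIX_PRO_STRINGS if any(s in f for f in strings)]


def triage(data: bytes) -> dict:
    """Summarise one binary: packed hint, string count, matched indicators."""
    strings = extract_strings(data)
    return {
        "upx_packed": looks_upx_packed(data),
        "string_count": len(strings),
        "matches": match_indicators(strings),
    }


# Constructed samples (not malware): a "packed" stub that only exposes UPX
# markers, and an "unpacked" buffer carrying three of the listed strings.
PACKED_SAMPLE = b"MZ\x90\x00" + b"\x00" * 8 + b"UPX0\x00UPX1\x00" + bytes(range(1, 32)) * 4
UNPACKED_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8 + b"EES_Encrypt\x00" + b"\x01\x02\x03"
                   + b"CD tray is open!\x00" + b"\xff" * 6 + b"Blue Screen Complete!\x00USER")

if __name__ == "__main__":
    for name, sample in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(name, triage(sample))
```

A packed sample yields no indicator matches, which is the cue to unpack first; only the unpacked buffer exposes the listed strings.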