Full Disclosure mailing list archives
RE: smarter dcom worm
From: "Marc Maiffret" <marc () eeye com>
Date: Tue, 12 Aug 2003 16:51:19 -0700
You are correct in that "this worm sucks" but I think you could more eloquently put it as "this is probably the biggest pile of shit glued together crap ass excuse for a worm" that I've ever seen. >:-] That is NOT to say it is not being effective and damaging though. It is definitely a bad one. I kind of think of this as the "half a worm" since the worm author[s] only wrote half the worm. The first part, straight rip off of xfocus (with offset mods) and second part really lame .exe which makes it easy for AV to detect and stop. A real worm writer wouldn't have used an exploit with static offsets that sometimes work, they would have kept everything in memory to screw over AV (for the most part), and tftping a file? wow hahah

If some security companies would not have rushed out non-technical, substance lacking "analysis", in an effort to be "first" and name the worm then maybe the worm could have got a more fitting name like the "Craphole" or "HalfAssed" worm. As "Blaster" sounds too cool for such a pile o ish.

The random IP comment in the beginning of your eMail... while I agree its spread method is not optimal, you're wrong in your statement that it's always random. It actually does use the "local subnet" 40% of the time... Also tftp/ftp etc... a decent worm would be direct from IP >to> IP, no retarded connect back to grab your payload stuff. That only makes more methods of easily filtering the worm.
Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: full-disclosure-admin () lists netsys com
| [mailto:full-disclosure-admin () lists netsys com]On Behalf Of Justin Shin
| Sent: Tuesday, August 12, 2003 3:32 PM
| To: Full-Disclosure () Lists Netsys Com
| Subject: [Full-disclosure] smarter dcom worm
|
|
| As many people have said, this worm sucks. First of all, look at
| the host discovery mechanism. Random IPs are sooooo outdated. A
| better idea? Start with:
|
| 1. Subnet (192.168.x.x)
| 2. WAN Address [for NATs] (24.31.34.x)
| 3. Incremental WAN (24.31.x.x)
|
| Obviously not a new idea but also not a bad one. I am sure that
| your average college-level math professor could simplify the host
| discovery process.
|
| tftp: slow, old, but easy to use. probably straight up ftp would
| be a better dropping protocol, no?
|
| registry/run is the oldest known startup method. try actually
| using MULTIPLE startups, like Registry RunServices, RunOnce,
| RunServicesOnce, AUTOEXEC.BAT, SYSTEM.INI, WIN.INI, WINSTART.BAT,
| WINITIT.INI, CONFIG.SYS ... etc.
|
| once installed, the program should spawn copies of itself, using
| startup methods, hidden files, fake system exes, etc. it should
| block out filenames of patches, windowsupdate stuff, fixes, to
| stop newbies from fixing it.
|
| the worm should also have a more interesting payload -- such as
| looking at inetpub and htdocs, etc.
|
| note -- I'm not trying to encourage this stuff, I am just pointing
| out some key flaws in this worm. the next one may have all of
| these features and much more, because I am not a very creative guy.
|
| -- Justin
|
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
| _______________________________________________