Full Disclosure mailing list archives
Re: is there a new virus?
From: Matt <matthew () textbox net>
Date: 19 Jun 2003 07:12:19 -0400
I don't use any AV software - I'm a Linux user. I was able to get the bot off another computer that was infected and check the configuration of the mirc.ini to get the update location (geocities). They have since moved the update.exe and I didn't think to keep a copy of it... =-/

-- 
Matt <matthew () textbox net>
Textbox Networks

On Thu, 2003-06-19 at 04:53, Nick FitzGerald wrote:
> Hi Matt,
>
> > I have noticed an increase in irc bots using spreader methods, ...
>
> Yep. Self-spreading, rather than just having a few simple vuln scanning options that could be started through the bot and results retrieved later, or more recently, by running a full-featured vuln scanner standalone and reporting the results back, has become very popular in the bot market this year...
>
> > ... I came across one recently that was bombing my IP over and over:
> >
> > Typical mIRC DDoS bot:
> > dosusal.exe (mIRC executable)
> > fasdal.exe
> > index.html (for web stats)
> > llpxy.exe
> > markmewd.exe (hide startup)
> > ox.ocx (main script file)
> > proxy.exe (starts proxies)
> > proxy.log
> > quale.dll (edited moo.dll)
> > sipal.exe
> > smqdate.exe (hidewindow)
> > sptr.exe
> > sqlme.exe
> > teaw.exe
> > wins.ini (mIRC.ini)
> > wire.exe
> >
> > After checking it out it seems to have syn attacks, starting a proxy server, e-mail spreading, sql spreading, iis spreading, netbios/local network spreading, icq messaging.
>
> Although I can't say I've seen that specific one, the pattern is certainly very familiar. I presented a paper at AusCERT 2003 a month or so back on an interesting side effect of this kind of thing -- virus scanner developers are increasingly being sent "legitimate" files that they cannot afford to add detection of because of false positive detection issues. The copies of mIRC, Serv-U FTPD and so on commonly used in these bot network kits are (usually) perfectly "straight" copies of legitimate versions of those programs. Further, the configuration, script and batch files that install these programs and shape them into bot net agents are highly variable and thus very difficult (if not impossible) to detect generically or heuristically.
>
> Anyway, was the one you describe above detected by your preferred virus scanner(s)? If not, please send the developers of the scanner(s) copies of the files so they can add detection.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html