Full Disclosure mailing list archives

RE: DCOM/RPC story (Analogy)


From: "Steven Fruchter" <steven_fruchter () hotmail com>
Date: Sun, 31 Aug 2003 15:54:08 -0700

Well, harmless?  He added in a backdoor called Lithium, so that he could
remotely connect to each exploited machine, and had them contact his
website so he could keep track of who was infected and control them
(DDoS).  So yes, he did leave in the attack against the MS update site, but he
also added in his own little tricks, which is what got him caught.

-Steven Fruchter

-----Original Message-----
From: ww () styx org [mailto:ww () styx org] 
Sent: Sunday, August 31, 2003 3:31 PM
To: Steven Fruchter
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] DCOM/RPC story (Analogy)


On Sun, Aug 31, 2003 at 12:19:35PM -0700, Steven Fruchter wrote:
> That is completely moronic to act as if he did not do anything but
> just hex edit the code and change the name, for example, on the .exe.
> He also, like a moron, had the infected drones contact his website
> (which he is registered to) so that he can see who has been infected
> and control them. This means that he wanted more than just to
> change the name of an .exe, for example; it shows his intent.

I was not aware of this. Yes, it changes the scenario somewhat: it
mitigates the amount of "damage" that could be caused by the worm if
he had just changed some text strings.

Consider: all drones controlled by a single entity or drones 
controlled by multiple uncoordinated entities. Which has the greatest
potential for, say, a coordinated DDOS attack?

Of course, disrupting the worm's control mechanism probably wasn't his
intent. So maybe he's a bit misguided, but mostly harmless.

Regardless of what he did or didn't do, he will
probably get the blame for the entire thing.

Trial by media anyone?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html