Full Disclosure mailing list archives
RE: Backdoor not recognized by Kaspersky
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 05 Mar 2004 02:46:24 +1300
"Larry Seltzer" <larry () larryseltzer com> wrote:
> I'm really not clear how this could work on a DHCP client, which the overwhelming majority of compromised systems must be. Please don't just tell me it's magic and works.

Well, cable and DSL clients tend to get the same IPs over and over and even if they don't between restarts, within a "session" (and these tend to be "always on" devices, so a "session" can be days to weeks long) they definitely tend to retain the same IP. Thus, setting yourself up as a server tends to "work" -- spray out a bunch of IMs, or Emails that look as if they are from the victim to everyone in the victim machine's address book "Get this cool screensaver I made with my party photos. It's on my personal web site <IP-based_URL>". Get one more victim before the first victim's ISP kills his account and you have a successfully _maintaining_ spread mechanism...

And, of course, there is always the "high-rotation rate round-robin DNS pointing to a port redirector", which we have already seen used to obfuscate the "real" location of the spammer's web site. Sure, it probably needs an army of several dozen to several hundred compromised machines but we've seen it used successfully several times.

Oh, and even if a victim machine's IP is not very stable because of DHCP oddities, that often need not matter -- in the IM example, the "bot" need only keep checking its IP before sending each message (or batch) and again, the very low "useful" success rate means it need not care if 50% (or probably even 90%) of its potential victims do not actually see or otherwise have a chance to react to one of its messages before its host IP changes...

And, of course, we are talking about machines where all bets are off because the bad guys have already got some code to run, so they can include address notifier code in their bots to "phone home" their changing network addresses if they do suffer from such yet can still viably perform their intended functions (a lot of IRC bot-net agents already do this...).

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
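The "high-rotation rate round-robin DNS pointing to a port redirector" that Nick describes leaves a signature on the resolver side: a name whose answers carry short TTLs and keep introducing addresses that were never seen before, scattered across unrelated networks. The following is an added example of a heuristic that scores a sequence of DNS answers for that pattern; it is not code from the original post or from anyone in the thread. The `DnsObservation` records and the two hostnames' answer sets are constructed sample data, and the thresholds (`ttl_max`, `min_ips`, `min_nets`, `min_churn`) are assumed starting points, not values the post gives.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class DnsObservation:
    """One A-record answer for a name, as captured by a resolver log (constructed)."""
    t: int            # seconds since the first query for this name
    ttl: int          # TTL returned with the A records
    addrs: List[str]  # the A records in this answer, in answer order


@dataclass
class FluxVerdict:
    distinct_ips: int   # addresses ever returned for the name
    distinct_nets: int  # distinct /24 networks those addresses fall in
    min_ttl: int        # shortest TTL seen
    churn: float        # fraction of answers that introduced a never-before-seen address
    suspicious: bool    # all thresholds met


def assess_round_robin(obs: Sequence[DnsObservation], ttl_max: int = 300,
                       min_ips: int = 8, min_nets: int = 4,
                       min_churn: float = 0.5) -> FluxVerdict:
    """Score a name's answer history for high-rotation round-robin behaviour.

    Thresholds are assumptions for illustration: a legitimate CDN also uses
    short TTLs, so TTL alone is never enough; the combination of many
    addresses, many unrelated /24s and answers that keep bringing in new
    addresses is what separates a rotated bot pool from a load balancer.
    """
    if not obs:
        raise ValueError("need at least one observation")
    seen = set()
    nets = set()
    answers_with_new_addr = 0
    min_ttl = min(o.ttl for o in obs)
    for o in obs:
        introduced_new = False
        for a in o.addrs:
            ip = ipaddress.ip_address(a)
            if ip not in seen:
                seen.add(ip)
                introduced_new = True
            # /24 granularity is a rough stand-in for "different network";
            # an ASN lookup would be better but is not available offline.
            nets.add(ipaddress.ip_network(f"{a}/24", strict=False))
        if introduced_new:
            answers_with_new_addr += 1
    churn = answers_with_new_addr / len(obs)
    suspicious = (min_ttl <= ttl_max and len(seen) >= min_ips
                  and len(nets) >= min_nets and churn >= min_churn)
    return FluxVerdict(len(seen), len(nets), min_ttl, churn, suspicious)


# Constructed answer history for a name fronted by a rotated pool of
# compromised hosts: TTL 60, three addresses per answer, most answers new.
FLUX_OBS = [
    DnsObservation(0,   60, ["192.0.2.10", "198.51.100.20", "203.0.113.30"]),
    DnsObservation(120, 60, ["192.0.2.11", "100.64.1.5", "203.0.113.30"]),
    DnsObservation(240, 60, ["100.64.2.7", "198.51.100.21", "192.0.2.10"]),
    DnsObservation(360, 60, ["203.0.113.31", "100.64.1.6", "198.51.100.20"]),
    DnsObservation(480, 60, ["192.0.2.12", "100.64.2.8", "203.0.113.31"]),
    DnsObservation(600, 60, ["192.0.2.11", "198.51.100.20", "100.64.1.5"]),
]

# Constructed answer history for an ordinary round-robin web host: four
# addresses in one /24, rotated in answer order, nothing new after the
# second answer.
STABLE_OBS = [
    DnsObservation(0,    300, ["192.0.2.1", "192.0.2.2", "192.0.2.3"]),
    DnsObservation(300,  300, ["192.0.2.2", "192.0.2.3", "192.0.2.4"]),
    DnsObservation(600,  300, ["192.0.2.3", "192.0.2.4", "192.0.2.1"]),
    DnsObservation(900,  300, ["192.0.2.4", "192.0.2.1", "192.0.2.2"]),
    DnsObservation(1200, 300, ["192.0.2.1", "192.0.2.2", "192.0.2.3"]),
    DnsObservation(1500, 300, ["192.0.2.2", "192.0.2.3", "192.0.2.4"]),
]

if __name__ == "__main__":
    for label, history in (("rotated pool", FLUX_OBS), ("stable host", STABLE_OBS)):
        print(label, assess_round_robin(history))
```

Applied to a resolver log, the function is meant to run per queried name over a sliding window of answers; the churn term matters because a large but fixed address set (a big CDN) stops introducing new addresses after a few answers, whereas a pool that is shedding hosts as ISPs cut them off and gaining freshly compromised ones keeps doing so.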
Current thread:
- RE: Email legislation does not exist, (continued)
- RE: Email legislation does not exist Ron DuFresne (Mar 05)
- Re: Email legislation does not exist Oliver Schneider (Mar 04)
- Re: Backdoor not recognized by Kaspersky Valdis . Kletnieks (Mar 04)
- RE: Backdoor not recognized by Kaspersky Schmehl, Paul L (Mar 03)
- RE: Re[2]: Backdoor not recognized by Kaspersky Glenn_Everhart (Mar 03)
- RE: Backdoor not recognized by Kaspersky Thor Larholm (Mar 03)
- RE: Backdoor not recognized by Kaspersky Larry Seltzer (Mar 03)
- RE: Backdoor not recognized by Kaspersky Nick FitzGerald (Mar 03)
- RE: Backdoor not recognized by Kaspersky Nick FitzGerald (Mar 03)
- RE: Backdoor not recognized by Kaspersky Larry Seltzer (Mar 04)
- RE: Backdoor not recognized by Kaspersky Nick FitzGerald (Mar 04)
- ProFtp bufferoverflow. Frederic Charpentier (Mar 04)
- Re: ProFtp bufferoverflow. Andreas Gietl (Mar 04)
- RE: ProFtp bufferoverflow. Epic (Mar 04)
- Re: ProFtp bufferoverflow. Andreas Gietl (Mar 04)
- RE: Backdoor not recognized by Kaspersky Larry Seltzer (Mar 03)
- RE: Critical WFTPD buffer overflow vulnerability Geo. (Mar 04)
- Re: Backdoor not recognized by Kaspersky Valdis . Kletnieks (Mar 04)