Honeypots mailing list archives

Re: botnet logs


From: Valdis.Kletnieks () vt edu
Date: Mon, 17 Nov 2008 12:48:53 -0500

On Mon, 17 Nov 2008 10:15:06 EST, dxp said:

> Many trojans these days can easily bypass default firewall protection in
> XP Sp2.  If any of those include self replication with exploit against
> some vulnerability (ms08-067) then history will be repeated, to a
> certain extent.

Read carefully what I said - the trojan needs to have *already* gotten into the
box to turn off the firewall.  If you get a worm trying to exploit (for
example) ms08-067, and it tries to go scanning across a subnet to find
vulnerable boxes, it's simply not going to find a lot.  Yes, it will find a
*few* older boxes that still don't have a good firewall - but for *most* of
them, the firewall will stop things before the packet gets in far enough to
exploit ms08-067.

(Of course, if you found a really cool exploit against the firewall code itself,
that allowed you to abuse the firewall to run your code before it rejected
your packet, you'd be on to something big... :)

Now, using that botted box as a fast-flux exploit-on-demand server that's
pointed to by a malicious URL planted elsewhere - *THAT* will work just fine.
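A defender's check for the point made above, added here as an example that is not part of the thread: it verifies that the host firewall is still on, that its default inbound action is Block, and that no enabled rule exposes TCP/445 (the SMB port MS08-067 targets) to arbitrary remote addresses. It assumes a modern Windows host with the NetSecurity cmdlets (Windows 8 / Server 2012 or later); XP SP2 had only "netsh firewall show state".

```powershell
# Added example, not code from the original post. Assumes the NetSecurity
# module (Get-NetFirewall* cmdlets); XP SP2 used netsh instead.
# Port 445 (SMB) is the service the MS08-067 exploit reaches over the network.
$SmbPort = 445
$problems = @()

# 1. Every profile must be enabled and must block unsolicited inbound traffic
#    by default; a trojan that is already on the box typically flips one of these.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') {
        $problems += "Profile '$($p.Name)': firewall is disabled"
    }
    if ($p.DefaultInboundAction -ne 'Block') {
        $problems += "Profile '$($p.Name)': default inbound action is $($p.DefaultInboundAction), not Block"
    }
}

# 2. No enabled inbound Allow rule may open TCP/445 (or all ports) to any remote
#    address. Port ranges such as "440-450" are not expanded here; inspect them by hand.
$inboundAllow = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
foreach ($rule in $inboundAllow) {
    $port = $rule | Get-NetFirewallPortFilter
    if ($port.Protocol -ne 'TCP') { continue }
    $ports = @($port.LocalPort)
    if ($ports -contains "$SmbPort" -or $ports -contains 'Any') {
        $addr = $rule | Get-NetFirewallAddressFilter
        if (@($addr.RemoteAddress) -contains 'Any') {
            $problems += "Rule '$($rule.DisplayName)' allows inbound TCP/$SmbPort from any remote address"
        }
    }
}

# 3. Report. A clean result means an inbound scanner would not reach the SMB service.
if ($problems.Count -eq 0) {
    Write-Output "OK: host firewall is on and TCP/$SmbPort is not exposed to unsolicited inbound connections"
} else {
    $problems | ForEach-Object { Write-Output "WARN: $_" }
}
```

Run it in an elevated PowerShell session; rules scoped to the local subnet only (for example file sharing restricted to LocalSubnet) are not flagged, which matches the thread's point that exposure to arbitrary scanners is what matters.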

