Vulnerability Development mailing list archives
IRFTP possible woes
From: "J. Oquendo" <sil () politrix org>
Date: Thu, 2 Dec 2004 15:04:10 -0500 (EST)
Figured I would send this to the vuln-dev list after rambling on about it on a firewalls list, so apologies to those who see this as a cross-post dupe.

[RECENTLY] I ran across what I believe is an irftp based worm. While cleaning two laptops one day (one connected to a secure VLAN, the other not connected), I noticed the connected machine flash its irftp sensor, and Task Manager showed it was running. A few seconds later the connected machine stopped beeping, the disconnected one started, and it too showed irftp sessions. After checking around the premises for infrared *anything*, I dug up all I could from both machines. The disconnected machine had already been cleaned, and the connected one was infected with all sorts of SDBOT worms, spyware, *crapware*foo*.

Something to think about if you're sitting in the park one day disconnected from any network and someone's infected machine sends you via IRFTP some crap.

    irftp C:\evil_at_script \\victim\C:\WINDOWS\run_me

Where some at script would run something like:

    net user luzer something /ADD /FULLNAME:"Admin Account" /COMMENT:"Admin" /h

I'm almost positive something like this is what happened.
I believe it's possible to have that machine run whatever you would want it to, and since IRFTP has no authentication (that I know of), what is needed to perform such nonsense? A machine name, share name, not that big of a deal.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D
sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How can we account for our present situation unless we believe that men high in this government are concerting to deliver us to disaster?" Joseph McCarthy "America's Retreat from Victory"
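A quick local triage check for the scenario the post describes (irftp running unexpectedly, an infrared device present, a planted local account, and an at-style job that could run a dropped script). This is an added example, not code from the original post or from any of the products mentioned; it assumes a Windows host with PowerShell and the standard Win32_* WMI classes, and the suspect account name "luzer" is a hypothetical placeholder taken from the post's own illustration.

```powershell
# Added triage helper (not from the original post). Assumes Windows + PowerShell
# with WMI available. $SuspectAccounts is a hypothetical placeholder list.
function Get-IrftpTriage {
    param(
        [string[]]$SuspectAccounts = @('luzer')   # hypothetical name from the post
    )

    $result = [ordered]@{}

    # 1. Is the infrared file-transfer helper (irftp.exe) running right now?
    #    Get-Process returns $null when no such process exists.
    $result.IrftpRunning = [bool](Get-Process -Name irftp -ErrorAction SilentlyContinue)

    # 2. Does the machine expose an infrared / IrDA device at all?
    #    If not, an irftp session is even more suspicious.
    $result.InfraredDevices = @(
        Get-WmiObject Win32_PnPEntity |
            Where-Object { $_.Name -match 'infrared|IrDA' } |
            Select-Object -ExpandProperty Name
    )

    # 3. Local accounts whose names match the suspect list, with the
    #    FULLNAME/COMMENT fields that "net user ... /ADD" would have set.
    $result.SuspectLocalAccounts = @(
        Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
            Where-Object { $SuspectAccounts -contains $_.Name } |
            Select-Object Name, FullName, Description
    )

    # 4. Legacy at.exe jobs: the command line of each is what would execute
    #    a dropped script such as the one the post hypothesises.
    $result.ScheduledJobs = @(
        Get-WmiObject Win32_ScheduledJob |
            Select-Object JobId, Command, RunTimes
    )

    [pscustomobject]$result
}

# Usage: run as an administrator so that all accounts and jobs are visible.
Get-IrftpTriage | Format-List
```

Treat a non-empty SuspectLocalAccounts or ScheduledJobs list as a lead to pull the full account and job details, not as proof of compromise; the post itself only states that the author believes this is what happened.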
Current thread:
- IRFTP possible woes J. Oquendo (Dec 02)
- <Possible follow-ups>
- RE: IRFTP possible woes Brewis, Mark (Dec 03)