Vulnerability Development mailing list archives

IRFTP possible woes


From: "J. Oquendo" <sil () politrix org>
Date: Thu, 2 Dec 2004 15:04:10 -0500 (EST)


Figured I would send this to the vuln-dev list after rambling on about it
on a firewalls list, so apologies to those who see this as a cross-post
dupe.

[RECENTLY] I ran across what I believe is an irftp based worm. While
cleaning two laptops one day (one connected to a secure VLAN the other not
connected), I noticed the connected machine flash its irftp sensor and
task manager showed it was running. Few seconds later the connected
machine stopped beeping, the disconnected one started, and it too showed
irftp sessions. After checking around the premises for infrared
*anything*, I dug up all I could from both machines. The disconnected
machine had already been cleaned, and the connected one was infected with
all sorts of SDBOT worms, Spyware, *crapware*foo*.

Something to think about if you're sitting in the park one day disconnected
from any network and someone's infected machine sends you via IRFTP some
crap.

irftp C:\evil_at_script \\victim\C:\WINDOWS\run_me

Where some at script would run something like:

net user luzer something /ADD /FULLNAME:"Admin Account" /COMMENT:"Admin" /h

I'm almost positive something like this is what happened. I believe it's
possible to have that machine run whatever you would want it to, and since
IRFTP has no authentication (that I know of), what is needed to perform
such nonsense? A machine name, share name, not that big of a deal.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99

CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How can we account for our present situation unless we
believe that men high in this government are concerting
to deliver us to disaster?" Joseph McCarthy "America's
Retreat from Victory"

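The chain the post hypothesises (a file dropped by irftp, run by an at job, adding a local account) is what a responder would go looking for on the laptop. Below is an added example, not part of the original post: a Python script that parses constructed samples of "net localgroup administrators" and "at" output (the column layout assumed here is Windows XP's English one; other locales and versions print differently) and flags administrators outside an allowlist and scheduled jobs whose command line lives outside an allowed directory. The allowlists, the sample accounts and the sample jobs are all assumptions for illustration.

```python
import re

# Constructed sample in the shape of XP's "net localgroup administrators" output.
# Assumption: English locale; the real text differs by version and language.
NET_LOCALGROUP_OUTPUT = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
luzer
The command completed successfully.
"""

# Constructed sample in the shape of XP's "at" job listing (same assumption).
AT_OUTPUT = """\
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Today                   3:00 PM       C:\\WINDOWS\\run_me
        2   Each M T W Th F         2:00 AM       C:\\WINDOWS\\system32\\backup.cmd
"""

# Assumed baselines: accounts that should be local admins, and the only
# directory from which scheduled jobs are expected to run binaries.
EXPECTED_ADMINS = {"administrator"}
ALLOWED_JOB_DIRS = ("c:\\windows\\system32\\",)

# One "at" row: optional "Error" status, job id, schedule text, time, command.
# Columns are separated by runs of two or more spaces.
AT_ROW = re.compile(
    r"^\s*(?:Error\s+)?(\d+)\s+(.+?)\s{2,}(\d{1,2}:\d{2} [AP]M)\s+(.*\S)\s*$"
)


def parse_local_admins(text):
    """Return the member names listed after the dashed rule in net localgroup output."""
    lines = text.splitlines()
    rule = next((i for i, l in enumerate(lines) if l.startswith("----")), None)
    if rule is None:
        return []
    members = []
    for line in lines[rule + 1:]:
        line = line.strip()
        if not line or line.startswith("The command completed"):
            continue
        members.append(line)
    return members


def unexpected_admins(text, expected=EXPECTED_ADMINS):
    """Admins not on the allowlist (case-insensitive, as Windows account names are)."""
    return [m for m in parse_local_admins(text) if m.lower() not in expected]


def parse_at_jobs(text):
    """Return each scheduled job as a dict; header and rule lines do not match."""
    jobs = []
    for line in text.splitlines():
        m = AT_ROW.match(line)
        if m:
            jobs.append({
                "id": int(m.group(1)),
                "schedule": m.group(2).strip(),
                "time": m.group(3),
                "command": m.group(4),
            })
    return jobs


def suspicious_at_jobs(text, allowed_dirs=ALLOWED_JOB_DIRS):
    """Jobs whose command line does not start with one of the allowed directories."""
    return [j for j in parse_at_jobs(text)
            if not j["command"].lower().startswith(allowed_dirs)]


if __name__ == "__main__":
    # On a real box you would feed in the live output of the two commands.
    for name in unexpected_admins(NET_LOCALGROUP_OUTPUT):
        print("unexpected local administrator:", name)
    for job in suspicious_at_jobs(AT_OUTPUT):
        print("at job %d (%s %s) runs outside allowed dirs: %s"
              % (job["id"], job["schedule"], job["time"], job["command"]))
```

Run on the constructed samples it reports the "luzer" account and job 1, the C:\WINDOWS\run_me job; job 2 is ignored because it runs from system32. The allowlist approach is deliberately simple: on a machine whose baseline you do not know, diff the live output against a clean build instead.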
