Open Source and information security mailing list archives
Date: Mon, 26 Jan 2004 09:26:16 -0500
From: Joe Stewart <jstewart@...hq.com>
To: Papp Geza <pappgeza@...na.net>, Gadi Evron <ge@...tistical.reprehensible.net>
Cc: Sylvain Robitaille <syl@...or.concordia.ca>, bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: News from Bagle worm

As much as I hate to give this worm any more attention (as it is already way
overblown as a threat) I feel the need to point out some inaccuracies here.
Comments inline below.

On Monday 26 January 2004 6:29 am, Papp Geza wrote:
> The worm is launched, it copies itself into the Windows directory and
> attempts to download and launch Mitglieder, a Trojan proxy server, on
> the infected machine.

This is wrong - Mitglieder is not downloaded. The subroutines which contact
the remote "1.php" sites have no provisions to save and execute any code.
They merely report the infected user's IP along with a pseudo-random UID.

> This proxy server allows the 'master' to use
> the infected machine as a platform to send more copies of the
> malicious code.

This is not an accurate description. Mitglieder acts as a spam proxy and
also can activate an SMTP relay on port 25 if given the proper command. It
also listens for additional code to be pushed to it in much the same way as
Bagle. If the author of the worm chooses to push more Bagle emails through
the Mitglieder proxies, he/she must do it manually; there are no provisions
written into Bagle to spread in this manner.

> Currently, all links to Internet sources for
> downloading Mitglieder are deleted.

As I mentioned, it's not downloaded. It is uploaded to the infected user
through port 6777. And just because you get a "404" response from a php
script on a webserver doesn't mean that the notification engine has been
shut down.

> Thus, I-Worm.Bagle cannot use
> this technology to increase propagation speed.

Because it has no such ability.

> The worm backdoor functionality opens port 6777 ready to
> accept incoming connections from a remote user, giving unauthorized
> access to an affected machine, however, this does not appear to
> function properly.

It functions perfectly, but it's not a command shell. It gives the author
the ability to either upload and execute a file, or uninstall the worm.

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
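The two host-side traits the post describes (HTTP check-ins to a remote "1.php" that carry the infected host's IP and a pseudo-random UID, and a listener on TCP port 6777 waiting for an upload-and-execute or uninstall command) are what a network or host monitor would look for. The following detector is an added example, not code from the post, from LURHQ or from the worm: the proxy log format, the query-parameter names (`p`, `id`) and the netstat-style listener lines are all constructed for the example. It deliberately ignores the HTTP status code, because, as the post points out, a 404 from the notification script does not mean the infected host has stopped beaconing.

```python
"""Detection example (constructed, not from the original post): flag the two
Bagle traits described by Joe Stewart in constructed proxy and socket logs."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import parse_qs, urlsplit

# Port the post names as the worm's backdoor listener.
BACKDOOR_PORT = 6777

# Constructed proxy log: "<client_ip> <status> <method> <url>" (assumed format).
SAMPLE_PROXY_LOG = [
    "10.0.0.12 200 GET http://www.example.org/index.html",
    "10.0.0.12 404 GET http://203.0.113.5/1.php?p=10.0.0.12&id=49213",
    "10.0.0.33 200 GET http://www.example.org/images/logo.gif",
    "10.0.0.33 200 GET http://198.51.100.77/cgi/1.php?p=10.0.0.33&id=88190",
]

# Constructed netstat-style listener table: "<proto> <local_addr:port> <state>".
SAMPLE_LISTENERS = [
    "tcp 0.0.0.0:135 LISTENING",
    "tcp 0.0.0.0:6777 LISTENING",
    "tcp 0.0.0.0:445 LISTENING",
]

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<status>\d{3}) (?P<method>[A-Z]+) (?P<url>\S+)$")


@dataclass
class Alert:
    host: str      # client IP (proxy log) or local bind address (listener table)
    reason: str    # short rule name
    detail: str    # evidence for the analyst


def beacon_alerts(log_lines: List[str]) -> List[Alert]:
    """Flag any request whose URL path ends in /1.php.

    The status code is recorded but never used as a filter: the notification
    script answering 404 says nothing about whether the host is still infected.
    """
    alerts = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        url = urlsplit(m.group("url"))
        if not url.path.endswith("/1.php"):
            continue
        params = sorted(parse_qs(url.query))  # parameter names only, for the report
        alerts.append(Alert(
            host=m.group("client"),
            reason="bagle-notification",
            detail=f"{url.netloc}{url.path} status={m.group('status')} params={params}",
        ))
    return alerts


def listener_alerts(netstat_lines: List[str]) -> List[Alert]:
    """Flag a TCP socket listening on the backdoor port."""
    alerts = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "tcp" or parts[2] != "LISTENING":
            continue
        addr, _, port = parts[1].rpartition(":")
        if port.isdigit() and int(port) == BACKDOOR_PORT:
            alerts.append(Alert(host=addr, reason="bagle-backdoor-listener",
                                detail=f"tcp/{port} open for inbound commands"))
    return alerts


def scan(log_lines: List[str], netstat_lines: List[str]) -> List[Alert]:
    """Run both rules and return all alerts, beacons first."""
    return beacon_alerts(log_lines) + listener_alerts(netstat_lines)


if __name__ == "__main__":
    for alert in scan(SAMPLE_PROXY_LOG, SAMPLE_LISTENERS):
        print(f"{alert.reason:26} {alert.host:12} {alert.detail}")
```

On the constructed sample the scan yields three alerts: both 1.php check-ins (including the one that received a 404) and the 6777 listener. In a real deployment the path match would be tightened with the specific hosts seen in the beacon traffic, and the listener rule would be fed from the host's actual socket table rather than a static list.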