| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 7 Jan 2005 00:08:45 -0800 From: Steve Friedl <steve@...xwiz.net> To: bugtraq@...urityfocus.com Subject: Troj/Winser-A malware analysis Hello again, all, Several days ago, Lawrence Baldwin of myNetWatchman.com captured the WINS exploit Trojan that's running around the internet right now, and I've been digging in with some gusto. It's not really a worm, but it does have an "autohack" mode and a botnet capability, so it's something that probably deserves some attention. Sophos has called this "Troj/Winser-A", but I have not seen any other real analysis anywhere (including on the INCIDENTS list), so I'm posting my work here. The analysis, including the binaries themselves, are at: Analysis of the Troj/Winser-A Malware http://www.unixwiz.net/research/winser-a.html I am still pretty early in the process of the big Trojan - a colleague who knows a bit about "the dark side" of IRC doesn't recognize it - and anybody who wants my IDA Pro .idb files for analysis can have them for the asking. I'll update my page as I find more information. Steve -- Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561 www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve@...xwiz.net
Powered by blists - more mailing lists