From: matthew at textbox.net (Matt)
Subject: is there a new virus?

I don't use any AV software - I'm a Linux user. I was able to get the
bot off another computer that was infected and check the configuration
of the mirc.ini to get the update location (geocities). They have since
moved the update.exe and I didn't think to keep a copy of it... =-/
-- 
Matt <matthew@...tbox.net>
Textbox Networks

On Thu, 2003-06-19 at 04:53, Nick FitzGerald wrote:
> Hi Matt,
> 
> > I have noticed an increase in irc bots using spreader methods, ...
> 
> Yep.  Self-spreading, rather than just having a few simple vuln 
> scanning options that could be started through the bot and results 
> retrieved later, or more recently, by running a full-featured vuln 
> scanner standalone and reporting the results back, has become very 
> popular in the bot market this year...
> 
> > ... I came
> > across one recently that was bombing my IP over and over:
> > 
> > Typical mIRC DDoS bot:
> > dosusal.exe (mIRC executable)
> > fasdal.exe
> > index.html (for web stats)
> > llpxy.exe
> > markmewd.exe (hide startup)
> > ox.ocx (main script file)
> > proxy.exe (starts proxies)
> > proxy.log
> > quale.dll (edited moo.dll)
> > sipal.exe
> > smqdate.exe (hidewindow)
> > sptr.exe
> > sqlme.exe
> > teaw.exe
> > wins.ini (mIRC.ini)
> > wire.exe
> > After checking it out it seems to have syn attacks, starting a proxy
> > server, e-mail spreading, sql spreading, iis spreading, netbios/local
> > network spreading, icq messaging.
> 
> Although I can't say I've seen that specific one, the pattern is 
> certainly very familiar.  I presented a paper at AusCERT 2003 a month 
> or so back on an interesting side effect of this kind of thing -- 
> virus scanner developers are increasingly being sent "legitimate" 
> files that they cannot afford to add detection of because of false 
> positive detection issues.  The copies of mIRC, Serv-U FTPD and so on 
> commonly used in these bot network kits are (usually) perfectly 
> "straight" copies of legitimate versions of those programs.  Further,
> the configuration, script and batch files that install these programs 
> and shape them into bot net agents are highly variable and thus very 
> difficult (if not impossible) to detect generically or heuristically.
> 
> Anyway, was the one you describe above detected by your preferred 
> virus scanner(s)?  If not, please send the developers of the 
> scanner(s) copies of the files so they can add detection.
