lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: mbassett at omaha.com (Bassett, Mark)
Subject: Red Bull Worm

What about what mobly posted earlier?

<snip>
FYI: Symantec's analysis
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cir
ebot.html

-Dave

>
> > puts these files in %systemdrive%
> > rpc.exe
> > rpctest.exe
> > tftpd.exe
> > worm.exe
> > lolx.exe
> >
> > also in %windir%\system32
> > lolx.exe
> > dcomx.exe
> >
> > rpc.exe and dcomx.exe appear in the running tasks.
> >
> >
> > I pulled samples of them and submitted to SARC.
> >
> >
> > -Dave
</snip>


-----Original Message-----
From: Brian Eckman [mailto:eckman@....edu] 
Sent: Thursday, August 07, 2003 1:02 PM
To: Joel R. Helgeson; full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Red Bull Worm

My my, are we grumpy today :-)

You said that this "worm" that, as far as anyone can tell, exists solely

as a comment, is "much more effective than Code Red ever was". Pardon me

for pointing out your FUD.

A worm will likely be created. If written even fairly well, it should be

more "effective" than Code Red (whatever your definition of effective 
is). However, what was provided to the list wasn't of much use to 
anyone, so I was pointing out how premature it was to start labelling
it.

I'll resist the temptation of responding to your flames.

Brian

Joel R. Helgeson wrote:
> Ahem;
> 1) This is the list where exploits get posted. If/when a worm is
released,
> this is where you'll hear about it first. Its usually created by
someone who
> monitors the list. If early warnings are too much for you to handle,
unsub
> from the list and wait to hear about this stuff on CNN.
> 2) Code Red infected IIS servers, used those infected servers to
spread
> itself, and setup compromised machines to perform a massive DOS attack
> against the whitehouse.gov server at a predetermined date & time.
Pretty
> simple.
> 3) RPC/DCOM is running on every single Win2k, 2k3, XP & NT4 machine on
this
> side of the sun. No need to look for servers that are running IIS.  If
you
> were to compile the code, you'll see how devastatingly efficient this
code
> is at providing you root access to any box you aim this thing at.
> 4) Once the machine is exploited, the box will establish an outbound
> connection to an FTP server, or IRC server to await further
instructions.
> If you can't look at this fact alone and realize that this is a pretty
big
> f***ing hole, you need to get yerself a new line of work.
> 5) People think that filtering ports on the firewall will prevent the
bug
> from infecting them.  All you need to do is email it into someone and
have
> them double click. That virus would infect every server within the
> enterprise within seconds.  If you think "That'll never happen" then
just
> look at the message.zip virus that spreads. Every village has its
idiot.
> 6) EVEN IF the code hasn't been worm-ified yet, it is only a matter of
time.
> The exploit works, that much has been proven.
> 7) If you don't agree that this issue is MUCH LARGER than Code Red,
well...
> its time for a new job.
> 
> Regards,
> Joel
> ----- Original Message ----- 
> From: "Brian Eckman" <eckman@....edu>
> To: <full-disclosure@...ts.netsys.com>
> Sent: Thursday, August 07, 2003 11:47 AM
> Subject: Re: [Full-Disclosure] Red Bull Worm
> 
> 
> 
>>Joel R. Helgeson wrote:
>>
>>>Lets see, the last big worm to exploit windows was named Code Red
after
>>
> the
> 
>>>Mountain Dew Code Red was brought to market.  Being that this worm is
>>
> much
> 
>>>more effective than Code Red ever was, I say worm should be named Red
>>
> Bull
> 
>>>as it is sure to exhibit much more energy than the Code Red worm.
>>>
>>
>>Pardon me if I am just plain ignorant, but where is this worm, and how
>>on earth is it "more effective than Code Red ever was" already if
nobody
>>is talking about it? The only evidence of a worm I have seen is one
>>person showing comments supposedly from source code of some program
>>calling itself a worm...
>>
>>Brian
>>
>>-- 
>>Brian Eckman
>>Security Analyst
>>OIT Security and Assurance
>>University of Minnesota
>>612-626-7737
>>
>>"There are 10 types of people in this world. Those who
>>understand binary and those who don't."
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.netsys.com/full-disclosure-charter.html
>>
> 
> 
> 


-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who
understand binary and those who don't."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


************************************************************
Omaha World-Herald Company computer systems are for business use only.
This e-mail was scanned by MailSweeper
************************************************************

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ