From: joe at joesmith.homeip.net (joe smith)
Subject: Bobax and Kibuv

Ditto on Valdis' comments, except on the hookers part :)

Another problem with both Kibuv and Bobax is that they both use a random 
port to download the binary from an infected host.  I find it difficult 
to write firewall rules for a process that opens random ports ;)

Kibuv write-up from Symantec:
"Create a hidden remote shell process that will listen on a random TCP 
port. (This will allow an attacker to issue remote commands on an 
infected computer.).  Use the shell on the remote computer to reconnect 
to the infected computer's FTP server.  Retrieve a copy of the worm and 
then execute it."

Bobax write-up from Symantec:
"Sends shell code to the host on TCP port 445, attempting to exploit the 
Microsoft Windows LSASS Buffer Overrun Vulnerability (described in 
Microsoft Security Bulletin MS04-011 
<http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx>) on 
Windows XP.  If it is successful, the code that is executed on the 
remote computer uses HTTP to force a connection back to the infected 
computer on a random port.  Downloads and executes the worm."


Valdis.Kletnieks@...edu wrote:

>On Mon, 24 May 2004 17:41:34 +0200, Tobias Weisserth <tobias@...sserth.de>  said:
>
>>I can't understand why it seems so hard to catch samples of worms that
>>knock at my firewall 24/7.
>>
>>Just open the corresponding ports and forward them to a vulnerable
>>machine on a different subnet (DMZ) and let the worms infect a machine
>>you designated for this purpose.
>
>The only tricky part is catching *only* a Bobax and Kibuv.  I can guarantee
>that if you put the shields down low enough to catch something that beats on
>the LSASS, you'll catch something.  The question is whether you'll catch a
>Bobax before you have to stop and throw a Sasser or other malware off the
>system....
>
>It's kind of like trying to catch a chlamydia sample by banging hookers without
>a rubber - you'll probably catch it along with other stuff too....
>

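The "random port" problem raised in this thread has a defender-side answer that does not depend on knowing the port: both Symantec write-ups describe the same two-step shape, an inbound connection to TCP/445 from an outside host, followed shortly by the freshly compromised machine opening a new outbound connection back to that same outside host on a port the attacker picked. The example below (added here; it is not part of the original post and not code from Symantec or from either worm) correlates those two events per peer pair in a firewall connection log. The log line format, the 192.168.0.0/16 "internal" prefix, the five-minute window and the sample lines are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample firewall log lines. The format is assumed for this
# example and is not any real product's syntax; only accepted connections
# are shown, one line per new TCP connection.
SAMPLE_LOG = """\
2004-05-24T17:41:34 ALLOW src=203.0.113.7:3129 dst=192.168.1.10:445 proto=TCP
2004-05-24T17:41:35 ALLOW src=192.168.1.10:1042 dst=203.0.113.7:34567 proto=TCP
2004-05-24T17:42:10 ALLOW src=192.168.1.11:1100 dst=192.168.1.20:445 proto=TCP
2004-05-24T17:45:00 ALLOW src=203.0.113.9:4000 dst=192.168.1.12:445 proto=TCP
2004-05-24T17:59:00 ALLOW src=192.168.1.12:1055 dst=203.0.113.9:8080 proto=TCP
2004-05-24T18:00:00 ALLOW src=192.168.1.12:1056 dst=198.51.100.3:80 proto=TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<sip>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dip>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Assumed internal address space for the example.
INTERNAL_PREFIXES = ("192.168.",)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "action": d["action"],
        "sip": d["sip"], "sport": int(d["sport"]),
        "dip": d["dip"], "dport": int(d["dport"]),
        "proto": d["proto"],
    }


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def find_reconnects(lines, window=timedelta(minutes=5)):
    """Flag 'exploit on 445, then victim connects back to the same peer' pairs.

    Returns a list of (victim_ip, peer_ip, peer_port, timestamp) tuples for each
    outbound connection from an internal host to an external peer that had hit
    that host on TCP/445 within `window` beforehand. The peer port is deliberately
    not filtered: the worms choose it at random, so the signal is the reversed
    direction to the same peer, not the port number.
    """
    exploit_attempts = {}  # (victim_ip, peer_ip) -> list of inbound-445 timestamps
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["proto"] != "TCP" or ev["action"] != "ALLOW":
            continue
        inbound_445 = (ev["dport"] == 445 and is_internal(ev["dip"])
                       and not is_internal(ev["sip"]))
        if inbound_445:
            exploit_attempts.setdefault((ev["dip"], ev["sip"]), []).append(ev["ts"])
            continue
        outbound = is_internal(ev["sip"]) and not is_internal(ev["dip"])
        if outbound and ev["dport"] != 445:
            key = (ev["sip"], ev["dip"])
            for t0 in exploit_attempts.get(key, []):
                if timedelta(0) <= ev["ts"] - t0 <= window:
                    alerts.append((ev["sip"], ev["dip"], ev["dport"], ev["ts"]))
                    break
    return alerts


if __name__ == "__main__":
    for victim, peer, port, ts in find_reconnects(SAMPLE_LOG.splitlines()):
        print(f"{ts} {victim} connected back to {peer}:{port} after inbound 445")
```

In the sample, only the first pair fires: 192.168.1.10 connects back to 203.0.113.7 one second after being hit on 445. The internal-to-internal 445 connection is ignored because the source is not external, and the 192.168.1.12 case is outside the window. At the policy level the same observation suggests the complement to this detection: a default-deny egress rule set with stateful "established/related" handling does not need to know the random port at all, because the callback is a new outbound connection that no rule permits.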
