From: joe at joesmith.homeip.net (joe smith)
Subject: Bobax and Kibuv
Ditto on Valdis's comments, except on the hookers part :)
Another problem with both Kibuv and Bobax is that they both use a random
port to download the binary from an infected host. I find it difficult
to write firewall rules for a process that opens random ports ;)
Kibuv write-up from Symantec:
"Create a hidden remote shell process that will listen on a random TCP
port. (This will allow an attacker to issue remote commands on an
infected computer.). Use the shell on the remote computer to reconnect
to the infected computer's FTP server. Retrieve a copy of the worm and
then execute it."
Bobax write-up from Symantec:
"Sends shell code to the host on TCP port 445, attempting to exploit the
Microsoft Windows LSASS Buffer Overrun Vulnerability (described in
Microsoft Security Bulletin MS04-011
<http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx>) on
Windows XP. If it is successful, the code that is executed on the
remote computer uses HTTP to force a connection back to the infected
computer on a random port. Downloads and executes the worm."
Valdis.Kletnieks@...edu wrote:
>On Mon, 24 May 2004 17:41:34 +0200, Tobias Weisserth <tobias@...sserth.de> said:
>
>>I can't understand why it seems so hard to catch samples of worms that
>>knock at my firewall 24/7.
>>
>>Just open the corresponding ports and forward them to a vulnerable
>>machine on a different subnet (DMZ) and let the worms infect a machine
>>you designated for this purpose.
>
>The only tricky part is catching *only* a Bobax and Kibuv. I can guarantee
>that if you put the shields down low enough to catch something that beats on
>the LSASS, you'll catch something. The question is whether you'll catch a
>Bobax before you have to stop and throw a Sasser or other malware off the
>system....
>
>It's kind of like trying to catch a chlamydia sample by banging hookers without
>a rubber - you'll probably catch it along with other stuff too....
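One way to act on the random-port callback behaviour described in the message above, as an added example that is not from this thread or from Symantec's write-ups: since the download port is unpredictable, a port-based rule is the wrong tool, but the two-step pattern is not. Both write-ups describe an inbound hit on the victim (TCP/445 for the Bobax LSASS vector) followed shortly by an outbound connection from that victim back to the very same peer on an arbitrary port. The script below correlates those two events over a connection log. The log format, the 30-second window, the addresses, the `find_callbacks`/`block_rule` names and the iptables rule text are all constructed assumptions for this example; Kibuv's first-stage port is not given in the message, so only 445 is listed and the set is meant to be extended.

```python
"""Correlate an inbound TCP/445 hit with a follow-up outbound connection from
the targeted host back to the same peer on any port: the Bobax/Kibuv
"exploit, then call back on a random port" pattern.

Example code, not from the mailing-list thread. The log format is a
constructed, simplified per-connection log:

    ts,direction,src,sport,dst,dport

where direction is "in" (from the Internet to a protected host) or "out"
(from a protected host to the Internet), and lines are in time order.
"""
from collections import defaultdict
from dataclasses import dataclass

# Ports on which the first-stage exploit arrives. 445 is the MS04-011 LSASS
# vector named in the Bobax write-up; extend this set for other vectors
# (Kibuv's entry port is not stated in the message, so it is not assumed here).
INBOUND_EXPLOIT_PORTS = {445}

# How long after the inbound hit a callback still counts (assumed value).
CALLBACK_WINDOW = 30.0


@dataclass
class Event:
    ts: float
    direction: str  # "in" or "out"
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, direction, src, sport, dst, dport = line.strip().split(",")
    return Event(float(ts), direction, src, int(sport), dst, int(dport))


def find_callbacks(lines, window: float = CALLBACK_WINDOW):
    """Return (victim, attacker, exploit_ts, callback_ts, callback_port) tuples.

    A hit is any outbound connection from host V to peer A, on *any* port,
    within `window` seconds after an inbound connection from A to V on one of
    INBOUND_EXPLOIT_PORTS. The port is deliberately ignored, which is what
    makes this usable when the worm picks it at random.
    """
    pending = defaultdict(list)  # (victim, attacker) -> [exploit timestamps]
    hits = []
    for e in map(parse_line, lines):
        if e.direction == "in" and e.dport in INBOUND_EXPLOIT_PORTS:
            pending[(e.dst, e.src)].append(e.ts)
        elif e.direction == "out":
            for t in pending.get((e.src, e.dst), []):
                if 0 <= e.ts - t <= window:
                    hits.append((e.src, e.dst, t, e.ts, e.dport))
                    break
    return hits


def block_rule(hit) -> str:
    """Render a pair-specific iptables DROP for a hit (assumed response)."""
    victim, attacker = hit[0], hit[1]
    return f"iptables -I FORWARD -s {victim} -d {attacker} -j DROP"


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    "100.0,in,203.0.113.7,3121,192.0.2.10,445",    # LSASS exploit attempt
    "102.5,out,192.0.2.10,1044,203.0.113.7,2198",  # callback on a random port
    "110.0,in,203.0.113.7,3122,192.0.2.11,445",    # hit with no callback
    "150.0,out,192.0.2.12,1050,198.51.100.5,80",   # ordinary web traffic
    "200.0,in,203.0.113.9,4000,192.0.2.10,445",    # second attacker
    "300.0,out,192.0.2.10,1060,203.0.113.9,21",    # too late: outside window
]

if __name__ == "__main__":
    for hit in find_callbacks(SAMPLE_LOG):
        victim, attacker, t_in, t_out, port = hit
        print(f"{victim} hit on 445 by {attacker} at {t_in}, "
              f"called back on port {port} at {t_out}")
        print("  " + block_rule(hit))
```

Only the first attacker/victim pair is reported: the 192.0.2.11 hit never calls back, and the 203.0.113.9 connection at 300.0 falls outside the window. Tune the window to the actual exploit-to-download latency seen on the wire, and note that blocking the pair after the fact stops the download only if the rule lands before the transfer finishes; the more robust egress policy is to deny all new outbound connections from machines that have no business initiating them, regardless of port.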