lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed Aug 17 01:23:14 2005
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Re: pnp worm unknown variant - post infection
	actions

Jason Coombs wrote:

> Not that this hasn't already been happening as a result of porn-related 
> spyware and adware, but is this the first porn worm?

I've not seen it, so this is based on Morning Wood's description...

It is not a "porn worm".  It is a worm with a download and execute 
payload of a (probably) fixed ("hard-coded") URL.

The code at that URL _CURRENTLY_ is another piece of malware that 
lowers what are laughingly known as IE's security settings then causes 
IE to visit a web site with active content designed to install some 
adware/spyware/whatever (again, not analysed by me).  That install will 
occur silently (I presume) due to the removal of the security settings 
that would otherwise prevent, or at least alert, the user to the 
action.

_THAT_ software (adware/spyware/whatever) may do whatever, but that is 
incidental to the actions of the worm, as the worm can continue 
completely "as is" regardless of what code is at the URL used in the 
intermediate, download and execute, step.

Oh, and it's far from the first "wormy bot" (or similar) to further 
compromise the victim machine by installing adware, spyware, warez 
server, etc, etc.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ