Date: Thu, 25 Sep 2003 16:40:48 -0400
From: Joe Stewart <jstewart@...hq.com>
To: bugtraq@...urityfocus.com
Subject: Re: Ruh-Roh SOBIG.G?


On Thursday 25 September 2003 03:18 am, Dragos Ruiu wrote:
> Now I noted with concern this morning that I started getting more
> wicked screensavers. :-) Analysis indicates that this new nuisance,
> the newly resurrected malware, does not correspond with any of
> the earlier variants. (the files show the same variations in length
> as the older SOBIG.F) I did a little poking at it and it seems to be
> pretty similar to the old one. I can provide this to anyone who needs
> it but you should have a copy of it already. :-(

It's probably from someone with their system date set back before the 
Sobig.f cutoff. You can easily differentiate between Sobig versions by 
reading the PE timestamp field. Below you can find a short Perl script 
I wrote to automate the process of retrieving the PE timestamp from an 
executable. Not every compiler sets this field with the compile date, 
but the one the Sobig author uses does (VC++).

If your pif sample was not compiled on Sun Aug 17 12:54:53 2003 then you 
have a different variant.

-Joe


-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/


#!/usr/bin/perl

# read-pe-timestamp.pl 
# by Joe Stewart <jstewart@...hq.com>
# usage: ./read-pe-timestamp.pl <PE file>
# Reads the COFF TimeDateStamp (seconds since the Unix epoch, UTC) from a
# PE executable. The PE header is located through e_lfanew at offset 0x3c
# of the DOS header rather than by scanning the first 1 KB in 4-byte steps,
# so files with a large DOS stub or an unaligned header are handled too.

use strict;
use warnings;

my $filename = $ARGV[0];
my $now = time;
my $old = 800000000;          # roughly May 1995; anything older is suspect
die "Usage: $0 <PE file>\n" unless defined $filename;
open(my $in, '<', $filename) or die "Couldn't open $filename : $!\n";
binmode($in);                 # needed on Win32, harmless elsewhere

my $buf;
# DOS header: "MZ" signature at 0, e_lfanew (little-endian DWORD) at 0x3c
read($in, $buf, 0x40) == 0x40 && substr($buf, 0, 2) eq "MZ"
    or die "$filename does not start with a DOS (MZ) header.\n";
my $pe_offset = unpack("V", substr($buf, 0x3c, 4));

# PE signature, then the COFF file header:
#   Machine (2), NumberOfSections (2), TimeDateStamp (4), ...
seek($in, $pe_offset, 0)
    and read($in, $buf, 12) == 12
    and substr($buf, 0, 4) eq "PE\x00\x00"
    or die "Could not find PE header in $filename.\n";
my $t = unpack("V", substr($buf, 8, 4));   # little-endian DWORD
close($in);

my $time = localtime($t);     # rendered in the local time zone
print "$filename was compiled on $time\n";
print "(Probably erroneous)\n" if ($t >= $now || $t <= $old);
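The same check in Python, as an added example that is not part of Joe's post: it parses the DOS header, follows e_lfanew to the PE signature, and reads the COFF TimeDateStamp, rendering it in UTC rather than local time. The function names, the plausibility window and the build_minimal_pe() fixture (a constructed, non-loadable header used only so the parser can be exercised offline) are mine, not anything from the original script or from Sobig analysis.

```python
import struct
import time
from datetime import datetime, timezone
from typing import Optional

# Assumed plausibility floor, mirroring the Perl script: stamps before
# roughly May 1995 or after "now" are flagged as probably erroneous.
OLDEST_PLAUSIBLE = 800000000


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image held in memory.

    Layout (PE/COFF specification):
      DOS header: b'MZ' at offset 0, e_lfanew (LE DWORD) at 0x3c
      PE header : b'PE\\0\\0', then COFF file header:
                  Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no DOS (MZ) header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE header at e_lfanew=0x%x" % e_lfanew)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def describe_timestamp(stamp: int, now: Optional[int] = None) -> dict:
    """Render the stamp in UTC and flag values outside the plausible window."""
    now = int(time.time()) if now is None else now
    return {
        "epoch": stamp,
        "utc": datetime.fromtimestamp(stamp, tz=timezone.utc)
        .strftime("%Y-%m-%d %H:%M:%S UTC"),
        "suspicious": stamp >= now or stamp <= OLDEST_PLAUSIBLE,
    }


def build_minimal_pe(stamp: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed fixture: a DOS header pointing at a bare PE/COFF header.

    Not a loadable executable, just enough bytes for pe_timestamp() above.
    """
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine 0x14c (i386), 3 sections, then the timestamp under test
    coff = struct.pack("<4sHHI", b"PE\x00\x00", 0x14C, 3, stamp)
    return bytes(dos) + coff + b"\x00" * 8


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], describe_timestamp(pe_timestamp(f.read())))
    else:
        # constructed sample: 1000000000 is 2001-09-09 01:46:40 UTC
        print(describe_timestamp(pe_timestamp(build_minimal_pe(1000000000))))
```

Two caveats when comparing against a date quoted by someone else: the field is defined as seconds since 1 January 1970 UTC, and the Perl script above prints it through localtime(), so "Sun Aug 17 12:54:53 2003" is in the poster's own time zone (the mail header shows -0400). The field is also trivially forgeable and is not always a date: it can be zeroed by some tools, and linkers configured for reproducible builds (for example MSVC with /Brepro) store a hash there instead, so treat a match as corroborating evidence rather than proof of variant identity.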



