lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <20050107080845.GA21638@linux.unixwiz.net>
Date: Fri, 7 Jan 2005 00:08:45 -0800
From: Steve Friedl <steve@...xwiz.net>
To: bugtraq@...urityfocus.com
Subject: Troj/Winser-A malware analysis


Hello again, all,

Several days ago, Lawrence Baldwin of myNetWatchman.com captured the
WINS exploit Trojan that's running around the internet right now, and
I've been digging in with some gusto. It's not really a worm, but it
does have an "autohack" mode and a botnet capability, so it's something 
that probably deserves some attention.

Sophos has called this "Troj/Winser-A", but I have not seen any other
real analysis anywhere (including on the INCIDENTS list), so I'm posting
my work here. The analysis, including the binaries themselves, are at:

	Analysis of the Troj/Winser-A Malware
	http://www.unixwiz.net/research/winser-a.html

I am still pretty early in the process of the big Trojan - a colleague
who knows a bit about "the dark side" of IRC doesn't recognize it -
and anybody who wants my IDA Pro .idb files for analysis can have them
for the asking.

I'll update my page as I find more information.

Steve

-- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | steve@...xwiz.net

