Message-ID: <3F32B148.2020001@umn.edu>
From: eckman at umn.edu (Brian Eckman)
Subject: Red Bull Worm
Bassett, Mark wrote:
> What about what mobly posted earlier?
>
> <snip>
> FYI: Symantec's analysis
> http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot.html
>
> -Dave
>
(snippage)
Well, it technically isn't a worm. But don't take my word for it, as I
am no expert. Symantec classifies it as a Trojan Horse, not a worm. On
the KAV Web page (http://www.avp.ch/avpve/worms/win32/autorooter.stm),
they state "Even though this file package does not contain any
auto-replication funnctions (sic), we still consider it much closer to
being a worm-type program rather than merely a backdoor or a hacktool. "
OK, so I'll call it a worm for argument's sake. It restricts itself to
roughly 5% of the possible IP space and only spreads via 445/tcp.
Symantec's site is still saying 0-49 hosts infected in the
first 4 days. I'd hardly say it's more effective than Code Red.
Now, if someone takes it and turns it into an E-mail aware worm, and/or
opens its target IP range to the Internet at large, then it is a
*different* worm (I'm still calling it a worm for argument's sake) and
we're playing a whole different ballgame.
I have IP addresses in the target range of this "worm". I'm seeing lots
of scanning for 445/tcp, but not coming from other addresses in its
target range.
Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737
"There are 10 types of people in this world. Those who
understand binary and those who don't."
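One way to run the check Brian describes (whether the hosts scanning 445/tcp actually fall inside the program's target range), as an added example that is not part of the original post. The netfilter-style log format, the log lines themselves and the two target prefixes are constructed assumptions; the page only says the target range is roughly 5% of the address space, so the prefixes here were picked to add up to about that and are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (netfilter style); not from the original post.
SAMPLE_LOG = """\
Aug 07 10:01:02 fw kernel: IN=eth0 SRC=66.1.2.3 DST=192.0.2.10 PROTO=TCP DPT=445 SYN
Aug 07 10:01:03 fw kernel: IN=eth0 SRC=66.1.2.3 DST=192.0.2.11 PROTO=TCP DPT=445 SYN
Aug 07 10:01:03 fw kernel: IN=eth0 SRC=66.1.2.3 DST=192.0.2.12 PROTO=TCP DPT=445 SYN
Aug 07 10:01:05 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=445 SYN
Aug 07 10:01:05 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.11 PROTO=TCP DPT=445 SYN
Aug 07 10:01:06 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.12 PROTO=TCP DPT=445 SYN
Aug 07 10:01:06 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.13 PROTO=TCP DPT=445 SYN
Aug 07 10:01:08 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=445 SYN
Aug 07 10:01:09 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP DPT=445 SYN
Aug 07 10:01:09 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.12 PROTO=TCP DPT=445 SYN
Aug 07 10:01:10 fw kernel: IN=eth0 SRC=129.5.6.7 DST=192.0.2.10 PROTO=TCP DPT=445 SYN
Aug 07 10:01:12 fw kernel: IN=eth0 SRC=129.5.6.7 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
"""

# Hypothetical target prefixes (a /5 plus a /6 is 3/64 of IPv4, roughly 5%).
# The real target range of the program is not given on the page.
TARGET_RANGES = [
    ipaddress.ip_network("64.0.0.0/5"),
    ipaddress.ip_network("128.0.0.0/6"),
]


def parse_line(line):
    """Return (src, dst, proto, dport) from a netfilter-style line, or None."""
    fields = {}
    for key in ("SRC", "DST", "PROTO", "DPT"):
        m = re.search(rf"\b{key}=(\S+)", line)
        if not m:
            return None
        fields[key] = m.group(1)
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
        dport = int(fields["DPT"])
    except ValueError:
        return None
    return src, dst, fields["PROTO"], dport


def in_target_range(ip, ranges):
    """True if ip falls inside any of the given networks."""
    return any(ip in net for net in ranges)


def target_fraction(ranges):
    """Fraction of the IPv4 space covered by ranges (overlaps collapsed first)."""
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(ranges))
    return covered / 2 ** 32


def scanners_on_port(log_text, port=445, min_targets=3):
    """Map each source that hit at least min_targets distinct hosts on port to those hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if proto.upper() == "TCP" and dport == port:
            targets[src].add(dst)
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}


def classify_scanners(log_text, ranges, port=445, min_targets=3):
    """Split the scanning sources into those inside and outside the target ranges."""
    inside, outside = [], []
    for src in sorted(scanners_on_port(log_text, port, min_targets)):
        (inside if in_target_range(src, ranges) else outside).append(str(src))
    return {"inside": inside, "outside": outside}


if __name__ == "__main__":
    result = classify_scanners(SAMPLE_LOG, TARGET_RANGES)
    print(f"Target ranges cover {target_fraction(TARGET_RANGES):.1%} of IPv4 space")
    print("445/tcp scanners inside the target range :", result["inside"])
    print("445/tcp scanners outside the target range:", result["outside"])
```

A source that touches only one host on 445/tcp (129.5.6.7 in the sample) is left out by the `min_targets` threshold, so a single stray SMB connection is not reported as a scanner; the threshold and the target prefixes are the knobs to adjust for a real netblock.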