lists.openwall.net
Open Source and information security mailing list archives
 
From: se_cur_ity at hotmail.com (morning_wood)
Subject: RPC DCOM footprints - Symantec sucks?

----- Original Message -----
From: "opticfiber" <opticfiber@...sight.net>
To: <incidents@...urityfocus.com>; <full-disclosure@...ts.netsys.com>
Sent: Friday, August 08, 2003 12:15 PM
Subject: [Full-Disclosure] Re: Secure.dcom.exe
> I finally got a reply back from symantec regarding the file you posted to
> the list, see below. Note the only change I made to the file was the
> extension from EXE to TXT as to prevent accidental execution.

as a response to:

> I did a search for Optix Pro and turned out a site that develops the
> software. From what I can tell it's very similar to software based
> trojans like bo2k, netbus etc. A detailed explanation of the trojan can
> be found at this url
> http://www.esecurityplanet.com/alerts/article.php/2197521

this is not "detailed" ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
rather a joke. Are there any real forensics people employed by any AV
vendors?
lol, looks like Panda works REAL hard too, by looking at
http://www.pandasoftware.com/virus_info/encyclopedia/extended.aspx?idvirus=39542&sel=EXTRA
( there's a file with the optix package called "FirewallsAVS.txt" )


a brief review will show:

optix pro server is generally 896k ( 383k packed )

upx is the preferred method of packing, and running
"upx -d suspectfile.exe" should unpack a server for
string analysis ( bintext by http://www.foundstone.com/ works great for
this )

some unpacked strings:

EES_Encrypt
( a "krew" packer )
CD tray is open!
Blue Screen Complete!
( funny, commands embedded to do this are.. "aux\aux\d.t" and
"con\con\d.t" )
Removing Enhanced Technology...Pls Wait...
s7 special
( start method )

as well as full FTP commands

Simply downloading the R.A.T and viewing the binaries, you should be able
to compare the strings.

As a further note on "worms" and the RPC-DCOM threat:
utilising a program such as the type from the KaHT webdav auto-exploiter
would automate this; looks like they already did it:
http://www.terra.es/personal7/atar2000/kaht2.txt

IMHO a worm is not needed by this exploit as it's easy to scan,
hack ( dcom.exe ),
drop ( a real worm ( sdbot ring a bell? ) )
when using an autohacker that could easily be set up on zombied
( compromised ) systems to
compromise, hack, drop with immunity.

useful info:
http://www.giac.org/practical/GCIH/Paul_Mudgett_GCIH.pdf


hope this helps,

Donnie Werner
http://e2-labs.com
http://exploitlabs.com

this could have been more detailed but I'm too busy doing XSS  ( *wink* )
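Added example, not part of Donnie Werner's post and not code from bintext, upx or any other tool he names: a small Python script that does the triage the post describes. It pulls printable ASCII and UTF-16LE strings out of a binary the way "strings" or bintext would, checks them against the strings the post lists for an unpacked Optix Pro server, and flags a file that still looks UPX-packed (the UPX0/UPX1 section-name check is my own heuristic, not something the post states). The byte buffers at the bottom are constructed stand-ins for an unpacked and a packed sample, so the script runs offline; point it at a real file with a path argument.

```python
import re
import sys
from typing import Dict, List

# Strings the post lists as present in an unpacked Optix Pro server.
# Treat them as triage hints to compare against a known sample, not proof.
OPTIX_INDICATORS = [
    "EES_Encrypt",
    "CD tray is open!",
    "Blue Screen Complete!",
    "Removing Enhanced Technology...Pls Wait...",
    "s7 special",
]


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len
    characters, in file order (same idea as the 'strings' tool or bintext)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE: printable ASCII byte followed by a NUL, repeated.
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    found.sort()
    return [s for _, s in found]


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic (my assumption, not from the post): UPX leaves the section
    names UPX0 and UPX1 in the PE header. A packed file yields few useful
    strings until 'upx -d' has been run on it."""
    return b"UPX0" in data and b"UPX1" in data


def match_indicators(strings: List[str], indicators=OPTIX_INDICATORS) -> Dict[str, bool]:
    """Map each indicator to whether it occurs in any extracted string
    (substring match, so a longer string containing it still counts)."""
    return {ind: any(ind in s for s in strings) for ind in indicators}


def triage(data: bytes) -> dict:
    """Summarise a file: packing hint, string count, indicator hits/misses."""
    strings = extract_strings(data)
    hits = match_indicators(strings)
    return {
        "upx_packed": looks_upx_packed(data),
        "string_count": len(strings),
        "indicator_hits": [k for k, v in hits.items() if v],
        "indicator_misses": [k for k, v in hits.items() if not v],
    }


# Constructed sample: junk bytes with some of the post's strings embedded,
# one of them as UTF-16LE, plus FTP-style command strings. Not a real binary.
SAMPLE_UNPACKED = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"EES_Encrypt\x00" + b"\x7f\xff\x01\x02" * 4
    + b"CD tray is open!\x00" + b"\x00\xee\x11"
    + "s7 special".encode("utf-16-le") + b"\x00\x00"
    + b"USER %s\r\nPASS %s\r\n" + b"\xaa" * 8
)

# Constructed sample of what a still-packed file looks like: UPX section
# names visible, payload strings not.
SAMPLE_PACKED = (
    b"MZ" + b"\x00" * 30
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
    + b"\x9f\x13\xa2" * 40
)

if __name__ == "__main__":
    # Usage: python triage.py [suspectfile]   (defaults to the built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_UNPACKED
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

A packed sample reports upx_packed True and almost no strings; that is the cue to run "upx -d" first and re-run the script on the result before drawing any conclusion from string matches.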


