[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Law11-OE269Ha1r1ptF0001aa5f@hotmail.com>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: RPC DCOM footprints - Symantec sucks?
----- Original Message -----
From: "opticfiber" <opticfiber@...sight.net>
To: <incidents@...urityfocus.com>; <full-disclosure@...ts.netsys.com>
Sent: Friday, August 08, 2003 12:15 PM
Subject: [Full-Disclosure] Re: Secure.dcom.exe
>I finally got a reply back from symantec regarding the file you posted to
the list,
>see below. Not the only change I made to the file was the extension from
EXE to TXT
> as to prevent accidental execution.
as a response to..
> I did a search for Optix Pro and turned out a site that develops the
> software. From what I can tell it's very similar to software based
> trojans like bo2k, netbus ect...A detailed explanation of the trojan can
> be found at this url
> http://www.esecurityplanet.com/alerts/article.php/2197521
this is not "detailed" ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
rather a joke, are there any real forensics people employed by any AV
vendors?
lol, looks like pada works REAL hard to by looking at
http://www.pandasoftware.com/virus_info/encyclopedia/extended.aspx?idvirus=39542&sel=EXTRA
( theres a file with optix package called "FirewallsAVS.txt" )
a brief review will show:
optix pro server is generaly 896k - ( 383k packed )
upx is the prefered method of packing and running
"upx -d suspectfile.exe" should unpack a server for
string analysis ( bintext by http://www.foundstone.com/ works great for
this )
some unpacked strings:
EES_Encrypt
( a "krew" packer )
CD tray is open!
Blue Screen Complete!
( funny, commands embeded to do this are.. "aux\aux\d.t" and
"con\con\d.t" )
Removing Enhanced Technology...Pls Wait...
s7 special
( start method )
as well as full FTP commands
Simply downloading the R.A.T and viewing the binaries, you should be able
to compare
the strings.
As a further note on "worms" and the RPC-DCOM threat:
utilising a program such as the type from the KaHT webdav auto-exploiter
would automate this,
looks like they already did it :
http://www.terra.es/personal7/atar2000/kaht2.txt
IMHO a worm is not needed by this exploit as its easy to scan,
hack ( dcom.exe ),
drop ( a real worm ( sdbot ring a bell? ))
when using a autohacker that could easily be set up on zombied (
compromized ) systems to
compromize, hack, drop with imunity.
usefull info:
http://www.giac.org/practical/GCIH/Paul_Mudgett_GCIH.pdf
hope this helps,
Donnie Werner
http://e2-labs.com
http://exploitlabs.com
this could have been more detailed but im too busy doing XSS ( *wink* )
Powered by blists - more mailing lists