Message-ID: <4E95C7A1E07DF542A694DBE1158547AF0577FA@trinity.win2k.kerrysteele.com>
From: ksteele at securitypenetration.com (Kerry Steele)
Subject: smarter dcom worm

Why don't we go ahead and classify it as an F+.

We'll give Max Butler (or whoever the hell it was) a " + " for overall
effectiveness, but an F for the payload.

Cheers.

-----Original Message-----
From: Marc Maiffret [mailto:marc@...e.com] 
Sent: Tuesday, August 12, 2003 6:51 PM
To: Justin Shin; Full-Disclosure@...ts.Netsys.Com
Subject: RE: [Full-Disclosure] smarter dcom worm


You are correct in that "this worm sucks" but I think you could more
eloquently put it as "this is probably the biggest pile of shit glued
together crap ass excuse for a worm" that I've ever seen. >:-] That is
NOT to say it is not being effective and damaging though. It is
definitely a bad one.

I kind of think of this as the "half a worm" since the worm author[s]
only wrote half the worm. The first part, straight rip off of xfocus
(with offset mods) and second part really lame .exe which makes it easy
for AV to detect and stop. A real worm writer wouldn't have used an
exploit with static offsets that sometimes work, they would have kept
everything in memory to screw over AV (for the most part), and tftping a
file? wow hahah

If some security companies would not have rushed out non-technical,
substance lacking "analysis", in an effort to be "first" and name the
worm then maybe the worm could have got a more fitting name like the
"Craphole" or "HalfAssed" worm. As "Blaster" sounds too cool for such a
pile o ish.

The random IP comment in the beginning of your eMail... while I agree
its spread method is not optimal, you're wrong in your statement that
it's always random. It actually does use the "local subnet" 40% of the
time...

Also tftp/ftp etc... a decent worm would be direct from IP >to> IP, no
retarded connect back to grab your payload stuff. That only makes more
methods of easily filtering the worm.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: full-disclosure-admin@...ts.netsys.com
| [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Justin 
| Shin
| Sent: Tuesday, August 12, 2003 3:32 PM
| To: Full-Disclosure@...ts.Netsys.Com
| Subject: [Full-Disclosure] smarter dcom worm
|
|
| As many people have said, this worm sucks. First of all, look at the 
| host discovery mechanism. Random IPs are sooooo outdated. A better 
| idea? Start with:
|
| 1. Subnet (192.168.x.x)
| 2. WAN Address [for nat's] (24.31.34.x)
| 3. Incremental WAN (24.31.x.x)
|
| Obviously not a new idea but also not a bad one. I am sure that your 
| average college-level math professor could simplify the host discovery 
| process.
|
| tftp: slow, old, but easy to use. probably straight up ftp would be a 
| better dropping protocol, no?
|
| registry/run is the oldest known startup method. try actually using 
| MULTIPLE startups, like Registry RunServices, RunOnce, 
| RunServicesOnce, AUTOEXEC.BAT, SYSTEM.INI, WIN.INI, WINSTART.BAT, 
| WININIT.INI, CONFIG.SYS ... etc.
|
| once installed, the program should spawn copies of itself, using 
| startup methods, hidden files, fake system exes, etc. it should block 
| out filenames of patches, windowsupdate stuff, fixes, to stop newbies 
| from fixing it.
|
| the worm should also have a more interesting payload -- such as lookin 
| at inetpub and htdocs, etc.
|
| note -- I'm not trying to encourage this stuff, I am just pointing out 
| some key flaws in this worm. the next one may have all of these 
| features and much more, because I am not a very creative guy.
|
| -- Justin
|
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
|

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
