lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <000701c361c9$8f5be170$250a640a@navi>
From: gml at phrick.net (gml)
Subject: smarter dcom worm

Maybe even some polymorphic code and PE injection.

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of SPAM
Sent: Wednesday, August 13, 2003 12:56 AM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] smarter dcom worm

imho netbios and tftp are good enough transport and better then ftp since
there would be much more overhead bandwidth with ftp but should it
propagates through emails too that'd be much better.. as most backbone and
isp gives high priority to emails... and yes i agree the payload should be
more intresting.. such as invecting files and such rather then doing a
DDOS...

just my $0.02

Ed

----- Original Message ----- 
From: "gml" <gml@...ick.net>
To: "'Justin Shin'" <zorkshin@...pabay.rr.com>;
"'Full-Disclosure@...ts.Netsys.Com'" <full-disclosure@...ts.netsys.com>
Sent: Wednesday, August 13, 2003 6:57 AM
Subject: RE: [Full-Disclosure] smarter dcom worm


> I agree with Justin.  You would think that by now someone would write a
> random address generator that would solve the obvious timing problems that
> Most worms seem to suffer from.  I was thinking more along the lines of
> Generating a random IP but on the first 3 octets and going through the
> Entire class C.  Also, why did this worm carry around a dummy tftp server?
> NetBIOS is available as a transport method natively in the target OS.
> Don't get me wrong NetBIOS isn't the most reliable of network file systems
> But it is certainly more lightweight to use this approach than an embedded
> tftp server.  I think it also solves that whole filtering "problem" to an
> extent.  I am also not trying to encourage, this worm was a serious pain
for
> me this week as I imagine it was for a lot of people.
>
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Justin Shin
> Sent: Tuesday, August 12, 2003 6:32 PM
> To: Full-Disclosure@...ts.Netsys.Com
> Subject: [Full-Disclosure] smarter dcom worm
>
> As many people have said, this worm sucks. First of all, look at the host
> discovery mechanism. Random IP's are sooooo outdated. A better idea? Start
> with:
>
> 1. Subnet (192.168.x.x)
> 2. WAN Address [for nat's] (24.31.34.x)
> 3. Incremental WAN (24.31.x.x)
>
> Obviously not a new idea but also not a bad one. I am sure that your
average
> college-level math professor could simplify the host discovery process.
>
> tftp: slow, old, but easy to use. probably straight up ftp would be a
better
> dropping protocol, no?
>
> registry/run is the oldest known startup method. try actually using
MULTIPLE
> startups, like Registry RunServices, RunOnce, RunServicesOnce,
AUTOEXEC.BAT,
> SYSTEM.INI, WIN.INI, WINSTART.BAT, WINITIT.INI, CONFIG.SYS ... etc.
>
> once installed, the program should spawn copies of itself, using startup
> methods, hidden files, fake system exes, etc. it should block out
filenames
> of patches, windowsupdate stuff, fixes, to stop newbies from fixing it.
>
> the worm should also have a more interesting payload -- such as lookin at
> inetpub and htdocs, etc.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ