Message-ID: <3E71BE64C6ECD8449CD5A236F700FA96814546@odcexch.wei.owhc.net>
From: mbassett at omaha.com (Bassett, Mark)
Subject: FW: smarter dcom worm
-----Original Message-----
From: Bassett, Mark
Sent: Wednesday, August 13, 2003 1:56 PM
To: 'gml'
Subject: RE: [Full-Disclosure] smarter dcom worm
Using NetBIOS over the internet would not be a very reliable spreading technique. It would work great for LAN infection. Besides, someone might actually notice a shared folder :P
-----Original Message-----
From: gml [mailto:gml@...ick.net]
Sent: Tuesday, August 12, 2003 6:58 PM
To: 'Justin Shin'; 'Full-Disclosure@...ts.Netsys.Com'
Subject: RE: [Full-Disclosure] smarter dcom worm
I agree with Justin. You would think that by now someone would write a random address generator that would solve the obvious timing problems that most worms seem to suffer from. I was thinking more along the lines of generating a random IP but on the first 3 octets and going through the entire class C. Also, why did this worm carry around a dummy tftp server?

NetBIOS is available as a transport method natively in the target OS. Don't get me wrong, NetBIOS isn't the most reliable of network file systems, but it is certainly more lightweight to use this approach than an embedded tftp server. I think it also solves that whole filtering "problem" to an extent. I am also not trying to encourage this; this worm was a serious pain for me this week, as I imagine it was for a lot of people.
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Justin Shin
Sent: Tuesday, August 12, 2003 6:32 PM
To: Full-Disclosure@...ts.Netsys.Com
Subject: [Full-Disclosure] smarter dcom worm
As many people have said, this worm sucks. First of all, look at the host discovery mechanism. Random IPs are sooooo outdated. A better idea? Start with:
1. Subnet (192.168.x.x)
2. WAN Address [for NATs] (24.31.34.x)
3. Incremental WAN (24.31.x.x)
Obviously not a new idea but also not a bad one. I am sure that your average college-level math professor could simplify the host discovery process.

tftp: slow, old, but easy to use. Probably straight up ftp would be a better dropping protocol, no?

registry/run is the oldest known startup method. Try actually using MULTIPLE startups, like Registry RunServices, RunOnce, RunServicesOnce, AUTOEXEC.BAT, SYSTEM.INI, WIN.INI, WINSTART.BAT, WININIT.INI, CONFIG.SYS ... etc.

Once installed, the program should spawn copies of itself, using startup methods, hidden files, fake system exes, etc. It should block out filenames of patches, windowsupdate stuff, fixes, to stop newbies from fixing it.

The worm should also have a more interesting payload -- such as looking at inetpub and htdocs, etc.

Note -- I'm not trying to encourage this stuff, I am just pointing out some key flaws in this worm. The next one may have all of these features and much more, because I am not a very creative guy.
-- Justin
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
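Editor's note: the list of startup locations in Justin's post is also a checklist for the defender cleaning up after this worm. The script below is an added example, written for this archive page and not code from any of the posters; it enumerates the same autostart locations (the Run-style registry keys, the win.ini/system.ini/wininit.ini hooks, and the boot-time batch/config files) on the host it is run on and marks entries whose command does not point under the Windows or Program Files trees. It assumes an elevated PowerShell on the machine under review; the Win9x-era locations (RunServices, RunServicesOnce, the .ini lines, AUTOEXEC.BAT, CONFIG.SYS, WINSTART.BAT) are simply skipped when absent on NT-family hosts.

```powershell
# Added example: audit the autostart locations named in the thread.
# Editorial code, not from the posters. Run in an elevated PowerShell on
# the host being checked. Registry paths and .ini keys are the standard
# Windows ones; Win9x-only locations are skipped when they do not exist.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',      # Win9x/ME only
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',  # Win9x/ME only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntries {
    # One record per value under each Run-style key. The PS* properties are
    # PowerShell provider metadata, not registry values, so they are skipped.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-IniEntries {
    # Minimal .ini reader: returns the name=value pairs of one [section].
    param([string]$Path, [string]$Section)
    if (-not (Test-Path $Path)) { return }
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq $Section); continue }
        if ($inSection -and $t -match '^([^=;]+)=(.*)$') {
            [pscustomobject]@{ Location = "$Path [$Section]"; Name = $Matches[1].Trim(); Command = $Matches[2].Trim() }
        }
    }
}

# .ini hooks from the thread: win.ini run=/load=, system.ini shell=, and
# wininit.ini [rename] (file moves applied at the next boot on Win9x).
$iniEntries = @(
    Get-IniEntries "$env:windir\win.ini"     'windows' | Where-Object { $_.Name -in 'run', 'load' }
    Get-IniEntries "$env:windir\system.ini"  'boot'    | Where-Object { $_.Name -eq 'shell' }
    Get-IniEntries "$env:windir\wininit.ini" 'rename'
)

# Boot-time batch/config files: report any that exist and are non-empty.
$bootFiles = "$env:SystemDrive\AUTOEXEC.BAT", "$env:SystemDrive\CONFIG.SYS", "$env:windir\WINSTART.BAT"
$bootEntries = foreach ($f in $bootFiles) {
    if ((Test-Path $f) -and (Get-Item $f).Length -gt 0) {
        [pscustomobject]@{ Location = $f; Name = '(file)'; Command = (Get-Content $f -Raw).Trim() }
    }
}

$all = @(Get-RunKeyEntries) + @($iniEntries) + @($bootEntries)

# Entries whose command does not live under the Windows or Program Files
# trees get a second look: a dropped worm binary usually lands elsewhere.
$trusted = @($env:windir, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$all | Select-Object Location, Name, Command,
    @{ Name = 'Suspect'; Expression = {
        $cmd = $_.Command
        -not ($trusted | Where-Object { $cmd -like "*$_*" })
    } } | Format-Table -AutoSize -Wrap
```

The "Suspect" column is only a triage aid: a legitimate vendor tool installed outside Program Files will be flagged too, and a bare executable name (no path) is flagged because it resolves through the search path rather than to a known tree. Compare the output against a clean build of the same image rather than trusting the flag on its own.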