From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Backdoor.Sdbot.N Question

"James Patterson Wicks" <pwicks@...gen.com> wrote:

> Anyone know how Backdoor.Sdbot.N spreads?  ...

Sure.

It doesn't.

"Backdoor", if properly used in naming malware (with commercial AV 
vendors that is long odds, but let's assume...) is a classification of 
a non-replicating and thus non-self-spreading form of malware.  Thus, 
the answer is, it doesn't spread by itself.

Of course, it can be spread by any means of software distribution you 
can imagine _other than_ those that fall under self-replication.

> ...  This morning we had several
> users pop up with this trojan (or a new variant).  ...

What precisely do you mean by this?

You go on to say that whatever it is they have is not detected by your 
virus scanner, so how do you know what these machines have?  (Let alone 
to such a fine degree of variant naming as ".N"??)

> ...  These users generated a
> ton of traffic until their machines were unplugged from the network. 
> Their systems have all the markers for the Backdoor.Sdbot.N trojan
> (registry entries, etc), but was not picked up by the Norton virus scan. 
> In fact, even if you perform a manual scan after the trojan was
> discovered, it is still not detected in the scan.

Perhaps it is a repackaged version of that malware.

Perhaps it is an entirely new malware that just happens to use the 
same settings?  (The fashion of using existing "legitimate" filenames, 
or close approximations thereto, coupled with the rather limited 
imaginations of your typical skiddies means that originality in such 
matters is not common...)

> I would also like to know if this is also an indicator of not having the
> patch for the Blaster worm.

Well, as we really have no idea what you actually have, it would be a 
tad tricky to say anything much useful about that...  You have the 
machines though, so why don't you test them for the installation of the 
patch.

As to the "big picture" of your question -- these machines could have 
almost anything distributed almost any way.  The last few days exploits 
of the "Object Data Tag" vulnerability of MS03-032 have been popular 
for "distributing" all manner of scumware, so maybe they got smacked 
with one of those?  Or maybe with any of dozens of other things.

Have you sent the suspect file(s) from these machines to a couple of 
malware analysis labs?  To save you looking them up, here are the 
suspicious file submission addresses of the better known AV developers:

   Command Software             <virus@...mandcom.com>
   Computer Associates (US)     <virus@...com>
   Computer Associates (Vet/EZ) <ipevirus@....com.au>
   DialogueScience (Dr. Web)    <Antivir@...ls.ru>
   Eset (NOD32)                 <sample@...32.com>
   F-Secure Corp.               <samples@...ecure.com>
   Frisk Software (F-PROT)      <viruslab@...rot.com>
   Grisoft (AVG)                <virus@...soft.cz>
   H+BEDV (AntiVir):            <virus@...ivir.de>
   Kaspersky Labs               <newvirus@...persky.com>
   Network Associates (McAfee)  <virus_research@....com>
   Norman (NVC)                 <analysis@...man.no>
   Sophos Plc.                  <support@...hos.com>
   Symantec (Norton)            <avsubmit@...antec.com>
   Trend Micro (PC-cillin)      <virus_doctor@...ndmicro.com>
     (Trend may only accept files from users of its products)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

