| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: jstewart at lurhq.com (Joe Stewart) Subject: Analysis of a Spam Trojan On Thu, 25 Sep 2003 12:04:14 -0500, Brian Eckman wrote: > It is unknown how the audio.exe file got onto the computer hard drive > in the first place. It is almost guaranteed to have been via the MS03-032 IE object tag vulnerability. The trojan you found is a variant of the Autoproxy trojan, which has been known to use that infection vector on a large scale. Some AV companies detect it as Coreflood because it shares a lot of the same code, likely because it is by the same author. You are correct in your analysis that it is not a DDoS bot, but instead is a spam tool. Here is an analysis I did on a recent variant that uses a different master server and contacts cnet.com instead of microsoft.com: http://www.lurhq.com/autoproxy.html Here is another Snort signature you can use to detect when an infected user attempts to contact its controlling server: alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Autoproxy Trojan control connection"; content: "|0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 75 74 6f 70 72 6f 78 79 2f|"; classtype:trojan-activity; sid:1000028; rev:1;) It is interesting to note the connection between the DDoS trojan and the spam-proxy trojan here, in light of the recent DDoS attacks on spam blackhole lists. -Joe -- Joe Stewart, GCIH Senior Security Researcher LURHQ Corporation http://www.lurhq.com/
Powered by blists - more mailing lists