Message-ID: <3F99C54C.8000009@onryou.com>
From: lists at onryou.com (Cael Abal)
Subject: Trojan author revealed (was: Re: ProFTPD-1.2.9rc2 remote root exploit)

> Hrmm. Ok I'm no Sherlock Holmes but even I could see through this
> 'analysis'. This is obviously an elaborate attempt to soil the
> reputations of the fine people, dare I say heroes of information
> security, at GOBBLES security.
> 
> Let's examine the case at hand:
> 
> 1) Someone makes the effort of cutting up an existing public GOBBLES
> shellcode. An act that requires just as much effort as writing
> original opcode.
> 
> 2) This cutup version is used in a 'trojan' even my grandmother
> would be able to spot. (Obscure in-exploit overflows are way more
> effective folks, ask HD "I pioneered screensavers" Moore). 
> 
> 3) Some random hero pops up on the list pointing out that
> 'hey, this is GOBBLES shellcode *WINK*'
> 
> Now who, on God's green earth, would recognise shellcode from
> an obscure exploit that was published months ago, if they
> didn't have it fresh in memory?
> 
> So I think it's rather obvious either zeroboy, or one of his
> friends is responsible for this trojan. And he has some sort of
> rancune towards GOBBLES. Either that or he
> has a serious hardon for memorising hex opcode buffers.

Hi, Mitch -- welcome to the Internet!  Here's a tool you might find
helpful, it's called a 'Search Engine'!  ;)

A quick google for a few bytes worth of shellcode returned a few pages
of jinglebellz.c related discussion.

http://www.jikos.cz/jikos/dev/shcode.asm for example.

C
