Open Source and information security mailing list archives
From: jkuperus at planet.nl (Jelmer)
Subject: irc.trojan.fgt - new variant.

Yes, but like you said it uses an angelfire page. If you take it down the
virus is stopped.
If it gets too successful, bandwidth limits are exceeded. So it will never
spread widely that way.
If someone were to include a webserver in the worm, there's no single point
of failure.
----- Original Message ----- 
From: "ge" <ge@...uxbox.org>
To: <full-disclosure@...ts.netsys.com>
Sent: Friday, November 07, 2003 10:04 PM
Subject: RE: [Full-Disclosure] irc.trojan.fgt - new variant.


>
> > I guess It's a matter of time before someone hacks in a http server
> and makes it send out links like
> > http://victim ip/britney.jpg
> > Luckily Microsoft patches stuff within 2 days, Ballmer said so so it
> must be true ;)
>
> Since the trojan horse really was "britney.jpg", I hope I am not
> responding to a joke. :)
>
> They already did. Without a hack to it.
>
> It started on the 26th of last month.
>
> britney.jpg came out.
>
> To remind us all, that trojan horse used one of the latest IE
> vulnerabilities to overwrite wmplayer.exe with the trojan horse itself.
> After luring the user to a simple .jpeg, that was actually HTML. So that
> IE thought it got a 404 - file not found HTML response.
>
> Two days passed, and while we saw mimic, which used the same basic way
> to fool a user into clicking on a URL for a picture of a model
> celebrity, did not install any files on the PC, it just spammed itself,
> and DDoS'd Microsoft by multiple port 80 connections.
>
> Every-day since, one to three new trojan horses came out. Always the
> same drill: 1. An angelfire website (mainly),
> http://url/pic-big-name.jpg
>
> (I would like to use this opportunity to commend angelfire again on
> their amazingly fast and serious abuse-mail correspondence and good
> work.)
>
> 2. The trojans always spam the same way, using mIRC's DDE server, with
> "URL << wow !!" as the spam, or something very similar.
> 3. The different files are not clones of one another, although some are
> quite close to being clones, with minor changes to the file name, etc.
> 4. The trojans always install themselves by replacing wmplayer.exe. In
> later variations they copy themselves to a few more locations.
>
> The basic parameters of these trojan horses are the same:
>
> They spam themselves, making sure others would click on that believable
> URL, without any weird ".bat" or ".pif" etc. after the ".jpg" in the
> file name, and then proceed to _seriously_ cripple, although not
> destroy, the user's machine.
>
> The latest "releases" of these trojans are NOT clones.
>
> I believed that the biggest issue with britney.jpg would be copy-cats,
> and that is what scared me.
> I was wrong.
>
> This mal-ware spreads at incredible speed online, infecting and
> destroying an incredible amount of computers (which is reasonable
> considering the amount of us who would click on a URL for a super-model
> picture........). and then when the URL dies, a new trojan (or two...
> even three) are released with the exact same modus operandi.
>
> The trojans have two objectives: one - multiply, and then destroy.
> Somewhat of a kamikaze suicide bomber. Lately the boundaries between
> "viruses" and other types of... "viruses" like trojan horses and worms
> are thinning beyond recognition. In my opinion in any case.
>
> The sites are usually exceeding their allowed bandwidth use of the day
> long before they are closed, which goes to show the enormous amount of
> "clicking" people do.
>
> It is my firm belief that all these trojan horses have a common author,
> and that he himself maintains his trojan's infectious state by just
> releasing more "new" trojan horses to the wild. All just as destructive.
>
> This is the most concentrated assault I have ever seen by a mal-ware
> WRITER, vs. just the mal-ware.
>
> Personally, I don't get it, but that's probably just me.
>
> I hope this information helps somebody out there, hopefully the FBI?
> This attack may be over - although we are not sure yet, but I doubt we
> heard the last of this guy.
>
>       Gadi Evron (i.e. ge),
>       ge@...uxbox.org.
>
> --------
> gevron@...vision.net.il -
> PGP Key: 2048/2048 (Size) 0x2D3D6741 (ID).
> Fingerprint: 0EB3 00BC 974B 3C2B 336D 6486 ECA5 2D0D 2D3D 6741.
>
> The Trojan Horses Research mailing list - http://ecompute.org/th-list
>
> My resume (Hebrew) - http://vapid.reprehensible.net/~ge/resume.rtf
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
