Message-ID: <200401260926.16694.jstewart@lurhq.com>
From: jstewart at lurhq.com (Joe Stewart)
Subject: News from Bagle worm

As much as I hate to give this worm any more attention (as it is already 
way overblown as a threat) I feel the need to point out some 
inaccuracies here. Comments inline below.

On Monday 26 January 2004 6:29 am, Papp Geza wrote:
> The worm is launched, it copies itself into the Windows directory and
> attempts to download and launch Mitglieder, a Trojan proxy server, on
> the infected machine. 

This is wrong - Mitglieder is not downloaded. The subroutines which 
contact the remote "1.php" sites have no provisions to save and execute 
any code. They merely report the infected user's IP along with a 
pseudo-random UID.


> This proxy server allows the 'master' to use 
> the infected machine as a platform to send more copies of the
> malicious code. 

This is not an accurate description. Mitglieder acts as a spam proxy and 
also can activate an SMTP relay on port 25 if given the proper command. 
It also listens for additional code to be pushed to it in much the same 
way as Bagle. If the author of the worm chooses to push more Bagle 
emails through the Mitglieder proxies, he/she must do it manually; 
there are no provisions written into Bagle to spread in this manner.


> Currently, all links to Internet sources for 
> downloading Mitglieder are deleted. 

As I mentioned, it's not downloaded. It is uploaded to the infected user 
through port 6777. And just because you get a "404" response from a php 
script on a webserver doesn't mean that the notification engine has 
been shut down.


> Thus, I-Worm.Bagle cannot use 
> this technology to increase propagation speed. 

Because it has no such ability.


> The worm backdoor functionality opens port 6777 ready to 
> accept incoming connections from a remote user, giving unauthorized
> access to an affected machine, however, this does not appear to
> function properly.

It functions perfectly, but it's not a command shell. It gives the 
author the ability to either upload and execute a file, or uninstall 
the worm.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
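A defender's view of the two indicators Joe describes (outbound requests to the "1.php" notification scripts and inbound connections to the port-6777 backdoor), as an added example that is not part of the original thread: a small scanner over constructed firewall/proxy log lines. The log layout, the internal address range and the query string are assumptions, since the thread does not give them; the thread also does not name the query parameters, so the HTTP rule keys on the path alone.

```python
import re
from typing import Dict, List

# Constructed sample lines (not real traffic) in an assumed
# "timestamp src -> dst:port PROTO detail" firewall/proxy log layout.
SAMPLE_LOG = """\
2004-01-26 09:26:01 10.0.0.5 -> 203.0.113.7:80 HTTP GET /1.php?x=placeholder
2004-01-26 09:26:03 10.0.0.5 -> 203.0.113.9:80 HTTP GET /index.html
2004-01-26 09:27:10 198.51.100.4 -> 10.0.0.5:6777 TCP SYN
2004-01-26 09:27:11 10.0.0.6 -> 203.0.113.7:443 TCP SYN
2004-01-26 09:28:00 10.0.0.5 -> 203.0.113.9:25 SMTP MAIL FROM
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<proto>\S+) (?P<detail>.*)$"
)

# Bagle's notification routine reports to remote "1.php" scripts; the
# backdoor listens on TCP 6777. Query-string names are not stated in the
# thread, so the HTTP rule matches on the path only.
NOTIFY_PATH_RE = re.compile(r"^(GET|POST) /1\.php(\?|$)")
BACKDOOR_PORT = 6777
INTERNAL_PREFIX = "10."  # assumption: the monitored LAN range


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per log line that matches a Bagle indicator."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        f = m.groupdict()
        if f["proto"] == "HTTP" and NOTIFY_PATH_RE.match(f["detail"]):
            findings.append({"host": f["src"], "rule": "bagle-notify-1php", "ts": f["ts"]})
        elif int(f["port"]) == BACKDOOR_PORT and f["dst"].startswith(INTERNAL_PREFIX):
            findings.append({"host": f["dst"], "rule": "bagle-backdoor-6777", "ts": f["ts"]})
    return findings


def suspected_hosts(text: str) -> List[str]:
    """Internal hosts that triggered at least one rule, sorted."""
    return sorted({f["host"] for f in scan_log(text)})


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A host that appears under both rules (as 10.0.0.5 does in the sample) has both checked in: it phoned home and then received a backdoor connection, which is worth more attention than either event alone.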

