From: nick at (Nick FitzGerald)
Subject: Re: Re: DoomJuice.A, Mydoom.A source code

"Filipe A." <> wrote:

>  I've done that and after 12 hours I had about 27 files. 8 of them
> were unique both in size and content.  ...

Is that not tautological?

Or were you trying to say that none of these 8 are truncated copies of 
longer files in the set?

> ...  I've identified the one that drops
> the .tbz with source code ...


> ... but that leaves me with another 7 different
> files. Question is, how many things are out there piggybacking on
> mydoom's backdoor?  ...

Assuming none of these seven are truncated copies of Doomjuice, don't 
forget there are a few copies of Mydoom.B out there looking for 
Mydoom.A backdoors.  These can be truncated too...  Other things I've 
seen being poked through Mydoom's backdoor include a couple of new 
downloaders, a short PE (around 5KB) that _may_ be a simple reverse 
shell and/or Mydoom process killer (i.e. some kind of "strike back" -- 
I've not had time to analyse this one yet) and simply the five byte 
command that instructs Mydoom's backdoor to "drop to a file and execute 
the following data stream"  (my guess here is that someone thinks it is 
necessary to send this command to establish whether the port is 
properly listening, so unnecessarily coded it into a scanner).

> ...  And now the source code is public many more
> will emerge in the next few days...

Charming, eh??

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
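The triage question raised above (are the captures really distinct, or are some of them truncated copies of longer transfers?) is easy to answer mechanically. The script below is an added example, not code from this thread or from any of the posters; it uses constructed placeholder byte strings rather than real malware and assumes nothing about the actual file contents. It groups captured files by SHA-256, then flags any capture that is a strict prefix of a longer one, so only byte-distinct, non-truncated samples are counted as separate things coming through the port.

```python
import hashlib

# Constructed stand-ins for files collected from a listener (not real
# malware bytes): a full capture, an exact duplicate, a truncated copy,
# a different payload, and a short unrelated blob.
SAMPLES = {
    "cap01.bin": b"MZ\x90\x00" + b"A" * 40,
    "cap02.bin": b"MZ\x90\x00" + b"A" * 40,   # byte-identical to cap01
    "cap03.bin": b"MZ\x90\x00" + b"A" * 20,   # incomplete transfer of cap01
    "cap04.bin": b"MZ\x90\x00" + b"B" * 30,   # distinct payload
    "cap05.bin": b"\x01\x02\x03\x04\x05",     # short blob, distinct
}


def dedupe_by_hash(samples):
    """Group byte-identical captures. Returns {sha256_hex: [names]}."""
    groups = {}
    for name, data in samples.items():
        digest = hashlib.sha256(data).hexdigest()
        groups.setdefault(digest, []).append(name)
    return groups


def find_truncated(samples):
    """Return {short_name: long_name} for every capture that is a strict
    prefix of a longer capture. Such files are cut-off copies of the same
    transfer, not evidence of an additional piece of malware."""
    truncated = {}
    # Shortest first, so each file is only compared against longer ones.
    items = sorted(samples.items(), key=lambda kv: len(kv[1]))
    for i, (short_name, short_data) in enumerate(items):
        for long_name, long_data in items[i + 1:]:
            if len(long_data) > len(short_data) and long_data.startswith(short_data):
                truncated[short_name] = long_name
                break
    return truncated


def distinct_samples(samples):
    """Names of captures that are neither duplicates nor truncated prefixes,
    i.e. the count an analyst should actually report as 'different files'."""
    groups = dedupe_by_hash(samples)
    representatives = {names[0] for names in groups.values()}  # one per hash
    trunc = find_truncated({n: samples[n] for n in representatives})
    return sorted(representatives - set(trunc))


if __name__ == "__main__":
    for digest, names in dedupe_by_hash(SAMPLES).items():
        print(f"{digest[:16]}...  {', '.join(names)}")
    for short, long in find_truncated(SAMPLES).items():
        print(f"{short} is a truncated copy of {long}")
    print("distinct, non-truncated samples:", distinct_samples(SAMPLES))
```

Run against a directory of real captures by replacing SAMPLES with the files' bytes; the prefix check is what separates "seven different files" from "seven captures, some of them partial".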
