Message-ID: <402AD5ED.20024.27EA47F3@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Re: Re: DoomJuice.A, Mydoom.A source code
"Filipe A." <incognito@...ria.ath.cx> wrote:
> I've done that and after 12 hours I had about 27 files. 8 of them
> were unique both in size and content. ...
^^^^^^^^^^^^^^^^^^^^^^^^
Is that not tautological?
Or were you trying to say that none of these 8 are truncated copies of
longer files in the set?
> ... I've identified the one that drops
> the .tbz with source code ...
Doomjuice.A
> ... but that leaves me with another 7 different
> files. Question is, how many things are out there piggybacking on
> mydoom's backdoor? ...
Assuming none of these seven are truncated copies of Doomjuice, don't
forget there are a few copies of Mydoom.B out there looking for
Mydoom.A backdoors. These can be truncated too... Other things I've
seen being poked through Mydoom's backdoor include a couple of new
downloaders, a short PE (around 5KB) that _may_ be a simple reverse
shell and/or Mydoom process killer (i.e. some kind of "strike back" --
I've not had time to analyse this one yet) and simply the five byte
command that instructs Mydoom's backdoor to "drop to a file and execute
the following data stream" (my guess here is that someone thinks it is
necessary to send this command to establish whether the port is
properly listening, so unnecessarily coded it into a scanner).
> ... And now the source code is public many more
> will emerge in the next few days...
Charming, eh??
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
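The triage question Nick is pushing at (are the "unique" captures really distinct samples, or truncated copies of longer ones?) as an added Python example; it is not code from the thread, and the sample captures are constructed placeholder bytes, not real malware.

```python
import hashlib

# Constructed stand-ins for files collected by a listener on the backdoor port.
# Two "complete" payloads, one exact duplicate, two truncated copies (connection
# dropped mid-transfer) and one short unrelated blob.
FULL_A = b"MZ" + bytes(range(256)) * 4           # 1026 bytes
FULL_B = b"MZ" + b"\x90" * 300 + b"\xcc" * 300   # 602 bytes
CAPTURES = {
    "cap01.bin": FULL_A,
    "cap02.bin": FULL_A,                    # byte-for-byte duplicate of cap01
    "cap03.bin": FULL_A[:700],              # truncated copy of cap01
    "cap04.bin": FULL_B,
    "cap05.bin": FULL_B[:120],              # truncated copy of cap04
    "cap06.bin": b"\x01\x02\x03\x04\x05",   # short blob, prefix of nothing else
}


def triage(captures):
    """Return (complete, truncated, by_hash).

    complete  - names of distinct captures that are not a prefix of a longer one
    truncated - name -> list of longer distinct captures it is a strict prefix of
                (more than one entry means the fragment is too short to attribute)
    by_hash   - sha256 -> names, i.e. the exact-duplicate groups
    """
    # Step 1: exact duplicates collapse by content hash ("unique in size" is
    # already implied by "unique in content", which was the tautology).
    by_hash = {}
    for name, data in captures.items():
        by_hash.setdefault(hashlib.sha256(data).hexdigest(), []).append(name)
    distinct = {names[0]: captures[names[0]] for names in by_hash.values()}

    # Step 2: a distinct capture that is a strict byte-prefix of a longer distinct
    # capture is a truncated copy, not a new thing poking at the backdoor.
    ordered = sorted(distinct.items(), key=lambda kv: len(kv[1]), reverse=True)
    complete, truncated = [], {}
    for name, data in ordered:
        parents = [n for n, d in ordered if len(d) > len(data) and d.startswith(data)]
        if parents:
            truncated[name] = parents
        else:
            complete.append(name)
    return sorted(complete), truncated, by_hash
```

Run on the constructed set it reports three genuinely distinct captures (cap01, cap04, cap06) and attributes cap03 and cap05 to the longer files they were cut from.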