Message-ID: <5E1F351F4AE1D611A7FE00B0D0AB064A02353291@is6b>
From: PerrymonJ at bek.com (Perrymon, Josh L.)
Subject: anyone seen this worm/trojan  before?

I was guessing about LSASS because that was the only patch not on the box
that was infected.
The user also had a pass with a couple #'s in it so I didn't think it would
be found in a password list.

After watching it for a while I *never* saw it try to propagate to another
machine. That's what was weird.
So how would he get it the first time?
It had to infect him some way...  But there were no other traces of it on
the network...

If I have some time I'll post the FPort data and some clean packet captures.

JP



-----Original Message-----
From: insecure [mailto:insecure@...ritech.net]
Sent: Thursday, June 03, 2004 2:27 PM
To: Perrymon, Josh L.
Cc: full-disclosure@...sys.com
Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before?


Perrymon, Josh L. wrote:

>I found this worm/ trojan on a laptop. Ran FPort and found the .exe.
>Doesn't look like it propagates to other machines but rather communicates
>with a compromised
>web company's server using IRC. The compromised server has removed the IRC
>service. Only sends RST packets back.
>
>I put it on my site.
>
>http://www.packetfocus.com/analysis.htm
>
>I would like to know the attack vectors. I'm guessing LSASS.
>
>Joshua Perrymon
>PGP Fingerprint
>51B8 01AC E58B 9BFE D57D  8EF6 C0B2 DECF EC20 6021
>
>  
>
McAfee VirusScan 7.1 with 4364 DAT detects it as W32/Sdbot.worm.gen.g. 
Other than that, they have no information besides that they first 
noticed it on 5/26/2004.

It may spread through lsass, but this type of worm is usually limited to 
spreading through network shares with weak password protection.

Jerry
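A small triage helper for the kind of FPort listing Josh mentions posting, added here as an example and not code from either message: it parses the port-to-process map and flags entries bound to an IRC service port or backed by a binary outside the usual system directories. The sample listing, the process names in it and both heuristics are constructed assumptions, not FPort features or data from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample in the column layout FPort v2.0 prints. The entries for
# pids 1104 and 1188 are hypothetical and were not reported in the thread.
SAMPLE_FPORT = """\
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1104  updater        ->  6667  TCP   C:\\WINNT\\system32\\updater.exe
1188  helper         ->  1025  TCP   C:\\Documents and Settings\\jp\\Local Settings\\Temp\\helper.exe
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")
IRC_PORTS = set(range(6660, 6670)) | {7000}   # common IRC service ports (assumption)
TRUSTED_DIRS = ("c:\\winnt\\", "c:\\windows\\", "c:\\program files\\")  # assumption


@dataclass
class Entry:
    pid: int
    process: str
    port: int
    proto: str
    path: str      # empty for kernel-owned endpoints such as "System"


def parse_fport(text):
    """Turn FPort output into Entry objects, skipping banner and header lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            entries.append(Entry(int(pid), proc, int(port), proto, path.strip()))
    return entries


def suspicious(entries):
    """Return (entry, reason) pairs worth a closer look during triage."""
    hits = []
    for e in entries:
        if e.port in IRC_PORTS:
            hits.append((e, "irc-port"))
        elif e.path and not e.path.lower().startswith(TRUSTED_DIRS):
            hits.append((e, "non-system-path"))
    return hits


if __name__ == "__main__":
    for e, reason in suspicious(parse_fport(SAMPLE_FPORT)):
        print(f"pid {e.pid} {e.process} {e.proto}/{e.port} [{reason}] {e.path}")
```

A hit is only a starting point; a binary in system32 on a normal port, like the Sdbot sample in the thread, still needs the packet captures to confirm what it is talking to.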

