From: PerrymonJ at bek.com (Perrymon, Josh L.)
Subject: anyone seen this worm/trojan  before?

After thinking about it and discussing it with a friend:

It makes sense that it doesn't try to propagate until it connects to an IRC
server.
That way you don't have a lot of machines hitting the compromised IRC server
after it has been taken down.

I'm working on setting up IRCD on my BSD box in my VMware lab and seeing
what it does.

I will also send the FPort info.

I *did* notice the same ports open as the Korgo worm.

It also sends from sequential source ports to the compromised IRC host.

JP
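The two observations above (the bot retrying its IRC server from sequential source ports, and the dead server answering only with RSTs) are something a capture can be checked for mechanically. The following is an added example written for this archive page, not code from the poster or from the analysis page he links; the log format, the addresses and the port-sequence threshold are all assumptions, and the sample records are constructed by hand.

```python
"""Flag hosts that retry one destination from consecutive source ports and only get RSTs back.

Added example. Input is a constructed, simplified connection log: one line per outbound SYN,
"src sport dst dport reply", where reply is the flag set seen coming back
(SA = SYN/ACK, i.e. the port is open; R = RST, i.e. the port is closed).
Addresses are from documentation ranges and are hypothetical.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 looks like the bot hammering a dead IRC port (6667) from
# sequential source ports; 10.0.0.7 is ordinary web browsing with gaps in its source ports.
SAMPLE_LOG = """\
10.0.0.5 1031 203.0.113.10 6667 R
10.0.0.5 1032 203.0.113.10 6667 R
10.0.0.5 1033 203.0.113.10 6667 R
10.0.0.5 1034 203.0.113.10 6667 R
10.0.0.5 1035 203.0.113.10 6667 R
10.0.0.7 2100 192.0.2.20 80 SA
10.0.0.7 2107 192.0.2.20 80 SA
10.0.0.7 2119 192.0.2.20 80 SA
"""


def parse_records(text):
    """Parse the constructed log format into (src, sport, dst, dport, reply) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, sport, dst, dport, reply = line.split()
        records.append((src, int(sport), dst, int(dport), reply))
    return records


def flow_stats(records):
    """Group attempts by (src, dst, dport) and compute the two indicators from the thread:
    strictly consecutive source ports, and every attempt answered with a RST."""
    flows = defaultdict(list)
    for src, sport, dst, dport, reply in records:
        flows[(src, dst, dport)].append((sport, reply))
    stats = {}
    for key, attempts in flows.items():
        ports = [p for p, _ in attempts]
        stats[key] = {
            "attempts": len(attempts),
            "sequential_sports": len(ports) > 1
            and all(b - a == 1 for a, b in zip(ports, ports[1:])),
            "all_rst": all(r == "R" for _, r in attempts),
        }
    return stats


def find_beacons(records, min_attempts=4):
    """Return the (src, dst, dport) flows that match the retry-loop pattern.
    min_attempts is an assumed threshold, not a value from the thread."""
    return [
        key
        for key, s in flow_stats(records).items()
        if s["attempts"] >= min_attempts and s["sequential_sports"] and s["all_rst"]
    ]


if __name__ == "__main__":
    for src, dst, dport in find_beacons(parse_records(SAMPLE_LOG)):
        print(f"possible dead-C2 retry loop: {src} -> {dst}:{dport}")
```

One caveat when reading the result: Windows 2000/XP hand out ephemeral ports sequentially from 1025 to every client program, so "sequential source ports" on its own describes most traffic from a host of that era. The stronger signal is the combination: many attempts to one destination port, all refused with a RST, and the host never giving up.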

-----Original Message-----
From: Perrymon, Josh L. 
Sent: Thursday, June 03, 2004 2:41 PM
To: 'insecure'; Perrymon, Josh L.
Cc: full-disclosure@...sys.com
Subject: RE: [Full-Disclosure] anyone seen this worm/trojan before?


I was guessing about LSASS because that was the only patch not on the box
that was infected.
The user also had a password with a couple of #'s in it, so I didn't think it
would be found in a password list.

After watching it for a while I *never* saw it try to propagate to another
machine. That's what was weird.
So how would he get it the first time?
I had to infect him some way...  But there were no other traces of it on
the network...

If I have some time I'll post the FPort data and some clean packet captures.

JP



-----Original Message-----
From: insecure [mailto:insecure@...ritech.net]
Sent: Thursday, June 03, 2004 2:27 PM
To: Perrymon, Josh L.
Cc: full-disclosure@...sys.com
Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before?


Perrymon, Josh L. wrote:

>I found this worm/trojan on a laptop. Ran FPort and found the .exe.
>Doesn't look like it propagates to other machines but rather communicates
>with a compromised web company's server using IRC. The compromised server
>has removed the IRC service. Only sends RST packets back.
>
>I put it on my site.
>
>http://www.packetfocus.com/analysis.htm
>
>I would like to know the attack vectors. I'm guessing LSASS.
>
>Joshua Perrymon
>PGP Fingerprint
>51B8 01AC E58B 9BFE D57D  8EF6 C0B2 DECF EC20 6021
>
McAfee VirusScan 7.1 with 4364 DAT detects it as W32/Sdbot.worm.gen.g. 
Other than that, they have no information besides that they first 
noticed it on 5/26/2004.

It may spread through lsass, but this type of worm is usually limited to 
spreading through network shares with weak password protection.

Jerry

