RE: Backdoor not recognized by Kaspersky
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 05 Mar 2004 02:46:24 +1300
"Larry Seltzer" <larry () larryseltzer com> wrote:
> I'm really not clear how this could work on a DHCP client, which the
> overwhelming majority of compromised systems must be. Please don't just
> tell me it's magic and works.
Well, cable and DSL clients tend to get the same IPs over and over and
even if they don't between restarts, within a "session" (and these tend
to be "always on" devices, so a "session" can be days to weeks long)
they definitely tend to retain the same IP. Thus, setting yourself up
as a server tends to "work" -- spray out a bunch of IMs, or Emails that
look as if they are from the victim to everyone in the victim machine's
address book "Get this cool screensaver I made with my party photos.
It's on my personal web site <IP-based_URL>". Get one more victim
before the first victim's ISP kills his account and you have a
successfully _maintaining_ spread mechanism...
And, of course, there is always the "high-rotation rate round-robin DNS
pointing to a port redirector", which we have already seen used to
obfuscate the "real" location of the spammer's web site. Sure, it
probably needs an army of several dozen to several hundred compromised
machines but we've seen it used successfully several times.
Oh, and even if a victim machine's IP is not very stable because of
DHCP oddities, that often need not matter -- in the IM example, the
"bot" need only keep checking its IP before sending each message (or
batch) and again, the very low "useful" success rate means it need not
care if 50% (or probably even 90%) of its potential victims do not
actually see or otherwise have a chance to react to one of its messages
before its host IP changes...
And, of course, we are talking about machines where all bets are off
because the bad guys have already got some code to run, so they can
include address notifier code in their bots to "phone home" their
changing network addresses if they do suffer from such yet can still
viably perform their intended functions (a lot of IRC bot-net agents
already do this...).
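The lure Nick describes (a message pointing at "my personal web site <IP-based_URL>", often on a non-standard port behind a redirector) has a simple defensive signal: the link's host is a bare IP literal rather than a name. The following is an added example, not code from this thread; it scans a message body for http(s) URLs whose host is an IP literal, records any non-standard port, and runs over two constructed sample messages.

```python
import ipaddress
import re
from typing import Dict, List

# http(s) URL, capturing the host (bracketed IPv6 or anything up to / : ? #) and an optional port.
URL_RE = re.compile(
    r"https?://(?P<host>\[[0-9a-fA-F:]+\]|[^\s/:?#]+)(?::(?P<port>\d{1,5}))?",
    re.IGNORECASE,
)

# Constructed sample messages (not real traffic); the address is from a documentation range.
SAMPLE_LURE = ("Get this cool screensaver I made with my party photos. "
               "It's on my personal web site http://203.0.113.45:8080/party.scr")
SAMPLE_BENIGN = "Photos from the weekend are at https://www.example.com/photos"


def ip_literal_urls(text: str) -> List[Dict[str, object]]:
    """Return every URL in `text` whose host is an IP address rather than a name.

    Each hit records the address, the explicit port (None if absent) and whether
    that port is something other than the usual 80/443, which is the pattern a
    port redirector in front of a compromised host tends to produce.
    """
    hits = []
    for m in URL_RE.finditer(text):
        host = m.group("host").strip("[]")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname, not an IP literal: not what this check is for
        port = int(m.group("port")) if m.group("port") else None
        hits.append({
            "target": m.group(0),
            "address": str(addr),
            "port": port,
            "nonstandard_port": port not in (None, 80, 443),
        })
    return hits


def classify_message(body: str) -> str:
    """Label a message 'suspicious' if it carries any IP-literal link, else 'clean'."""
    return "suspicious" if ip_literal_urls(body) else "clean"
```

A mail or IM gateway would apply this as one cheap heuristic among several; a bare IP link from a known contact is worth a closer look, not an automatic block.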