Vulnerability Development mailing list archives

Re: Suspicious joe.exe
From: Josh Smith <josh () viper falcon-networks com>
Date: Thu, 2 Aug 2001 02:22:21 -0400 (EDT)

        About two weeks ago while investigating a user on a server
we administrate we came across someone's stash.  Included in it was
tucanx.exe and kaiten.exe which are the same as the joe.exe you posted
except the ones we found joined #tucanx and #kaitex.
        Along with that we found another program that is used to
scan subnets looking for IIS servers vulnerable to the .printer overflow.
After exploiting it, the trojan tucanx.exe is uploaded to the server and
they connect to irc.icq.com and join a specified IRC channel.
        After a few days we were able to catch up to the only
ircop on irc.icq.com and he shut down all the channels by making them
invite only; it was the best we could think to do.
        The main purpose of these botnets seems to be to launch
distributed Denial of Service attacks.  In addition, they can be used to
create chaos on IRC.
        We sent the trojan and the scanner to eEye.
                                                        Thanks,
                                                        Josh & lockdown


