Vulnerability Development
mailing list archives
Re: Suspicious JOE.EXE
From: "Roy Wilson" <rwilson9 () twcny rr com>
Date: Sun, 05 Aug 2001 18:42:01 -0400
I've seen a lot here on it being an email attachment; I've found such DDoS zombie programs more likely to be executed on workstations by auto-decryption of binary newsgroup postings than any other method. The .binaries channels are loaded with them in all kinds of flavors and varieties, usually a 55k .exe, but I've seen .com and some macro/script variants as well.

The newsgroup versions are usually a small exe which contacts a server and downloads/installs the trojan in the background, usually in either \windows or \windows\system.

Almost all of them are kiddie-modified versions of cBot, and since "cBot" appears in 90% of the trojan exes in clear text, it's not a big deal to scan for and delete them. Although Symantec hasn't seemed to realize that yet, quite a few of them waltz right past their AV software. ZoneAlarm has yet to miss one that I've seen, either the small preload or the full trojan.

Not much I can do with the nets I administer to prevent access to the most offending groups (binaries.erotica.xyz), as the nets *need* NG access and I haven't found a way to prevent access to any groups other than the approved ones short of setting up a private news server.
Roy Wilson <Emperor_Wilson () email com> <WINS#6>
Numismatist? <www.winsociety.ws>
PGP Key available from certserver.pgp.com or pgpkeys.mit.edu
Caesar si viveret, ad remum dareris
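The detection approach the post describes, scanning binaries for the clear-text "cBot" marker, written out as an added Python example (this is not the poster's code or any vendor's scanner): it walks a directory tree, reads .exe and .com files, flags any that contain the marker, and records whether the file starts with the DOS/PE "MZ" header and where the marker sits. Only the marker string comes from the post; the file names, file contents and the sample tree built by `demo()` are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

MARKER = b"cBot"             # clear-text string the post reports in most samples
PE_MAGIC = b"MZ"             # DOS/PE header that .exe files (and many droppers) begin with
SCAN_EXTENSIONS = {".exe", ".com"}   # the two file types the post mentions


def classify_bytes(data: bytes) -> dict:
    """Summarise one file's contents: header type, marker presence and offset, size.
    The match is case-sensitive because the post reports the string in clear text."""
    return {
        "is_pe": data[:2] == PE_MAGIC,
        "has_marker": MARKER in data,
        "marker_offset": data.find(MARKER),   # -1 when absent
        "size": len(data),
    }


def scan_tree(root, extensions=SCAN_EXTENSIONS):
    """Walk `root` and return (path, info) for every scannable file carrying the marker.
    Files that cannot be read are skipped rather than aborting the whole scan."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in extensions:
                continue
            try:
                info = classify_bytes(path.read_bytes())
            except OSError:
                continue
            if info["has_marker"]:
                hits.append((str(path), info))
    return hits


def demo():
    """Build a constructed sample tree in a temporary directory, scan it, and
    return the relative paths that were flagged. None of these are real malware:
    they are byte strings made up here to exercise the scanner."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # constructed "preload" exe: MZ header, padding, marker inside a string
        (root / "dl.exe").write_bytes(
            b"MZ" + b"\x90" * 64 + b"connect cBot server" + b"\x00" * 32)
        # constructed clean exe: MZ header, no marker
        (root / "clean.exe").write_bytes(b"MZ" + b"\x00" * 128)
        # text file mentions the string but is outside the scanned extensions
        (root / "notes.txt").write_bytes(b"cBot mentioned here")
        # constructed .com-style file in a subdirectory, marker near the start
        sub = root / "system"
        sub.mkdir()
        (sub / "payload.com").write_bytes(b"\xe9" + MARKER + b"\x00" * 16)
        hits = scan_tree(root)
        return sorted(Path(p).relative_to(root).as_posix() for p, _ in hits)


if __name__ == "__main__":
    for rel in demo():
        print("flagged:", rel)
```

`demo()` flags `dl.exe` and `system/payload.com` and ignores the clean executable and the text file. In a real deployment the natural change is to quarantine flagged files for review rather than delete them outright, and to log the path, size and marker offset so that false positives (any legitimate binary containing the same four bytes) can be checked.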