Security Incidents mailing list archives

Re: SV: Q328691 ?

From: H C <keydet89 () yahoo com>
Date: Sat, 7 Sep 2002 04:44:02 -0700 (PDT)

I believe the following link might be of interest
and provide you with
further information about this malware.


Very interesting and detailed write up.  
One small suggestion, though, for completeness only. 
When dealing w/ binaries on Win32 systems, one may
very often find resource information still compiled
into the executable...product version information,
etc.  MS does this with most all of their EXE files
(can't say 100% as I haven't tested them all). 
However, when I analyzed the russiantopz bot, this is
one of the first things I did, and found that the bot
was mIRC 5.82, and that the program to hide the mIRC
client window from the desktop was "hidewndw.exe".

From the research I did to support my findings, this

seems to be a very popular combination.  

The bot I analyzed had been dropped on an IIS 5.0
server, and through testing, I was able to verify that
the final executable (ie, the bot itself) would have
only been running in the IUSR_* context...no Admin
passwords were guessed.  If the compressed package of
files had included any of the priv escalation EXEs
(the Masy worm included the DebPloit EXE in it's
package), things might have been worse.

I think that the linked articles/web sites have
pointed out a lot of very interesting info, and filled
in the gaps left by the MS "analysis".  In particular,
these things aren't so much insideous, as they are
successful due to laziness on the part of the admins. 
If these bits of malware really are as rampant as the
alert would have us believe, then perhaps it's not so
much a lack of security in MS products as it is in the
culture of the administrators.


__________________________________________________
Do You Yahoo!?
Yahoo! Finance - Get real-time stock quotes
http://finance.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Re: Q328691 ?, (continued)
- - - Re: Q328691 ? Nick FitzGerald (Sep 09)
  - Re: Q328691 ? Baribault, Gary (Sep 06)
  - Re: Q328691 ? sunzi (Sep 09)
- Re: Q328691 ? Joe Blatz (Sep 06)
  - Re: Q328691 ? Jon (Sep 09)
  - Re: Q328691 ? HggdH (Sep 09)
- Re: Q328691 ? Valdis . Kletnieks (Sep 06)
- RE: Q328691 ? Byrne, David (Sep 09)
- Re: Q328691 ? Security (Sep 09)
  - Re: Q328691 ? sunzi (Sep 09)
- Re: SV: Q328691 ? H C (Sep 09)
- Re: Q328691 ? Bernt Lervik (Sep 09)
  - RE: Q328691 ? Jason Coombs (Sep 09)
- Re: Q328691 ? Bronek Kozicki (Sep 09)
  - Re: Q328691 ? H C (Sep 09)
- Re: SV: Q328691 ? jennifer smith (Sep 09)
  - Re: SV: Q328691 ? H C (Sep 09)
- RE: Q328691 ? Byrne, David (Sep 10)
- Re: Q328691 ? Kyle Lai (Sep 11)