
Re: [Full-Disclosure] Bobax and Kibuv



Ditto on Valdis's comments except on the hookers part :)

Another problem with both Kibuv and Bobax is that they both use a random port to download the binary from an infected host. I find it difficult to write firewall rules for a process that opens random ports ;)

Kibuv write-up from Symantec:
"Create a hidden remote shell process that will listen on a random TCP port. (This will allow an attacker to issue remote commands on an infected computer.). Use the shell on the remote computer to reconnect to the infected computer's FTP server. Retrieve a copy of the worm and then execute it."


Bobax write-up from Symantec:
"Sends shell code to the host on TCP port 445, attempting to exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011 <http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx>) on Windows XP. If it is successful, the code that is executed on the remote computer uses HTTP to force a connection back to the infected computer on a random port. Downloads and executes the worm."

Valdis.Kletnieks@xxxxxx wrote:

> On Mon, 24 May 2004 17:41:34 +0200, Tobias Weisserth <tobias@xxxxxxxxxxxx> said:
>
>> I can't understand why it seems so hard to catch samples of worms that
>> knock at my firewall 24/7.
>>
>> Just open the corresponding ports and forward them to a vulnerable
>> machine on a different subnet (DMZ) and let the worms infect a machine
>> you designated for this purpose.
>
> The only tricky part is catching *only* a Bobax or Kibuv. I can guarantee that if you put the shields down low enough to catch something that beats on the LSASS, you'll catch something. The question is whether you'll catch a Bobax before you have to stop and throw a Sasser or other malware off the system....
>
> It's kind of like trying to catch a chlamydia sample by banging hookers without
> a rubber - you'll probably catch it along with other stuff too....

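The complaint above, that a port-based firewall rule cannot catch a download that lands on a random port, can be worked around by pairing connections instead of filtering ports: an inbound hit on TCP/445 from an outside host, followed within a short window by a new connection between the same two hosts on a non-standard port, is the shape both write-ups describe (Bobax: victim connects back out to the attacker; Kibuv: attacker connects in to the shellcode's listener, then the victim FTPs back). The script below is an added example, not code from the thread or from any vendor write-up. It runs over a constructed connection log in a made-up format; the extra exploit ports 135/139, the "benign follow-up" port list, the 120-second window and the RFC 5737 addresses are all assumptions chosen for the illustration.

```python
"""Pair an inbound hit on an exploitable service port with the follow-up
connection a worm needs to fetch its binary, whatever port that follow-up uses.

Log format (constructed for this example, loosely modelled on a firewall
connection log):  "<unix_ts> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
"""
import ipaddress
from collections import defaultdict
from typing import List, NamedTuple, Tuple

# 445 (LSASS, MS04-011) is the port named in the thread; 135 and 139 are an
# assumption added to show the pairing is not tied to one service.
EXPLOIT_PORTS = {445, 135, 139}
# Ports a legitimate second connection between the same two hosts might use
# (assumed list); anything else is treated as a "random port" follow-up.
BENIGN_FOLLOWUP_PORTS = {80, 443, 445, 135, 139, 53}
WINDOW_SECONDS = 120                       # assumed pairing window
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed "inside" range


class Conn(NamedTuple):
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Conn:
    ts, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Conn(float(ts), proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port))


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def find_backconnects(lines: List[str]) -> List[Tuple[Conn, Conn, str]]:
    """Return (exploit_conn, followup_conn, label) for every follow-up that
    lands on a non-benign port within WINDOW_SECONDS of an exploit attempt
    between the same outside/inside pair, in either direction."""
    conns = sorted((parse_line(l) for l in lines if l.strip()), key=lambda c: c.ts)
    exploits = defaultdict(list)           # (attacker, victim) -> [Conn]
    hits = []
    for c in conns:
        if c.proto != "tcp":
            continue
        if c.dport in EXPLOIT_PORTS and not is_internal(c.src) and is_internal(c.dst):
            exploits[(c.src, c.dst)].append(c)
            continue
        # Candidate follow-up: same two hosts, either direction.
        if is_internal(c.src) and not is_internal(c.dst):
            key, direction = (c.dst, c.src), "outbound"
        elif not is_internal(c.src) and is_internal(c.dst):
            key, direction = (c.src, c.dst), "inbound"
        else:
            continue
        for e in exploits.get(key, []):
            if 0 < c.ts - e.ts <= WINDOW_SECONDS and c.dport not in BENIGN_FOLLOWUP_PORTS:
                if direction == "outbound":
                    label = "outbound back-connect from victim to attacker (Bobax-style fetch)"
                else:
                    label = "inbound to non-standard port on victim (Kibuv-style shell listener)"
                hits.append((e, c, label))
    return hits


# Constructed sample log: 198.51.100.0/24 and 203.0.113.0/24 play "outside".
SAMPLE_LOG = [
    "1085414400 tcp 198.51.100.7:3187 -> 192.0.2.10:445",    # exploit attempt
    "1085414403 tcp 192.0.2.10:1042 -> 198.51.100.7:34977",  # victim fetches on random port
    "1085414500 tcp 198.51.100.9:4010 -> 192.0.2.11:445",    # exploit attempt
    "1085414502 tcp 198.51.100.9:4011 -> 192.0.2.11:21937",  # attacker -> victim's shell port
    "1085414505 tcp 192.0.2.11:1050 -> 198.51.100.9:21",     # victim FTPs back to attacker
    "1085414600 tcp 203.0.113.4:5000 -> 192.0.2.12:445",     # attempt with no follow-up
    "1085414610 tcp 192.0.2.12:1060 -> 203.0.113.4:80",      # ordinary HTTP, benign port
    "1085415000 tcp 198.51.100.7:3200 -> 192.0.2.10:445",    # new attempt ...
    "1085415200 tcp 192.0.2.10:1070 -> 198.51.100.7:9999",   # ... follow-up outside window
]

if __name__ == "__main__":
    for exploit, follow, label in find_backconnects(SAMPLE_LOG):
        print(f"{exploit.src} -> {exploit.dst}:{exploit.dport} then "
              f"{follow.src}:{follow.sport} -> {follow.dst}:{follow.dport}: {label}")
```

Against the sample log this flags three follow-ups (one Bobax-style outbound, one inbound to the victim's listener, and the FTP back-connect) and ignores the failed attempt, the benign HTTP session and the follow-up that falls outside the window. The pairing is what a stateless port rule cannot express; on real logs you would tune the window and the benign-port list to the network, and the outbound case is also the one an egress policy of "no new outbound connections from servers to non-standard ports" would have blocked.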
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html