[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] another new worm submission

To: Paul Schmehl <pauls@xxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] another new worm submission
From: Jerry Heidtke <insecure@xxxxxxxxxxxxx>
Date: Fri, 04 Jun 2004 19:54:32 -0700

Paul Schmehl wrote:

--On Friday, June 04, 2004 03:55:05 PM -0500 insecure <insecure@xxxxxxxxxxxxx> wrote:
McAfee 7.1.0 with DAT 4364 (6/2/04) detects it as BackDoor-CCT. This is
not a worm, it's a trojan. Your systems are being remotely compromised,
possibly with an auto-rooter targeting the lsass vulnerability, which
instructs the compromised system to download, install, and run this
trojan. This trojan includes a keystroke logger, and additional
components that you seem to have missed. Assume that system and any web
site passwords have been compromised. Warn the users of these systems
that unless they change any financial site passwords they are likely to
be victims of theft.
How are these system getting compromised? Why don't you have this patch deployed yet? Why are these systems reachable from the Internet over port 445?
For someone who knows nothing about his network, you sure are willing to make a lot of assumptions. You admit you don't know how the systems were compromised and you don't know what compromised them, yet you castigate him for leaving port 445 open and not patching and you assume this happened *remotely*?

You've got more problems than new worms.

One of which is miserable comforters.
Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/

You're right, I made an assumption that the systems were being compromised remotely rather than being deliberately and maliciously hacked by insiders. Would this somehow be less of a problem? Having systems with routable addresses reachable through port 445 is the most likely avenue of compromise, if this is not the case then Josh would be well advised to determine exactly what is going on with his network.

He did say there were more than one infected system that were displaying symptoms of attack against lsass, and that he couldn't find AV definitions to pick it up, although it's been detectable as a variant for up to six weeks, and someone else posted detections by 8 different AV packages. I also stated that there are other components which he didn't find, which was another assumption but one which is proven true by a quick perusal of any AV vendors' write-up on this.

Since the malware he posted doesn't spread automatically and doesn't attack lsass, there is obviously something else going on, which was the point I was trying to make. Apparently I was too obtuse for some people. I think I suggested some avenues of investigation that may prove helpful to the OP. In what way were your comments helpful?


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] another new worm submission
  - From: Ron DuFresne

References:
- [Full-Disclosure] another new worm submission
  - From: Perrymon, Josh L.
- Re: [Full-Disclosure] another new worm submission
  - From: insecure
- Re: [Full-Disclosure] another new worm submission
  - From: Paul Schmehl

Prev by Date: [Full-Disclosure] weather.com contact
Next by Date: Re: [Full-Disclosure] weather.com contact
Previous by thread: Re: [Full-Disclosure] another new worm submission
Next by thread: Re: [Full-Disclosure] another new worm submission
Index(es):
- Date
- Thread