
Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back”



Hi, interesting,
I am just thinking about the transfer protocol it may be using to spread
through many of the PCs... thousands there were at one stage, and now to see
that they are using FLASH/USB/SanDisk/whatever-the-brand flash disks, which I
know can be very easily used to carry a nice healthy wormling across
thousands of PCs. Within a day it would have the connected flash drives, and
then whenever someone unplugs one and plugs it into another there is a whole
new department sometimes owned, which was not targeted originally, i.e. a kid
uses his USB disk then takes it to uni... This has bypassed many AVs before,
simply by encrypting things... I won't go into that part, but it can be sent
over in Blowfish, and then decrypting and removal can be hard depending on
the variation... One can also target *exact* brand names... and then
perform attacks to exploit (SanDisk is the main target)..
It is a VERY effective method to spread the actual worm... the removal could
simply be bad security techs, not able to remove service-bots which are far
harder nowadays to remove if built correctly, than ever before, or 2008 for
example.
YES there is plenty of code about the USB/thumbdrive, usually it is attached
to some bot-.src.tar ... also remember that these can also attack and own
phones/iPad/iPad2 and iPhone :)
There is also a variant which can attack ext4 drive extensions, although it
was more of a failure than a success because of who was making it, I guess.
What's even more funny to me, I was discussing this with another friend of
mine maybe 6 months ago: if another government was to own a rover... then send
back images and any commands given to it, to the people who want this for
their own fantasies. It has now seemingly come true.. although I would never have
guessed through a silly exe and a USB stick.... Although I did not research
this topic much, I only react to where I saw the 'flaw', I think.. or one
flaw in it; of course many of you probably have already thought of this.. or
maybe not. Just go take a look at some of the code that's around nowadays,
attached to very workable src code... this could simply be a very smart
encrypted exe, which, like most exes, takes a little to find the algo and
decrypt ;p. I will watch the thread for this to happen, or not?
If it is an inside job, as in a tech working there, then surely we won't hear
much more about this, apart from maybe when they remove it and take apart
whatever infected them..etc etc..
xd

On 11 October 2011 06:00, Hatta <tmdhat@xxxxxxxxx> wrote:

> “We think it’s benign. But we just don’t know.”
>
> LOL
>
> dude, that was funnier than any steve jobson's jokes so far...
>
>
>
> On Mon, Oct 10, 2011 at 8:51 AM, Christian Sciberras <uuf6429@xxxxxxxxx>
> wrote:
> > http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/
> > This is news to me.
> > Moreover, I'm a bit confused as to how they don't track how it's coming
> > back.
> > I mean, how is it possible that no one stepped in and analyzed how the
> virus
> > acts and where it came from?
> > It sounds fishy if you ask me.
> > Chris.
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
>
> --
> Hatta
>
>