Bugtraq archives for 4th quarter (Oct-Dec) 1998: Re: Internet Wide DOS Attack using IRC

Re: Internet Wide DOS Attack using IRC

Paralyse (adamb1flash.net)
Fri, 2 Oct 1998 18:42:13 -0500

> >    We did find an entry in his registry with the following setting:
> >
> >    /microsoft/windowsexplorer/doc/find/spec/mru
> >    a) " "
> >    b) 5845
> >    c) nfo
> >    d) bo
> >    e) nfo.zip
> >    f) winrar
> >    g) msvbvm60.dll
> >    h) loadwc
> >    i) stargate
> >    j) area51
> >    mrulist) eadcbjihgf

Actually, this is the Most Recently Used files entry. A-J = the last
files to be searched for using Find File, or Opened, or Saved - and the
mrulist specifies the order in which they were used. This is how the
history box in Find File works, and others.

mIRC IRC Client 5.4 and above have the ability to create raw sockets -
you can use the IRC client to open port 25 and check your mail, for
instance, or to connect to any other port on a server, including port 80
- most likely this "trojan" is a line in a script that runs a timer
which connects to the web site, sends HTTP commands, then kills the
socket; every X number of seconds. I doubt this is sophisticated enough
to modify the registry or otherwise change system behaviour.

However, I'm not sure exactly what you could possibly do to prevent such
an attack from occurring.
--
 Paralyse -=(webmasterenforcers.net)=-
-=>-<=- Systems Technician, ICS Computers -=>-<=-
         if test ! "$clothed"="no"  then
touch woman | strip woman | make love | sleep; fi
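
The MRU layout described in the reply above, as an added example that is not part of the original message: it parses the value listing quoted in the post and reconstructs the order in which the entries were used, flagging slots that the MRUList and the values disagree on. It assumes the usual Windows convention that the first letter of MRUList is the most recently used slot; the function names `parse_listing` and `mru_order` are hypothetical.

```python
import re

# Constructed sample: the value listing exactly as quoted in the post above.
SAMPLE = '''\
a) " "
b) 5845
c) nfo
d) bo
e) nfo.zip
f) winrar
g) msvbvm60.dll
h) loadwc
i) stargate
j) area51
mrulist) eadcbjihgf
'''

LINE = re.compile(r'^\s*(\w+)\)\s?(.*)$')  # "name) data", as in the listing

def parse_listing(text):
    """Split 'name) data' lines into (values dict, MRUList string)."""
    values, order = {}, ""
    for m in filter(None, map(LINE.match, text.splitlines())):
        name, data = m.group(1).lower(), m.group(2)
        if name == "mrulist":
            order = data.strip()
        else:
            values[name] = data
    return values, order

def mru_order(values, order):
    """Return (entries, anomalies); entries assumed most-recent-first."""
    entries, anomalies, seen = [], [], set()
    for letter in order:
        if letter in seen:
            anomalies.append(f"duplicate slot {letter!r} in MRUList")
        elif letter not in values:
            anomalies.append(f"MRUList references missing value {letter!r}")
        else:
            entries.append((letter, values[letter]))
        seen.add(letter)
    for letter in sorted(set(values) - seen):
        anomalies.append(f"value {letter!r} not referenced by MRUList")
    return entries, anomalies

if __name__ == "__main__":
    entries, anomalies = mru_order(*parse_listing(SAMPLE))
    print(*(f"[{s}] {d}" for s, d in entries), *anomalies, sep="\n")
```

On the quoted listing this puts `nfo.zip` first and `winrar` last, with no anomalies; a slot that appears in only one of the two places is what an examiner would want to look at.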