Re: [Dailydave] Times up!

From: Dennis Rand (randcsis.dk)
Date: Fri Oct 24 2008 - 16:33:24 CDT


Maybe the reason for it not being reliable is that it was used in a targeted attack prior to MS detecting it :)

Just a small idea

Best Regards,
Dennis Rand
PGP ID: 0xD54EB59D
--
Malware/Security Researcher Combined Security and Integrated Services [CSIS]
Vestergade 14 | DK-8660 Skanderborg | www.csis.dk
CSIS: +45 88 13 60 30 | Mobile: +45 60 11 55 06


-----Original message-----
From: dailydave-bounceslists.immunitysec.com [mailto:dailydave-bounceslists.immunitysec.com] On behalf of Brandon Enright
Sent: 24 October 2008 20:19
To: Dave Aitel
Cc: dailydavelists.immunitysec.com
Subject: Re: [Dailydave] Times up!

* PGP Signed by an unknown key

On Fri, 24 Oct 2008 12:38:53 -0400 or thereabouts Dave Aitel
<daveimmunityinc.com> wrote:

>
> Is that exploit reliable? It doesn't look like it's using the reliable
> variant (according to our very brief RE efforts here - and by "our", I
> mean "Kostya's").

In my (also brief) testing, no, it isn't reliable.

>
> Why would someone find such a cool exploit and then not make it
> reliable? Does it even work on XP SP2/3?
>

I haven't been able to get it to go on SP2/3.

Here are a few other observations about the relative lack of
sophistication of the worm component:

* It appears to only scan the local segment
* It scans sequentially
* It scans with a 1 second delay between hosts
* Sometimes it scans a live host but for whatever reason does not
  attempt to exploit
* When it does attempt to exploit a host, it follows up with a bunch of
  HTTP to the C&C servers

I think the above shows a pattern of decisions by the author to *not* be
aggressive. I suspect the author was hoping to compromise just a
handful of machines and go unnoticed by the security community. As
currently written, this malware doesn't appear able to cause a mass
outbreak -- it's simply too slow and too unreliable.

Brandon

* Unknown Key
* 0x0B25F782(L)

_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
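The scanning pattern Brandon describes (local segment only, sequential, about one second per host, then HTTP out to C&C) is easy to pick out of flow records. The following is an added detection example, not code from the thread or from the malware: the flow tuples are constructed, and the function names and thresholds are assumptions.

```python
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed flow records (not real traffic): (epoch seconds, src, dst, dst port)
FLOWS = [
    (1000.0, "10.0.5.20", "10.0.5.1", 445),
    (1001.0, "10.0.5.20", "10.0.5.2", 445),
    (1002.1, "10.0.5.20", "10.0.5.3", 445),
    (1003.0, "10.0.5.20", "10.0.5.4", 445),
    (1004.0, "10.0.5.20", "10.0.5.5", 445),
    (1005.0, "10.0.5.20", "203.0.113.9", 80),   # follow-up HTTP after an attempt
    (1000.5, "10.0.5.77", "10.0.5.30", 445),     # ordinary host talking to a file server
    (1030.0, "10.0.5.77", "10.0.5.30", 445),
]

def sequential_local_scanners(flows, port=445, min_hosts=4, step_tol=0.5):
    """Return {src: info} for sources that walk their own /24 one address at a
    time at a steady cadence toward `port` (the behaviour described in the post).
    Thresholds are assumed values, tune them to the environment."""
    by_src = {}
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src.setdefault(src, []).append((ts, ip_address(dst)))
    hits = {}
    for src, events in by_src.items():
        segment = ip_network(f"{src}/24", strict=False)
        # keep only targets on the source's own segment, in time order
        events = sorted(e for e in events if e[1] in segment)
        if len(events) < min_hosts:
            continue
        addr_steps = [int(b) - int(a) for (_, a), (_, b) in zip(events, events[1:])]
        time_steps = [t2 - t1 for (t1, _), (t2, _) in zip(events, events[1:])]
        cadence = median(time_steps)
        if all(s == 1 for s in addr_steps) and all(abs(d - cadence) <= step_tol for d in time_steps):
            hits[src] = {"hosts": len(events), "cadence_s": round(cadence, 2)}
    return hits

def followup_http(flows, scanners, port=80):
    """For each flagged scanner, count HTTP flows to hosts outside its /24,
    the C&C traffic that the post says follows an exploit attempt."""
    out = {}
    for src in scanners:
        segment = ip_network(f"{src}/24", strict=False)
        out[src] = sum(1 for _, s, d, p in flows
                       if s == src and p == port and ip_address(d) not in segment)
    return out

if __name__ == "__main__":
    found = sequential_local_scanners(FLOWS)
    print(found, followup_http(FLOWS, found))
```

A host scanning several neighbours in address order at a fixed one-second interval, followed by outbound HTTP, is a stronger signal than either observation alone.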