Re: Dig in: autorooter, maybe that IRC one but SAV doesnt pick it up.
From: morning_wood (se_cur_ity@hotmail.com)
Date: Fri Aug 08 2003 - 19:38:09 CDT
Any smart "wormer" or "trojaneer" will modify the server component by
editing the source or "hexing" the file, resulting in most common viruses /
trojans being rendered undetectable. The result is that many common viruses /
malware / trojans continue unabated. (Even SubSeven, a trojan that should be
caught by any virus scanner, can be hexed to provide stealth / undetection.)
I have a collection of remote tools and you would be very surprised as to how
many are not detected after simply editing the server component. Not having
an AV product detect a known agent is common, as AV vendors cannot make
provisions for every slight code change. I took the time to write a small
article about trojan strings / detection at
http://areyoufearless.com/files/newsletters/issue1.txt Possibly some can
find it useful in how strings are used in detection / evasion. (Hint:
most trojans / viruses can be rendered undetectable by changing as few as one
word / string in the server component.)
Hope this helps...
Donnie Werner
http://exploitlabs.com
----- Original Message -----
From: "Miguel Ibarra" <lordmike_98@hotmail.com>
To: "Levinson, Karl" <LevinsonK@STARS-SMI.com>; "'Drew Weaver'" <drew@orbityl.com>; <incidents@securityfocus.com>
Sent: Friday, August 08, 2003 7:38 AM
Subject: Re: Dig in: autorooter, maybe that IRC one but SAV doesnt pick it up.
> I submitted the dcomx.exe file to Symantec since my NAV with the latest
> update did not detect the virus in such file, nor in juh.exe, and this is
> what I got:
>
> ************************
> We have analyzed your submission. The following is a report of our
> findings for each file you have submitted:
>
> filename: C:\dcomx.exe
> machine: MIKE
> result: This file is infected with Backdoor.IRC.Cirebot
> ******************************************************
> ----- Original Message -----
> From: "Levinson, Karl" <LevinsonK@STARS-SMI.com>
> To: "'Drew Weaver'" <drew@orbityl.com>; <incidents@securityfocus.com>
> Sent: Wednesday, August 06, 2003 8:26 AM
> Subject: RE: Dig in: autorooter, maybe that IRC one but SAV doesnt pick it up.
>
>
> > In case it is helpful, note that the DCOMX.EXE file name resembles the name
> > of the fairly new Autorooter / Cirebot / Downloader-DM / "RPC Worm"
> > [F-secure nomenclature] RPC attack tool, but none of the files are detected
> > as such by either NAV or TrendMicro House Call with the latest updates
> > applied.
> >
> > The four files in the subdirectory contain strings and file names that lead
> > one to suspect they are part of Intel Landesk [PDS.EXE, ping discovery
> > service per google, and XFR.EXE, Intel file transfer utility, per google].
> >
> >
> > -----Original Message-----
> > From: Drew Weaver [mailto:drew@orbityl.com]
> > Sent: Tuesday, August 05, 2003 3:07 PM
> > To: incidents@securityfocus.com
> > Subject: [despammed] Dig in: autorooter, maybe that IRC one but SAV
> > doesnt pick it up.
> >
> >
> > Dig in.
> >
> > http://www.soul-fu.com/drew.zip
> >
> > I found this on a Windows 2k SP4 machine without (without) the two most
> > recent and critically necessary patches.
> >
> > Enjoy.
> >
> > -Drew
> >
> >
>
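Editor's note (not part of any message in the thread above): the point Donnie Werner makes about one-string "hexing" is easy to reproduce on a toy scale. The Python below is an added example, not code from the thread, the linked newsletter, or any AV product. It builds a constructed byte blob standing in for a trojan server component (the blob, the "Backdoor.IRC.ExampleBot" banner, the host name and the signatures are all invented), runs a single-string signature over it, applies a same-length one-character edit of the kind a hex editor makes, and shows the signature no longer fires. It then runs a hypothetical multi-string threshold rule (loosely in the style of a YARA rule) over the same edited blob to show how requiring several independent strings raises the cost of the evasion, and a heavier edit to show that it only raises the cost, it does not remove it.

```python
"""Hypothetical string-signature scanner versus a one-character hex edit.

Constructed example: the sample blob, the strings in it and the signatures
are invented and do not come from any real malware sample or AV product.
"""

# Constructed stand-in for a trojan "server component": an opaque byte blob
# carrying the kind of strings real binaries do (a version banner, a
# configuration value, a protocol fragment).
ORIGINAL_SERVER = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"connect-back host: c2.example\x00"   # invented configuration string
    + b"Backdoor.IRC.ExampleBot v1.0\x00"    # invented version banner
    + b"NICK %s\r\nJOIN #ctrl\r\n\x00"       # invented IRC protocol fragment
    + b"\x00" * 16
)

# A single-string signature of the kind the post describes: detection hinges
# on one exact byte sequence being present.
NAIVE_SIGNATURE = b"Backdoor.IRC.ExampleBot v1.0"

# A hypothetical multi-string rule with a threshold: any three of the four
# fragments must be present for the rule to fire.
MULTI_RULE = {
    "strings": [b"Backdoor.IRC", b"NICK %s", b"JOIN #", b"connect-back host"],
    "min_matches": 3,
}


def naive_scan(blob: bytes) -> bool:
    """Flag the blob only if the one exact signature string is present."""
    return NAIVE_SIGNATURE in blob


def rule_scan(blob: bytes, rule=MULTI_RULE):
    """Flag the blob if at least rule["min_matches"] of its strings appear.

    Returns (detected, list_of_strings_that_matched).
    """
    hits = [s for s in rule["strings"] if s in blob]
    return len(hits) >= rule["min_matches"], hits


def hex_edit(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Overwrite one occurrence of `old` with `new`, same length only.

    A same-length overwrite is what a hex editor does: file offsets and every
    other byte of the binary stay exactly as they were.
    """
    if len(old) != len(new):
        raise ValueError("hex edit must not change the length of the blob")
    if old not in blob:
        raise ValueError("string to patch not found in blob")
    return blob.replace(old, new, 1)


def make_hexed_server() -> bytes:
    """The 'wormer's' edit from the post: change one character of the banner."""
    return hex_edit(ORIGINAL_SERVER, b"ExampleBot v1.0", b"ExampleBot v1.1")


def make_heavily_hexed_server() -> bytes:
    """Enough same-length edits to drop below the multi-string threshold."""
    blob = make_hexed_server()
    blob = hex_edit(blob, b"Backdoor.IRC", b"Bakcdoor.IRC")  # breaks "Backdoor.IRC"
    blob = hex_edit(blob, b"JOIN #ctrl", b"JOIN_#ctrl")      # breaks "JOIN #"
    return blob


if __name__ == "__main__":
    hexed = make_hexed_server()
    print("naive signature, original      :", naive_scan(ORIGINAL_SERVER))
    print("naive signature, one-char edit :", naive_scan(hexed))
    print("multi-string rule, one-char edit:", rule_scan(hexed))
    print("multi-string rule, heavy edit   :", rule_scan(make_heavily_hexed_server()))
```

The single-string signature matches the original blob and misses it after a one-character change to the banner, which is the behaviour the post describes. The threshold rule still fires after that edit because the other fragments are untouched, but three same-length edits are enough to defeat it too; a practitioner reading the thread should take from this that string rules need several independent, hard-to-change anchors (protocol formats, error messages, API name tables) rather than a banner, and that a sample the scanner misses is still worth submitting to the vendor, as Miguel did.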