OSEC

Re: cuebot-d infection method

From: Simon Borduas (sborduashypertec.ca)
Date: Mon Aug 29 2005 - 13:11:13 CDT


Right on Matt.

This new breed of malware is all about patch management.

Simon

On 26 Aug 2005 at 16:20, matt wrote:

> Jeff Bryner wrote:
>
> >I've seen a couple cuebot-d infections over the last couple days and am
> >trying to track down the source of them. Has anyone seen enough of this
> >to know the universe of ways the pc gets initially infected?
> >
> >The PCs that have gotten infected have McAfee running on them which
> >incorrectly picks it up as W32/Sdbot.worm.gen.by when a scan is
> >requested. It didn't seem to pick it up *until* a scan was requested.
> >
> >The writeup at http://www.sophos.com/virusinfo/analyses/w32cuebotd.html
> >fits the scenario, but it doesn't say exactly what the initial
> >infection vector is.
> >
> >Thanks for any help.
> >
> >Jeff
> >CISSP, GCIH, GCFA
> >
> >
> Sdbot has many infection vectors and is easy to modify. Usually as soon
> as a new MS bug is discovered somebody mods it into sdbot or one of these
> variants. I have seen an sdbot using about 20 different infection
> methods from lsass, ntpass/share cracking to the new win2k bug.
>
> Regards
>
> Matt
> Learn Security Online, Inc.