Full Disclosure mailing list archives
Re: Backdoor.Sdbot.N Question
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 09 Sep 2003 15:12:32 +1200
"James Patterson Wicks" <pwicks () oxygen com> wrote:
> Anyone know how Backdoor.Sdbot.N spreads? ...
Sure. It doesn't. "Backdoor", if properly used in naming malware (with commercial AV vendors that is long odds, but let's assume...) is a classification of a non-replicating and thus non-self-spreading form of malware. Thus, the answer is, it doesn't spread by itself. Of course, it can be spread by any means of software distribution you can imagine _other than_ those that fall under self-replication.
> ... This morning we had several users pop up with this trojan (or a new variant). ...
What precisely do you mean by this? You go on to say that whatever it is they have is not detected by your virus scanner, so how do you know what these machines have? (Let alone to such a fine degree of variant naming as ".N"??)
> ... These users generated a ton of traffic until their machines were unplugged from the network. Their systems have all the markers for the Backdoor.Sdbot.N trojan (registry entries, etc), but it was not picked up by the Norton virus scan. In fact, even if you perform a manual scan after the trojan was discovered, it is still not detected in the scan.
Perhaps it is a repackaged version of that malware. Perhaps it is an entirely new malware that just happens to use the same settings? (The fashion of using existing "legitimate" filenames, or close approximations thereto, coupled with the rather limited imaginations of your typical skiddies means that originality in such matters is not common...)
> I would also like to know if this is also an indicator of not having the patch for the Blaster worm.
Well, as we really have no idea what you actually have, it would be a tad tricky to say anything much useful about that... You have the machines though, so why don't you test them for the installation of the patch?

As to the "big picture" of your question -- these machines could have almost anything distributed almost any way. The last few days, exploits of the "Object Data Tag" vulnerability of MS03-032 have been popular for "distributing" all manner of scumware, so maybe they got smacked with one of those? Or maybe with any of dozens of other things.

Have you sent the suspect file(s) from these machines to a couple of malware analysis labs? To save you looking them up, here are the suspicious file submission addresses of the better known AV developers:

Command Software <virus () commandcom com>
Computer Associates (US) <virus () ca com>
Computer Associates (Vet/EZ) <ipevirus () vet com au>
DialogueScience (Dr. Web) <Antivir () dials ru>
Eset (NOD32) <sample () nod32 com>
F-Secure Corp. <samples () f-secure com>
Frisk Software (F-PROT) <viruslab () f-prot com>
Grisoft (AVG) <virus () grisoft cz>
H+BEDV (AntiVir) <virus () antivir de>
Kaspersky Labs <newvirus () kaspersky com>
Network Associates (McAfee) <virus_research () nai com>
Norman (NVC) <analysis () norman no>
Sophos Plc. <support () sophos com>
Symantec (Norton) <avsubmit () symantec com>
Trend Micro (PC-cillin) <virus_doctor () trendmicro com>

(Trend may only accept files from users of its products)

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
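The reply above leaves the original poster with two concrete jobs: confirm on the affected machines whether the Blaster-era patch is actually installed, and decide which files are worth sending to the AV labs listed. The following PowerShell triage script is an added example, not part of this thread or of any vendor's tooling. It assumes that the patch in question is the MS03-026 hotfix, KB823980 (the post itself names no KB number), and, since the post does not say which "registry entries" were the markers, it uses the standard Run/RunOnce autorun keys as the place to look for the binaries that need a second opinion.

```powershell
# Added example (not from the thread): host triage for the two questions in
# the reply above -- is the Blaster-era patch installed, and which autorun
# entries point at binaries worth submitting to an AV lab.
# Assumptions: KB823980 is the MS03-026 hotfix (the post names no KB number);
# the Run/RunOnce keys stand in for the unspecified "registry entries".

function Test-HotFixInstalled {
    param([string]$HotFixId = 'KB823980')
    # Get-HotFix reads the installed-updates inventory; $null means not found.
    $hf = Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue
    return [bool]$hf
}

function Resolve-AutorunExecutable {
    param([string]$Command)
    # Autorun values are command lines: either "quoted path" args or path args.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted: accumulate tokens until one ends in .exe, else take the first.
    $tokens = $cmd -split '\s+'
    $acc = ''
    foreach ($t in $tokens) {
        $acc = if ($acc) { "$acc $t" } else { $t }
        if ($t -match '\.exe$') { return $acc }
    }
    return $tokens[0]
}

function Get-AutorunTriage {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... bookkeeping properties.
            if ($p.Name -like 'PS*') { continue }
            $exe = Resolve-AutorunExecutable -Command ([string]$p.Value)
            if (-not $exe) { continue }
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $status = 'Missing'; $signer = ''; $hash = ''
            if ($exists) {
                # Authenticode status (Valid / NotSigned / HashMismatch ...) and a
                # SHA-256 give the lab something to match against before upload.
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $status = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            }
            [pscustomobject]@{
                Key        = $key
                ValueName  = $p.Name
                Executable = $exe
                Signature  = $status
                Signer     = $signer
                SHA256     = $hash
            }
        }
    }
}

# Usage: unsigned, tampered or missing binaries are the first submission candidates.
"Blaster patch (MS03-026 / KB823980) present: $(Test-HotFixInstalled)"
Get-AutorunTriage | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Run it in an elevated session on an isolated copy of the suspect machine; anything reported as NotSigned, HashMismatch or Missing (a Run value pointing at a file that has since been deleted) is what to send, together with its SHA-256, to the submission addresses above rather than guessing at a variant name from registry settings alone.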
Current thread:
- Backdoor.Sdbot.N Question James Patterson Wicks (Sep 08)
- RE: Backdoor.Sdbot.N Question Bojan Zdrnja (Sep 08)
- Re: Backdoor.Sdbot.N Question Nick FitzGerald (Sep 08)
- <Possible follow-ups>
- RE: Backdoor.Sdbot.N Question James Patterson Wicks (Sep 08)
- RE: Backdoor.Sdbot.N Question Jade E. Deane (Sep 08)
- Re: Backdoor.Sdbot.N Question cseagle (Sep 09)
- RE: Backdoor.Sdbot.N Question Nick Jacobsen (Sep 08)
- RE: Backdoor.Sdbot.N Question James Patterson Wicks (Sep 09)