Full Disclosure mailing list archives

Re: Bobax and Kibuv


From: joe smith <joe () joesmith homeip net>
Date: Sat, 24 Jan 2004 13:40:19 -0600

Ditto on Valdis's comments except on the hookers part :)

Another problem with both Kibuv and Bobax is that they both use a random port to download the binary from an infected host. I find it difficult to write firewall rules for a process that opens random ports ;)

Kibuv write-up from Symantec:
"Create a hidden remote shell process that will listen on a random TCP port. (This will allow an attacker to issue remote commands on an infected computer.). Use the shell on the remote computer to reconnect to the infected computer's FTP server. Retrieve a copy of the worm and then execute it."

Bobax write-up from Symantec:
"Sends shell code to the host on TCP port 445, attempting to exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011 <http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx>) on Windows XP. If it is successful, the code that is executed on the remote computer uses HTTP to force a connection back to the infected computer on a random port. Downloads and executes the worm."


Valdis.Kletnieks () vt edu wrote:

On Mon, 24 May 2004 17:41:34 +0200, Tobias Weisserth <tobias () weisserth de>  said:

I can't understand why it seems so hard to catch samples of worms that
knock at my firewall 24/7.

Just open the corresponding ports and forward them to a vulnerable
machine on a different subnet (DMZ) and let the worms infect a machine
you designated for this purpose.

The only tricky part is catching *only* a Bobax and Kibuv.  I can guarantee
that if you put the shields down low enough to catch something that beats on
the LSASS, you'll catch something.  The question is whether you'll catch a
Bobax before you have to stop and throw a Sasser or other malware off the
system....

It's kind of like trying to catch a chlamydia sample by banging hookers without
a rubber - you'll probably catch it along with other stuff too....
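
Both Symantec write-ups quoted above describe the same shape of traffic from the victim's side: an inbound hit on TCP/445, then shortly afterwards an outbound connection from the victim back to that same peer on an unpredictable port. A static port-based rule cannot catch the second half, but a log correlation can. The following is an added example written for this thread, not code from the list, from Symantec or from any firewall vendor; it runs over a constructed sample log in a hypothetical "timestamp src dst dport proto action" layout and flags a host whose outbound connection to an unusual port goes back to a peer that knocked on its port 445 within the previous few minutes.

```python
"""Flag the 'exploit on 445, then call back to the attacker on a random port'
pattern by correlating firewall log lines (added example; log format and
addresses are constructed for illustration)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: "timestamp src dst dport proto action".
# 10.0.0.5 hits 192.0.2.77:445 and 192.0.2.77 calls back 3 s later on 31337.
# 10.0.0.9 hits 192.0.2.77:445 but the later outbound to it is outside the window.
SAMPLE_LOG = """\
2004-05-24T17:41:00 10.0.0.5 192.0.2.77 445 tcp allow
2004-05-24T17:41:03 192.0.2.77 10.0.0.5 31337 tcp allow
2004-05-24T17:42:10 10.0.0.9 192.0.2.77 445 tcp allow
2004-05-24T17:50:00 192.0.2.77 198.51.100.3 80 tcp allow
2004-05-24T17:55:00 192.0.2.77 10.0.0.9 4444 tcp allow
"""

EXPLOIT_PORT = 445                      # LSASS / SMB port named in the write-ups
CALLBACK_WINDOW = timedelta(minutes=5)  # how long after the 445 hit a callback counts
ORDINARY_PORTS = {25, 53, 80, 443}      # outbound to these is normal client traffic


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, dport, proto, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto, action


def find_callbacks(log_text, window=CALLBACK_WINDOW):
    """Return (victim, peer, callback_port, seconds_after_445_hit) tuples.

    A callback is an outbound TCP connection from `victim` to `peer` on a port
    that is neither 445 nor an ordinary service port, where `peer` connected to
    `victim`:445 no more than `window` earlier.
    """
    # (victim, peer) -> timestamps at which peer connected to victim:445
    inbound_445 = defaultdict(list)
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, dport, proto, _action = parse_line(raw)
        if proto != "tcp":
            continue
        if dport == EXPLOIT_PORT:
            inbound_445[(dst, src)].append(ts)
            continue
        if dport in ORDINARY_PORTS:
            continue
        # src -> dst on an unusual port: did dst knock on src:445 recently?
        for t445 in inbound_445.get((src, dst), ()):
            delta = ts - t445
            if timedelta(0) <= delta <= window:
                hits.append((src, dst, dport, int(delta.total_seconds())))
                break
    return hits


if __name__ == "__main__":
    for victim, peer, port, secs in find_callbacks(SAMPLE_LOG):
        print(f"{victim} called back to {peer}:{port} {secs}s after a 445 hit from it")
```

The correlation key is the address pair, not the port, which is exactly what the random-port download defeats in a plain rule set; the window keeps an ordinary connection to the same peer much later from being counted, as the 10.0.0.9 lines in the sample show.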


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html