Security Incidents mailing list archives

Re: cuebot-d infection method


From: matt <matt () learnsecurityonline com>
Date: Fri, 26 Aug 2005 16:20:20 +0100

Jeff Bryner wrote:

I've seen a couple cuebot-d infections over the last couple days and am
trying to track down the source of them. Has anyone seen enough of this
to know the universe of ways the pc gets initially infected?

The PCs that have gotten infected have McAfee running on them, which
incorrectly picks it up as W32/Sdbot.worm.gen.by when a scan is
requested. It didn't seem to pick it up *until* a scan was requested.

The writeup at http://www.sophos.com/virusinfo/analyses/w32cuebotd.html
fits the scenario, but it doesn't say exactly what the initial
infection vector is.

Thanks for any help.
Jeff
CISSP, GCIH, GCFA

Sdbot has many infection vectors and is easy to modify. Usually, as soon as a new MS bug is discovered, somebody mods it into Sdbot or one of these variants. I have seen an Sdbot using about 20 different infection methods, from lsass and ntpass/share cracking to the new win2k bug.

Regards

Matt
Learn Security Online, Inc.

* Security Games           * Simulators
* Challenge Servers       * Courses
* Hacking Competitions  * Hacklab Access

http://www.learnsecurityonline.com
