[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] RPC DCOM footprints - Symantec sucks?

To: "opticfiber" <opticfiber@topsight.net>, <incidents@securityfocus.com>, <full-disclosure@lists.netsys.com>
Subject: Re: [Full-Disclosure] RPC DCOM footprints - Symantec sucks?
From: "morning_wood" <se_cur_ity@hotmail.com>
Date: Sun, 10 Aug 2003 00:01:54 -0700

----- Original Message ----- 
From: "opticfiber" <opticfiber@topsight.net>
To: <incidents@securityfocus.com>; <full-disclosure@lists.netsys.com>
Sent: Friday, August 08, 2003 12:15 PM
Subject: [Full-Disclosure] Re: Secure.dcom.exe
>I finally got a reply back from symantec regarding the file you posted to
the list,
>see below. Not the only change I made to the file was the extension from
EXE to TXT
> as to prevent accidental execution.

as a response to..

> I did a search for Optix Pro and turned out a site that develops the
> software. From what I can tell it's very similar to software based
> trojans like bo2k, netbus ect...A detailed explanation of the trojan can
> be found at this url
> http://www.esecurityplanet.com/alerts/article.php/2197521

this is not "detailed" ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
rather a joke, are there any real forensics people employed by any AV
vendors?
lol, looks like pada works REAL hard to by looking at
http://www.pandasoftware.com/virus_info/encyclopedia/extended.aspx?idvirus=39542&sel=EXTRA
( theres a file with optix package called "FirewallsAVS.txt" )

a brief review will show:

optix pro server is generaly 896k - ( 383k packed )

upx is the prefered method of packing and running
"upx -d suspectfile.exe" should unpack a server for
string analysis ( bintext by http://www.foundstone.com/ works great for
this )

some unpacked strings:

EES_Encrypt
( a "krew" packer )
CD tray is open!
Blue Screen Complete!
( funny, commands embeded to do this are.. "aux\aux\d.t" and
"con\con\d.t" )
Removing Enhanced Technology...Pls Wait...
s7 special
( start method )

as well as full FTP commands

Simply downloading the R.A.T and viewing the binaries, you should be able
to compare
the strings.

  As a further note on "worms" and the RPC-DCOM threat:
utilising a program such as the type from the KaHT webdav auto-exploiter
would automate this,
looks like they already did it :
http://www.terra.es/personal7/atar2000/kaht2.txt

IMHO a worm is not needed by this exploit as its easy to scan,
hack ( dcom.exe ),
drop ( a real worm (  sdbot ring a bell? ))
when using a autohacker that could easily be set up on zombied (
compromized ) systems to
compromize, hack, drop with imunity.

usefull info:
http://www.giac.org/practical/GCIH/Paul_Mudgett_GCIH.pdf

hope this helps,

Donnie Werner
http://e2-labs.com
http://exploitlabs.com

this could have been more detailed but im too busy doing XSS  ( *wink* )

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] RE: Secure.dcom.exe
  - From: opticfiber <opticfiber@topsight.net>
- [Full-Disclosure] Re: Secure.dcom.exe
  - From: opticfiber <opticfiber@topsight.net>

Prev by Date: Re: [normal] RE: [Full-Disclosure] Re: Secure.dcom.exe
Next by Date: [Full-Disclosure] Cox is blocking port 135
Prev by thread: Re: [normal] RE: [Full-Disclosure] Re: Secure.dcom.exe
Next by thread: [Full-Disclosure] Re: Vulnerability Disclosure Debate
Index(es):
- Date
- Thread