North American Network Operators Group


Re: Fwd: [cfgeeks] TOOLS FOR VANDALS

  • From: Chris Brenton
  • Date: Sat Feb 26 07:29:44 2000

Shawn McMahon wrote:
> 
> It is not only possible to launch an attack like this from home user's PCs,
> "rewted" by amateurs, but it looks like a part of this was indeed done that
> way.

This was run past us at GIAC a few weeks back. AFAIK, these are the
"facts" that are known so far:

- This has only been found at one site in the wild (James Madison University)
- All systems are Windows 95 and 98
- There have been 16 confirmed infections, with a potential for 149 total (port scanned but not yet checked)
- All systems checked so far are running BackOrifice
- It is assumed that BO was used to load & config the DoS tool
- The method of infection with BO is unknown, but is guessed to be an e-mail attachment
- All infected systems had no/outdated virus checking software (thus nothing caught BO)
- The DoS tool is named "service.exe" and is 23145 bytes in length
- It is launched via HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- The DoS tool listens on udp port 34555

Simple Nomad is about to make a post to Bugtraq that contains a complete
analysis of the tool including detection using netcat, how to clean,
password used, etc. Rather than steal his thunder I'll refer people
there for more info.

So while it's possible to use cable & DSL Windows systems for this
attack, no one has found one as of yet.

> This mess is gonna suck to clean up.  Thanks, Microsoft, for all your
> help.  Too bad you were helping the wrong effing side...

Hummm. Not about to go down the "MS vs. Unix" road except to say it
happened on Linux & Solaris first. It's already a mess that sucks to
clean up. ;)

Cheers,
Chris
-- 
**************************************
[email protected]

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
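As an added, defender-side example (not code from the post, from GIAC, or from the Bugtraq analysis it mentions): a small Python script that checks the three host-level indicators listed above, the Run key entry, the file name and size, and the UDP listener, against artifacts collected from a suspect machine. The artifact formats (a regedit .reg export, `netstat -an` output, and a path-to-size mapping) and the sample contents are constructed assumptions; the indicator values are the ones given in the message.

```python
import re

# Indicators as reported in the post (the only values the page gives).
IOC_FILE_NAME = "service.exe"
IOC_FILE_SIZE = 23145
IOC_UDP_PORT = 34555
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample artifacts (hypothetical; not captured from a real host).
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"service"="C:\\WINDOWS\\SYSTEM\\service.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
'''

SAMPLE_NETSTAT = '''Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:34555          *:*
'''

# Constructed path -> size mapping, as a file-system walk would produce it.
SAMPLE_FILES = {
    r"C:\WINDOWS\SYSTEM\service.exe": 23145,
    r"C:\WINDOWS\scanregw.exe": 35000,
}


def parse_reg_export(text):
    """Parse a regedit export into {key: {value_name: string_data}}.

    Only REG_SZ values of the form "name"="data" are kept; .reg files
    escape backslashes as \\\\, which is undone here.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                name, data = m.groups()
                result[current][name] = data.replace("\\\\", "\\")
    return result


def run_entries_matching(reg, name=IOC_FILE_NAME):
    """Return (value_name, command) pairs under the Run key that reference name."""
    hits = []
    for key, values in reg.items():
        if key.lower() == RUN_KEY.lower():
            for vname, cmd in values.items():
                if name.lower() in cmd.lower():
                    hits.append((vname, cmd))
    return hits


def udp_listeners(netstat_text):
    """Return the set of local UDP ports from 'netstat -an' style output."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "UDP":
            port = parts[1].rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports


def files_matching(files, name=IOC_FILE_NAME, size=IOC_FILE_SIZE):
    """Return paths whose base name and size both match the indicator."""
    return [
        path for path, length in files.items()
        if path.lower().rsplit("\\", 1)[-1] == name and length == size
    ]


def assess(reg_text, netstat_text, files):
    """Run all three checks; returns a list of (indicator, detail) tuples."""
    findings = []
    for vname, cmd in run_entries_matching(parse_reg_export(reg_text)):
        findings.append(("run_key", f"{vname} = {cmd}"))
    if IOC_UDP_PORT in udp_listeners(netstat_text):
        findings.append(("udp_port", str(IOC_UDP_PORT)))
    for path in files_matching(files):
        findings.append(("file", path))
    return findings


if __name__ == "__main__":
    for indicator, detail in assess(SAMPLE_REG_EXPORT, SAMPLE_NETSTAT, SAMPLE_FILES):
        print(f"{indicator}: {detail}")
```

Each check is independent on purpose: a Run key entry without the file on disk, or the listener without the Run entry, is still worth a look, and the size check guards against a false hit on some unrelated program that happens to share the common name "service.exe".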