
Re: [ISSForum] Events that zotob triggers?

Subject: Re: [ISSForum] Events that zotob triggers?
Date: Wed, 17 Aug 2005 10:08:56 +0400
Hi.
Let's look at its description (see the whole article on Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.a.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.e.html

... Attempts to open a back door through Port 8080 by connecting to the
following IP address:
72.20.27.115
TODO: create a connection event for this.

... Connects to an IRC server on the domain
[http://]diabl0.turkcoders.net/[REMOVED] on TCP port 8080. This allows
unauthorized remote access to the compromised computer.
TODO: 1. Create a connection event for diabl0.turkcoders.net 8080/tcp. If
you get lucky resolving this name, please let me know, because right
now I don't know what address is associated with diabl0.turkcoders.net.
2. Monitor all IRC traffic. I'm not sure (please, someone from ISS, let
us know about this) whether the sensor will detect IRC traffic if it is
flowing through non-IRC ports, in this case 8080.

... Opens an FTP server on TCP port 33333.
TODO: create an appropriate connection event. Use nmap to see if there are
workstations with this port open in your LAN.

... Generates a random IP address from the current IP address. The worm
does this by keeping the first two octets of the IP address on the
system and randomizing the last two octets. For example, if the IP address
of the system is 192.168.0.1, the worm will attempt to infect IP
addresses beginning with 192.168.x.x.
...Sends packets to IP addresses generated at random based on the IP
address of the infected machine. The IP addresses use the first 2 octets
of the compromised computer, and randomly generated values for the third
and fourth octets. It will switch to entirely random IPs, after 32
failures on local IPs or after 512 failures, if it was successful at
least once.
TODO: In this case you'll see a great number of these events:
*_Port_Scan, *_Probe_*, *_Service_Sweep, Ping_Sweep, so you should
monitor these events and pay attention to hosts that generate a lot of
them.

... Attempts to spread by exploiting the following remote vulnerability:
The Microsoft Windows Plug and Play Buffer Overflow Vulnerability
(described in Microsoft Security Bulletin MS05-039), using TCP port 445.
TODO: In this case you'll see SMB_Service_Sweep and PlugAndPlay_BO.
Monitor these signatures.

... Attempts to spread to computers with the above random IP address by
opening a backdoor using TCP port 8888 on the remote computer.
TODO: create a connection event on this port. Use nmap (because I think
it's the fastest way) to see if there are workstations with 8888/tcp
open in your LAN.

Please correct me if I'm wrong somewhere.

ANY feedback will be appreciated.

Thank you.
---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 
tel +7 095 777 77 07 (1613) 
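The indicators listed in the message above (outbound 8080/tcp to the published C2 address or IRC domain, listeners on 33333/tcp and 8888/tcp, and 445/tcp sweeps that stay inside the infected host's own /16) can be turned into a small detector that runs over a connection log. The following is an added example, not code from the thread, from ISS, or from any sensor product: the log line format, the sample log lines and the sweep threshold `SWEEP_THRESHOLD` are constructed for illustration, and the function names `parse_line`, `same_slash16` and `analyse` are this example's own.

```python
"""Added example: flag hosts whose connection-log behaviour matches the Zotob
indicators quoted from the Symantec write-up (C2 on 8080/tcp, listeners on
33333/tcp and 8888/tcp, 445/tcp sweeps across the host's own /16).

The log line format and the sweep threshold are constructed for this example;
they are not an ISS sensor format or product setting."""
import ipaddress
import re
from collections import defaultdict

# Indicators taken from the write-up quoted in the message
C2_IP = "72.20.27.115"
C2_DOMAIN = "diabl0.turkcoders.net"
C2_PORT = 8080
BACKDOOR_PORTS = {33333, 8888}      # FTP server / backdoor opened on infected hosts
EXPLOIT_PORT = 445                  # MS05-039 Plug and Play overflow over SMB
SWEEP_THRESHOLD = 20                # hypothetical: distinct 445/tcp targets before we call it a sweep

# Constructed log format: "<timestamp> <src> -> <dst>:<port> <ACCEPT|REJECT>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (ACCEPT|REJECT)$")

# Constructed sample log: one host sweeping 25 neighbours in its /16 on 445,
# phoning home on 8080, and accepting a connection on its 33333 listener,
# plus one benign web connection and one malformed line.
SAMPLE_LOG = [
    f"2005-08-16T10:00:{i:02d} 192.168.5.20 -> 192.168.{i}.{i + 1}:445 REJECT"
    for i in range(25)
] + [
    "2005-08-16T10:01:00 192.168.5.20 -> 72.20.27.115:8080 ACCEPT",
    "2005-08-16T10:01:05 192.168.5.20 -> diabl0.turkcoders.net:8080 ACCEPT",
    "2005-08-16T10:02:00 10.0.0.7 -> 192.168.5.20:33333 ACCEPT",
    "2005-08-16T10:02:30 10.0.0.9 -> 192.168.5.1:80 ACCEPT",
    "this line is malformed and is skipped",
]


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, status = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "status": status}


def same_slash16(a, b):
    """True when both are IPv4 addresses sharing their first two octets
    (the prefix the worm keeps while randomising the last two)."""
    try:
        return ipaddress.ip_address(a).packed[:2] == ipaddress.ip_address(b).packed[:2]
    except ValueError:          # hostnames such as the IRC domain are not addresses
        return False


def analyse(lines, sweep_threshold=SWEEP_THRESHOLD):
    """Map each suspicious host to the list of indicators it matched."""
    findings = defaultdict(list)
    smb_targets = defaultdict(set)      # src -> distinct hosts it touched on 445/tcp
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port = rec["src"], rec["dst"], rec["port"]
        # Outbound to the published C2 endpoint: attribute to the source host
        if port == C2_PORT and dst in (C2_IP, C2_DOMAIN):
            findings[src].append(f"outbound to {dst}:{port} (IRC/backdoor C2)")
        # Something answered on a worm listener port: attribute to the destination host
        if port in BACKDOOR_PORTS and rec["status"] == "ACCEPT":
            findings[dst].append(f"accepted connection on {port}/tcp (worm listener)")
        if port == EXPLOIT_PORT:
            smb_targets[src].add(dst)
    for src, targets in smb_targets.items():
        if len(targets) >= sweep_threshold:
            local = sum(1 for t in targets if same_slash16(src, t))
            findings[src].append(
                f"445/tcp sweep: {len(targets)} targets, {local} in own /16")
    return dict(findings)


if __name__ == "__main__":
    for host, hits in analyse(SAMPLE_LOG).items():
        print(host)
        for hit in hits:
            print("   ", hit)
```

The sweep rule counts distinct 445/tcp targets rather than raw packets, which is what separates a scanning host from a file server that legitimately talks SMB to a few peers, and it reports how many of those targets fall in the scanner's own /16 because that is the pattern the write-up describes for the first phase of propagation. The listener rule attributes the hit to the destination host, since the host answering on 33333/tcp or 8888/tcp is the one that is infected, not the peer connecting to it.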

-----Original Message-----
From: issforum-bounces@iss.net 
[mailto:issforum-bounces@iss.net] On Behalf Of Lawrence, Gabriel
Sent: Monday, August 15, 2005 7:13 PM
To: ISSForum@iss.net
Subject: [ISSForum] Events that zotob triggers?

Howdy,

I'm wondering if anyone out there has figured out the set of 
events that are fired when a machine infected with either of 
the zotob variants attempts to attack a machine with server 
sensor and a machine with proventia desktop on them.

Thanks,
-gabe

------------------------------------
Gabriel Lawrence
ACT Data Security Manager, UC San Diego


_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet 
Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.

