Network Security Incidents

New SDBot variant

Subject: New SDBot variant
Date: Tue, 10 Aug 2004 14:59:58 -0400
All,

We are seeing what may be a new variant of SDBot. This variant spreads by
exploiting the LSASS vulnerability. Once infected, the machine joins an IRC
Bot net via TCP 6667. Some of the infected machines then download an
executable via TFTP. This transfer is initiated over IRC. I have attached
the Bintext output and an md5 for the file. The executable is named
NTAPI32.exe and is downloaded to the system32 directory. The exe is 143.03
kb. I tried Symantec, Trend, F-Secure and Sophos...none could identify it. 

In the IRC logs there are these entries:

PRIVMSG #irc :[lsass]: Exploiting IP: 10.x.x.x.
PRIVMSG #irc :[TFTP]: File transfer started to IP: 10.x.x.x
(C:\WINDOWS\System32\ntapi32.exe)

A quick (and untested :)) signature below:

alert tcp any any -> any any (msg:"LSASS exploit via IRC, possible SDBot variant"; content:":[lsass]: Exploiting IP:"; classtype:misc-activity; sid:1000001; rev:1;)
 
I will post more when I have it.

Regards,

--Chris

--
Christopher Harrington, CISSP
Director of Security Engineering
NitroData Systems, Inc.
603-766-8160, ext. 25
http://www.nitroguard.com

Attachment: NTAPI32.md5
Description: Binary data

Attachment: bintext.txt
Description: Text document
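The two IRC log markers quoted in the post (the first of which is also the content: string of the Snort signature) can be turned into a small log-scanning check for incident responders. This is an added example, not code from the original post or its author; it assumes the lines are plain IRC PRIVMSG traffic as logged, and the sample log below is constructed with made-up RFC1918 addresses.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Literal markers from the IRC entries quoted in the report above.
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
LSASS_RE = re.compile(
    r"PRIVMSG\s+(?P<chan>\S+)\s+:\[lsass\]: Exploiting IP:\s*" + IP + r"\.?\s*$")
TFTP_RE = re.compile(
    r"PRIVMSG\s+(?P<chan>\S+)\s+:\[TFTP\]: File transfer started to IP:\s*"
    + IP + r"\s*(?:\((?P<path>[^)]*)\))?")


@dataclass
class BotEvent:
    kind: str              # "lsass_exploit" or "tftp_transfer"
    channel: str
    target_ip: str
    path: Optional[str] = None   # dropped file path, TFTP events only


def parse_irc_line(line: str) -> Optional[BotEvent]:
    """Return a BotEvent for one IRC log line, or None if it is not a hit."""
    m = LSASS_RE.search(line)
    if m:
        return BotEvent("lsass_exploit", m["chan"], m["ip"])
    m = TFTP_RE.search(line)
    if m:
        return BotEvent("tftp_transfer", m["chan"], m["ip"], m["path"])
    return None


def scan_log(lines: Iterable[str]) -> List[BotEvent]:
    """Scan raw log lines and keep only the bot activity markers."""
    return [e for e in (parse_irc_line(l) for l in lines) if e is not None]


def hosts_that_received_dropper(events: List[BotEvent], name: str = "ntapi32.exe") -> List[str]:
    """IPs that were exploited AND then had the named file pushed over TFTP.

    These are the hosts most likely to be fully infected and worth imaging first."""
    exploited = {e.target_ip for e in events if e.kind == "lsass_exploit"}
    return sorted({e.target_ip for e in events
                   if e.kind == "tftp_transfer" and e.target_ip in exploited
                   and e.path and e.path.lower().endswith(name)})


# Constructed sample log: the report's two entries plus noise, made-up addresses.
SAMPLE_LOG = [
    ":bot!u@h PRIVMSG #irc :[lsass]: Exploiting IP: 10.0.0.5.",
    ":bot!u@h PRIVMSG #irc :[TFTP]: File transfer started to IP: 10.0.0.5 (C:\\WINDOWS\\System32\\ntapi32.exe)",
    ":bot!u@h PRIVMSG #irc :[lsass]: Exploiting IP: 10.0.0.9.",
    ":alice!u@h PRIVMSG #irc :anyone tried the new patch yet?",
]
```

Feeding captured IRC traffic through scan_log and hosts_that_received_dropper gives a prioritised list of internal hosts to isolate, rather than just a single Snort alert per exploit attempt.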
