On Sun, 13 Oct 2002, Mikael Olsson wrote:

> > know- I don't run Windows, so I haven't played with doing NetBIOS stuff
> > and don't know what the normal programming sequence is for enumerating
> > shares, and as we don't let customers expose NetBIOS ports at all, this
> > was never high on my list of things to worry about.
>
> I've personally never seen share enumeration being done over port 137.
> I have only seen it done over 139, and I guess it can be done over
> port 445 as well.

By "sequence" I meant "Do name lookup, then go enumerate shares." Depending on what the worm is written with, there could be a "go_check_for_shares()" that does a name lookup then enumerates the shares- sequence being a series of events, not a method.

Sometimes the sequence of events can lead to clues about the author- and sometimes their toolset restricts how they perform certain functions (the last Windows malcode I had my hands on, for instance, was written in Delphi- and I *know* from making feature requests and dealing with systems that can't talk SMTP right that most Delphi authors use components that they have no control over- those may have a particular sequence of events, or all the common examples of "how to do $foo" may use a particular sequence, such as "get computer name from IP address" then "go look for open shares.")

I simply don't know enough about Windows programming to know if doing the name lookup gains something, or is normal, or rather is an artifact of a particular toolset (we have folks who track Windows malcode; I'm not one.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."
probertsonat_private   Director of Risk Assessment
                       TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
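As an added example (not from this thread or its authors), a small Python correlator that looks for the event sequence Paul describes in constructed firewall log lines: a NetBIOS name query (UDP/137) to a host followed shortly by an SMB connection (TCP/139 or TCP/445) to the same host from the same source. The "timestamp src dst proto dport" log format and the sample lines are assumptions for the demo.

```python
import re
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the original thread). Format is
# an assumed generic "timestamp src dst proto dport" layout.
SAMPLE_LOG = """\
2002-10-13T06:00:01 10.0.0.5 192.168.1.20 UDP 137
2002-10-13T06:00:02 10.0.0.5 192.168.1.20 TCP 139
2002-10-13T06:00:03 10.0.0.5 192.168.1.21 UDP 137
2002-10-13T06:00:04 10.0.0.5 192.168.1.21 TCP 445
2002-10-13T06:00:10 10.0.0.9 192.168.1.30 TCP 139
2002-10-13T06:00:20 10.0.0.7 192.168.1.40 UDP 137
2002-10-13T06:02:30 10.0.0.7 192.168.1.40 TCP 139
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>UDP|TCP) (?P<dport>\d+)$"
)

def parse(log_text):
    """Yield (timestamp, src, dst, proto, dport) tuples from the log text."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything not in the assumed format
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
               m["proto"], int(m["dport"]))

def lookup_then_share(log_text, window_seconds=60):
    """Return sorted (src, dst) pairs where a NetBIOS name query (UDP/137)
    was followed within the window by TCP/139 or TCP/445 to the same host
    from the same source. The sequence is the signal: a lone name query or
    a lone SMB connection is not flagged."""
    window = timedelta(seconds=window_seconds)
    last_query = {}  # (src, dst) -> time of the most recent UDP/137
    hits = set()
    for ts, src, dst, proto, dport in sorted(parse(log_text)):
        key = (src, dst)
        if proto == "UDP" and dport == 137:
            last_query[key] = ts
        elif proto == "TCP" and dport in (139, 445):
            t0 = last_query.get(key)
            if t0 is not None and timedelta(0) <= ts - t0 <= window:
                hits.add(key)
    return sorted(hits)

if __name__ == "__main__":
    print(lookup_then_share(SAMPLE_LOG))
```

With the default 60-second window, 10.0.0.9 (SMB connection with no preceding name query) and 10.0.0.7 (name query 130 seconds before the connection) are not flagged; widening the window to 300 seconds picks up 10.0.0.7 as well.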
This archive was generated by hypermail 2b30 : Sun Oct 13 2002 - 06:12:19 PDT