RE: Remote Shell Trojan: Threat, Origin and the Solution

From: Jonathan Rickman (jonathanat_private)
Date: Mon Sep 10 2001 - 13:46:41 PDT

Next message: Russell Fulton: "Contact for McDonnell Douglas Corporation (NET-MDC-NET)"

Previous message: Matt Block: "RE: Remote Shell Trojan: Threat, Origin and the Solution"
In reply to: Matt Block: "RE: Remote Shell Trojan: Threat, Origin and the Solution"
Next in thread: Kevin Gagel: "Re: Remote Shell Trojan: Threat, Origin and the Solution"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 10 Sep 2001, Matt Block wrote:

>  It compiles the executable (using a potentially
>  compromized gcc, ld, etc.) and copies it (using a potentially
>  compromized cp)

I think this needs to be emphasized...just in case anyone missed it.

"using a potentially compromised gcc, ld, etc."

"using a potentially compromised cp"

And, unless I'm mistaken, the resulting executable will then proceed
to re-infect everything after cleaning it first. Social engineering,
or major oversight???

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Russell Fulton: "Contact for McDonnell Douglas Corporation (NET-MDC-NET)"
Previous message: Matt Block: "RE: Remote Shell Trojan: Threat, Origin and the Solution"
In reply to: Matt Block: "RE: Remote Shell Trojan: Threat, Origin and the Solution"
Next in thread: Kevin Gagel: "Re: Remote Shell Trojan: Threat, Origin and the Solution"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 14:28:07 PDT