There was some discussion on Incidents last month about hidden Wingate proxy servers being installed on systems without the owner's knowledge, listening on non-standard ports. I have since done some research on these and have discovered they are being installed by the Sobig.a (BigBoss) virus. This is something the AV companies missed in every analysis I have read. This is unfortunate because these proxies are being used in a big way by spammers. I have written an analysis of the method of infection from beginning to end: http://www.lurhq.com/sobig.html

-Joe

--
Joe Stewart, GCIH
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/

This archive was generated by hypermail 2b30 : Mon Apr 21 2003 - 14:25:06 PDT