Re: [Full-Disclosure] RPC DCOM footprints - Symantec sucks?

From: morning_wood (se_cur_ityat_private)
Date: Sun Aug 10 2003 - 00:01:54 PDT


    ----- Original Message ----- 
    From: "opticfiber" <opticfiberat_private>
    To: <incidentsat_private>; <full-disclosureat_private>
    Sent: Friday, August 08, 2003 12:15 PM
    Subject: [Full-Disclosure] Re: Secure.dcom.exe
    > I finally got a reply back from symantec regarding the file you posted to
    > the list, see below. Note the only change I made to the file was the
    > extension from EXE to TXT, so as to prevent accidental execution.
    
    as a response to..
    
    > I did a search for Optix Pro and turned out a site that develops the
    > software. From what I can tell it's very similar to software based
    > trojans like bo2k, netbus ect...A detailed explanation of the trojan can
    > be found at this url
    > http://www.esecurityplanet.com/alerts/article.php/2197521
    
    this is not "detailed" ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    rather a joke. Are there any real forensics people employed by any AV
    vendors?
    lol, looks like Panda works REAL hard too, judging by
    http://www.pandasoftware.com/virus_info/encyclopedia/extended.aspx?idvirus=39542&sel=EXTRA
    ( there's a file with the optix package called "FirewallsAVS.txt" )
    
    
    a brief review will show:
    
    optix pro server is generally 896k - ( 383k packed )
    
    upx is the preferred method of packing and running
    "upx -d suspectfile.exe" should unpack a server for
    string analysis ( bintext by http://www.foundstone.com/ works great for
    this )
    
    some unpacked strings:
    
    EES_Encrypt
    ( a "krew" packer )
    CD tray is open!
    Blue Screen Complete!
    ( funny, commands embedded to do this are.. "aux\aux\d.t" and
    "con\con\d.t" )
    Removing Enhanced Technology...Pls Wait...
    s7 special
    ( start method )
    
    as well as full FTP commands
    
    Simply downloading the R.A.T and viewing the binaries, you should be able
    to compare the strings.
    
      As a further note on "worms" and the RPC-DCOM threat:
    utilising a program such as the type from the KaHT webdav auto-exploiter
    would automate this,
    looks like they already did it :
    http://www.terra.es/personal7/atar2000/kaht2.txt
    
    IMHO a worm is not needed by this exploit as it's easy to scan,
    hack ( dcom.exe ),
    drop ( a real worm ( sdbot ring a bell? ))
    when using an autohacker that could easily be set up on zombied (
    compromised ) systems to
    compromise, hack, drop with immunity.
    
    useful info:
    http://www.giac.org/practical/GCIH/Paul_Mudgett_GCIH.pdf
    
    
    hope this helps,
    
    Donnie Werner
    http://e2-labs.com
    http://exploitlabs.com
    
    this could have been more detailed but I'm too busy doing XSS  ( *wink* )
    
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
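The triage procedure the post sketches (check for UPX, "upx -d" the sample, pull printable strings, compare against the known Optix Pro strings and the rough 896k / 383k sizes) as a small script. This is an added example written for this archive page, not code from the poster or from any AV vendor; the indicator strings and sizes are the ones quoted in the post, while the size tolerance, the "three hits" threshold and the SAMPLE bytes are assumptions constructed for illustration.

```python
"""Triage a suspected Optix Pro server: UPX check, optional unpack, string match."""
import os
import re
import shutil
import subprocess
import tempfile

# Strings the post lists from an unpacked Optix Pro server (lookup table
# built from the post, not a vendor signature).
OPTIX_INDICATORS = [
    b"EES_Encrypt",
    b"CD tray is open!",
    b"Blue Screen Complete!",
    b"Removing Enhanced Technology...Pls Wait...",
    b"s7 special",
    b"aux\\aux\\d.t",
    b"con\\con\\d.t",
]

# Sizes from the post; the 15% tolerance is an assumption for illustration.
PACKED_SIZE = 383 * 1024
UNPACKED_SIZE = 896 * 1024
SIZE_TOLERANCE = 0.15
MIN_HITS = 3  # assumed threshold for a "likely" verdict


def is_upx_packed(data):
    """UPX leaves 'UPX0'/'UPX1' section names and a 'UPX!' marker in the stub."""
    return b"UPX!" in data or (b"UPX0" in data and b"UPX1" in data)


def upx_unpack(path):
    """Equivalent of 'upx -d suspectfile.exe': unpack into a temp file if the
    upx binary is on PATH, otherwise return the original path unchanged."""
    if shutil.which("upx") is None:
        return path
    out = os.path.join(tempfile.mkdtemp(), "unpacked.bin")
    res = subprocess.run(["upx", "-d", "-o", out, path], capture_output=True)
    return out if res.returncode == 0 and os.path.exists(out) else path


def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like bintext/strings."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def match_indicators(strings):
    """Indicators that occur as a substring of at least one extracted string."""
    return [ind for ind in OPTIX_INDICATORS if any(ind in s for s in strings)]


def size_class(nbytes):
    """'packed' / 'unpacked' if within tolerance of the sizes in the post."""
    for label, ref in (("packed", PACKED_SIZE), ("unpacked", UNPACKED_SIZE)):
        if abs(nbytes - ref) <= ref * SIZE_TOLERANCE:
            return label
    return "unknown"


def triage(data):
    """Run the checks over raw file bytes and return a summary dict."""
    hits = match_indicators(extract_strings(data))
    return {
        "size_class": size_class(len(data)),
        "upx": is_upx_packed(data),
        "indicators": hits,
        "verdict": "likely Optix Pro server" if len(hits) >= MIN_HITS else "inconclusive",
    }


def triage_file(path):
    """Unpack first if the file looks UPX-packed, then triage the result."""
    with open(path, "rb") as f:
        data = f.read()
    if is_upx_packed(data):
        with open(upx_unpack(path), "rb") as f:
            data = f.read()
    return triage(data)


# Constructed sample: a fake, tiny "unpacked" image carrying five of the
# strings above, separated by NUL bytes as they would be in a real binary.
SAMPLE = (
    b"MZ" + b"\x00" * 64
    + b"EES_Encrypt\x00CD tray is open!\x00Blue Screen Complete!\x00"
    + b"s7 special\x00aux\\aux\\d.t\x00" + b"\x00" * 32
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Real samples will differ in size and strings from build to build of the server, so treat the size classes as a hint and the string hits as the actual evidence; run triage_file() on the suspect file, and on the upx -d output if the first pass reports upx=True.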
    



    This archive was generated by hypermail 2b30 : Sun Aug 10 2003 - 00:33:02 PDT