Re: cuebot-d infection method
From: matt (matt_at_learnsecurityonline.com)
Date: 08/26/05
- Previous message: Harlan Carvey: "Re: cuebot-d infection method"
- In reply to: Jeff Bryner: "cuebot-d infection method"
- Next in thread: Simon Borduas: "Re: cuebot-d infection method"
- Reply: Simon Borduas: "Re: cuebot-d infection method"
Date: Fri, 26 Aug 2005 16:20:20 +0100
To: jeff@jeffbryner.com, incidents@securityfocus.com
Jeff Bryner wrote:
>I've seen a couple cuebot-d infections over the last couple days and am
>trying to track down the source of them. Has anyone seen enough of this
>to know the universe of ways the PC gets initially infected?
>
>The PCs that have gotten infected have McAfee running on them which
>incorrectly picks it up as W32/Sdbot.worm.gen.by when a scan is
>requested. It didn't seem to pick it up *until* a scan was requested.
>
>The writeup at http://www.sophos.com/virusinfo/analyses/w32cuebotd.html
>fits the scenario, but it doesn't say exactly what the initial
>infection vector is.
>
>Thanks for any help.
>
>Jeff
>CISSP, GCIH, GCFA
>
>
Sdbot has many infection vectors and is easy to modify. Usually as soon
as a new MS bug is discovered somebody mods it into sdbot or one of these
variants. I have seen an sdbot using about 20 different infection
methods from lsass, ntpass/share cracking to the new win2k bug.
Regards
Matt
Learn Security Online, Inc.
* Security Games * Simulators
* Challenge Servers * Courses
* Hacking Competitions * Hacklab Access
http://www.learnsecurityonline.com