Re: Deloder worm has resurfaced. Watch your privacy!

From: Kyle Lai (kyle@kylelai.com)
Date: 03/31/03


From: kyle@kylelai.com (Kyle Lai)
Date: 30 Mar 2003 21:16:06 -0800


"Nick FitzGerald" <nick@virus-l.demon.co.uk> wrote in message news:<3e863279@clear.net.nz>...
> "Kyle Lai" <kyle@kylelai.com> to me:
>
> > CERT advisory, http://www.cert.org/advisories/CA-2003-08.html,
> > mentioned that 140,000 connections on an IRC network, which are the
> > systems infected with Deloder type of worms.
>
> How do you know that they are Deloder-ed systems? CERT claims that the
> 140,000+ network was a GT-bot network and as these IRC-controlled bot-nets
> usually use a specific IRC channel (or group of channels) they presumably
> made that claim because the channel(s) involved were configured in GT-bot
> samples retrieved from some of the affected machines. As GT-bot is not
> normally spread via open or weak-passworded Windows shares, I fail to see
> how CERT's claim of a 140,000+ GT-bot network translates to 140,000+
> possible Deloder infections.
>
Just to clarify, Deloder is a variant of GT Bot. My other analysis
was on a variant of GT Bot as well, the taskmngr.exe/ocxdll.exe
(IRC.BOUNCER), which hit the world badly and caught MS off guard back
in 8/2002. (http://www.klcconsulting.net/mirc_virus_analysis.htm).

I won't say that 140,000 systems are all infected with Deloder, but
many of them are. I can say that the number of infected systems since
CERT advisory definitely went up. No hard number here, but refer to
SANS Internet Storm Center (www.incident.org) and you will see there
are extremely high port 445 (Deloder's target port) activities in the
US and East Asia in the past few weeks. Over 60% of the traffic
reported from East Asia is port 445 traffic, and from my fw log, I
have more evidence that Deloder is resurfacing.

Cheers,
/Kyle

Kyle Lai, CISSP, CISA
http://www.klcconsulting.net
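The post above points to firewall logs as the evidence for a port 445 (Deloder's target port) surge. As an added example, not code from the post or from KLC Consulting, the script below shows the kind of check a defender would run over a denied-connection log: it tallies which sources are sweeping TCP/445 across many hosts and what share of all denied traffic is port 445, the same figure the post quotes from the SANS data. The log lines are constructed and use a simplified, hypothetical format; adapt the regular expression to your own firewall's format.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not real data). The format is a
# hypothetical, simplified one:
#   <timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2003-03-30T21:01:02 DENY TCP 10.0.0.5:1089 -> 192.0.2.10:445
2003-03-30T21:01:03 DENY TCP 10.0.0.5:1090 -> 192.0.2.11:445
2003-03-30T21:01:03 DENY TCP 10.0.0.5:1091 -> 192.0.2.12:445
2003-03-30T21:01:04 DENY TCP 10.0.0.5:1092 -> 192.0.2.13:445
2003-03-30T21:01:05 DENY TCP 10.0.0.5:1093 -> 192.0.2.14:445
2003-03-30T21:01:09 DENY TCP 10.0.0.9:2001 -> 192.0.2.10:80
2003-03-30T21:02:11 DENY TCP 198.51.100.7:3305 -> 192.0.2.10:445
2003-03-30T21:02:12 DENY TCP 198.51.100.7:3306 -> 192.0.2.20:445
2003-03-30T21:03:30 DENY UDP 10.0.0.5:137 -> 192.0.2.255:137
2003-03-30T21:05:00 DENY TCP 10.0.0.5:1099 -> 192.0.2.15:445
"""

# Regex for the hypothetical format above; change this for a real firewall.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) '
    r'(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$'
)

SMB_PORT = 445  # TCP/445: direct-hosted SMB, the port Deloder targets


def parse_lines(text):
    """Parse log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e['sport'] = int(e['sport'])
        e['dport'] = int(e['dport'])
        events.append(e)
    return events


def smb_sweepers(events, min_targets=3):
    """Sources that tried TCP/445 against at least `min_targets` distinct hosts.

    A worm scanning for open or weakly protected shares touches many
    destination hosts from one source; a legitimate client rarely does.
    Returns {src_ip: number_of_distinct_destinations}.
    """
    targets = defaultdict(set)
    for e in events:
        if e['proto'] == 'TCP' and e['dport'] == SMB_PORT:
            targets[e['src']].add(e['dst'])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def port_share(events, port):
    """Fraction of all logged events whose destination port is `port`."""
    if not events:
        return 0.0
    hits = sum(1 for e in events if e['dport'] == port)
    return hits / len(events)


if __name__ == '__main__':
    evs = parse_lines(SAMPLE_LOG)
    print(f"{len(evs)} events, port {SMB_PORT} share: {port_share(evs, SMB_PORT):.0%}")
    for src, n in sorted(smb_sweepers(evs).items(), key=lambda kv: -kv[1]):
        print(f"possible SMB sweeper: {src} hit {n} distinct hosts on TCP/{SMB_PORT}")
```

The distinct-destination count is a better sweep indicator than a raw hit count, since one source retrying a single share looks very different from one source walking an address range; raise `min_targets` to suit the size of your network.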
