Re: Deloder worm has resurfaced. Watch your privacy!
From: Kyle Lai (kyle@kylelai.com)
Date: 03/31/03
- In reply to: Nick FitzGerald: "Re: Deloder worm has resurfaced. Watch your privacy!"
From: kyle@kylelai.com (Kyle Lai) Date: 30 Mar 2003 21:16:06 -0800
"Nick FitzGerald" <nick@virus-l.demon.co.uk> wrote in message news:<3e863279@clear.net.nz>...
> "Kyle Lai" <kyle@kylelai.com> to me:
>
> > CERT advisory, http://www.cert.org/advisories/CA-2003-08.html,
> > mentioned that 140,000 connections on an IRC network, which are the
> > systems infected with Deloder type of worms.
>
> How do you know that they are Deloder-ed systems? CERT claims that the
> 140,000+ network was a GT-bot network and as these IRC-controlled bot-nets
> usually use a specific IRC channel (or group of channels) they presumably
> made that claim because the channel(s) involved were configured in GT-bot
> samples retrieved from some of the affected machines. As GT-bot is not
> normally spread via open or weak-passworded Windows shares, I fail to see
> how CERT's claim of a 140,000+ GT-bot network translates to 140,000+
> possible Deloder infections.
>
Just to clarify, Deloder is a variant of GT Bot. My other analysis
was on a variant of GT Bot as well, the taskmngr.exe/ocxdll.exe
(IRC.BOUNCER), which hit the world badly and caught MS off guard back
in 8/2002. (http://www.klcconsulting.net/mirc_virus_analysis.htm).
I won't say that 140,000 systems are all infected with Deloder, but
many of them are. I can say that the number of infected systems since
the CERT advisory definitely went up. No hard number here, but refer to
SANS Internet Storm Center (www.incident.org) and you will see there
are extremely high port 445 (Deloder's target port) activities in the
US and East Asia in the past few weeks. Over 60% of the traffic
reported from East Asia is port 445 traffic, and from my fw log, I
have more evidence that Deloder is resurfacing.
Cheers,
/Kyle
Kyle Lai, CISSP, CISA
http://www.klcconsulting.net
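As an added illustration, not part of the post above, this is the kind of check Kyle describes doing against a firewall log: measure the share of inbound drops aimed at TCP/445 and list sources that touch many distinct hosts on that port (worm-style scanning rather than a single stray connection). The log format, addresses and thresholds are constructed assumptions, not Kyle's actual log.

```python
import re
from collections import defaultdict

# Constructed iptables-style drop lines (RFC 5737 test addresses); not real traffic.
SAMPLE_LOG = """\
Mar 30 21:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=1034 DPT=445
Mar 30 21:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.6 PROTO=TCP SPT=1035 DPT=445
Mar 30 21:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP SPT=1036 DPT=445
Mar 30 21:01:04 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.8 PROTO=TCP SPT=1037 DPT=445
Mar 30 21:02:10 fw kernel: DROP IN=eth0 SRC=203.0.113.20 DST=198.51.100.5 PROTO=TCP SPT=2201 DPT=445
Mar 30 21:02:11 fw kernel: DROP IN=eth0 SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP SPT=3001 DPT=80
Mar 30 21:02:12 fw kernel: DROP IN=eth0 SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP SPT=3002 DPT=443
Mar 30 21:02:13 fw kernel: DROP IN=eth0 SRC=192.0.2.8 DST=198.51.100.5 PROTO=TCP SPT=4001 DPT=22
"""

# Pull source, destination, protocol and destination port out of one log line.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse(log):
    """Yield (src, dst, proto, dport) for every line that matches the drop format."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def port_share(log, port=445):
    """Fraction of dropped connections whose destination port is `port` (0.0 if no lines)."""
    total = hits = 0
    for _, _, _, dpt in parse(log):
        total += 1
        hits += dpt == port
    return hits / total if total else 0.0


def scanners(log, port=445, min_targets=3):
    """Sources that hit at least `min_targets` distinct hosts on `port`: {src: target_count}."""
    targets = defaultdict(set)
    for src, dst, _, dpt in parse(log):
        if dpt == port:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    print(f"TCP/445 share of drops: {port_share(SAMPLE_LOG):.0%}")
    print("likely 445 scanners:", scanners(SAMPLE_LOG))
```

On the constructed sample, 5 of 8 drops target 445 (62.5%) and only 203.0.113.10 spreads across several hosts; a single source hitting one host on 445 is not flagged.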