From: Randy

That was just too cool.

It's an iPhone Thang! Was learning cursive necessary?

On Mar 27, 2012, at 6:00 AM, full-disclosure-requ...@lists.grok.org.uk wrote:

> ------------------------------
>
> Message: 2
> Date: Tue, 27 Mar 2012 03:19:22 +0000
> From: lawabidingciti...@mac.hush.com
> Subject: [Full-disclosure] Please do not take down the Sality botnet
> To: full-disclosure@lists.grok.org.uk
> Message-ID: <20120327031923.20b3fe6...@smtp.hushmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi all,
>
> I've spent some time over the last few days getting to know the Sality
> botnet, which is estimated to have at least one million peers. It was
> ranked by Symantec as the number one malicious code family in 2010 by
> number of endpoint detections, and has been used to push spam, steal
> passwords, crack SIP accounts, and various other nasty things.
>
> It has come to my attention that it is not only possible but easy to
> seize control of version three of the botnet, and, more importantly,
> take it down. Sadly, doing so would require breaking the law. For this
> reason, I have to request that nobody perform the steps I am about to
> describe. You can find all the files mentioned below in this archive
> (password: sality):
> http://www7.zippyshare.com/d/65744138/9360/byesality.zip
>
> Firstly, you should *not* use SQL injection to exploit this site:
> http://www.capesolution.com/login/login.aspx . Furthermore, you should
> *not* upload an encrypted version of the AVG Sality removal utility to
> /images/logo/logof.jpeg . Finally, you should *under no circumstance*
> laugh maniacally as you watch a sizable botnet disintegrate before
> your eyes.
>
> Although it shouldn't matter to anyone, this URL won't stay active for
> long. When the authors of Sality remove this particular URL, or if
> that SQL injection turns out to be difficult to leverage, you should
> definitely *not* try to replace one of these files:
> http://yaylaozu.com/images/logo.gif,
> http://destekegitim.com/images/logo.gif,
> http://dav14gurgaon.org/images/logo.gif,
> http://dersrehberi.com/images/logo.gif,
> http://cisse.com.tr/images/logo.gif,
> http://cbe.com.vn/images/logo.gif. You should also *never* use the
> provided Python script to get an updated list of targets from the P2P
> network.
>
> Obviously this could be misused by unscrupulous individuals. For this
> reason, I am not providing details on how to create a properly
> encrypted executable, although I imagine some either already know or
> will quickly figure it out. The payload is not malicious, but you
> don't have to take my word for it. One can check it out in a VM via
> the provided Sality sample by simply using fakedns and thttpd to serve
> up the file to the virus, or by running/unpacking the provided
> original.
>
> Thanks for taking the time to read this. I might release more notes on
> various other pieces of Sality fun if and when the botnet is shut
> down, but alas, this day may never come. It is unfortunate that I am
> unable to do so now due to these legal issues, but, as I'm sure you
> all know, it is more important to respect the law than to fix
> anything.
>
> Sincerely,
> A Law Abiding Citizen
>
> ------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
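The quoted post says the payload can be checked in an isolated VM by pointing the sample at a local web server with fakedns and thttpd. The following is an added example, not code from the post and not the fakedns tool itself: a minimal UDP responder that parses each incoming DNS query and answers every A/IN question with the analysis host's address, so whatever hostname the sample resolves lands on the local thttpd instance. The sinkhole address 10.0.0.1 and the listening port are assumptions; non-A queries get an empty, well-formed answer rather than a fabricated record, and malformed packets are dropped.

```python
"""Minimal fake DNS responder for a malware-analysis VM (added example).

Every A/IN query is answered with SINKHOLE_IP (assumed 10.0.0.1, the host
that serves the replacement file over HTTP). Other query types get an
empty NOERROR response so the sample does not see a resolution failure.
"""
import socket
import struct

SINKHOLE_IP = "10.0.0.1"   # assumption: address of the VM host running thttpd
QR_RESPONSE = 0x8000       # header flag bit: this packet is a response
FLAGS_REPLY = 0x8180       # QR=1, RD=1, RA=1, RCODE=0
PTR_TO_QNAME = 0xC00C      # compression pointer to the QNAME at offset 12


def parse_query(packet: bytes):
    """Return (txid, qname, qtype, qclass, raw_question) for a single-question query.

    Raises ValueError for anything that is not a clean one-question query so
    the caller can drop it instead of answering garbage.
    """
    if len(packet) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & QR_RESPONSE:
        raise ValueError("packet is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or length > 63:
            raise ValueError("compression pointer or oversized label in question")
        label = packet[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, packet[12:pos + 4]


def build_response(packet: bytes, answer_ip: str = SINKHOLE_IP, ttl: int = 60) -> bytes:
    """Build the reply for one query: an A record for A/IN, otherwise no records."""
    txid, _qname, qtype, qclass, question = parse_query(packet)
    if qtype == 1 and qclass == 1:
        # NAME (pointer), TYPE A, CLASS IN, TTL, RDLENGTH 4, RDATA
        answer = struct.pack("!HHHIH", PTR_TO_QNAME, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
        ancount = 1
    else:
        answer, ancount = b"", 0
    header = struct.pack("!HHHHHH", txid, FLAGS_REPLY, 1, ancount, 0, 0)
    return header + question + answer


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard recursive query; used to exercise the responder offline."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def parse_answer(response: bytes):
    """Return the A record address from a build_response() reply, or None if it has no answer."""
    _txid, flags, _qd, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if not flags & QR_RESPONSE or ancount == 0:
        return None
    pos = 12
    while response[pos] != 0:            # skip the uncompressed question name
        pos += 1 + response[pos]
    pos += 1 + 4                         # terminating zero + QTYPE/QCLASS
    _name, rtype, _rclass, _ttl, rdlen = struct.unpack("!HHHIH", response[pos:pos + 12])
    rdata = response[pos + 12:pos + 12 + rdlen]
    return socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else None


def serve(bind: str = "0.0.0.0", port: int = 53) -> None:
    """Answer queries forever; bind the VM's DNS setting to this host (assumed port 53)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, addr = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), addr)
        except ValueError:
            continue                     # drop malformed or non-query packets silently


if __name__ == "__main__":
    serve()
```

Run it as root inside the isolated network segment and point the sample VM's resolver at it; pairing it with a static web server that returns the replacement file for any path is what makes the "check it in a VM" step reproducible without touching any live infrastructure.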