LoL it's a good thing that Hush.com is also law abiding...

On Tue, Mar 27, 2012 at 03:19:22AM +0000, lawabidingciti...@mac.hush.com wrote:
> Hi all,
>
> I've spent some time over the last few days getting to know the Sality
> botnet, which is estimated to have at least one million peers. It was
> ranked by Symantec as the number one malicious code family in 2010 by
> number of endpoint detections, and has been used to push spam, steal
> passwords, crack SIP accounts, and various other nasty things.
>
> It has come to my attention that it is not only possible but easy to
> seize control of version three of the botnet, and, more importantly,
> take it down. Sadly, doing so would require breaking the law. For this
> reason, I have to request that nobody perform the steps I am about to
> describe. You can find all the files mentioned below in this archive
> (password: sality):
> http://www7.zippyshare.com/d/65744138/9360/byesality.zip
>
> Firstly, you should *not* use SQL injection to exploit this site:
> http://www.capesolution.com/login/login.aspx . Furthermore, you should
> *not* upload an encrypted version of the AVG Sality removal utility to
> /images/logo/logof.jpeg . Finally, you should *under no circumstance*
> laugh maniacally as you watch a sizable botnet disintegrate before
> your eyes.
>
> Although it shouldn't matter to anyone, this URL won't stay active for
> long. When the authors of Sality remove this particular URL, or if
> that SQL injection turns out to be difficult to leverage, you should
> definitely *not* try to replace one of these files:
> http://yaylaozu.com/images/logo.gif,
> http://destekegitim.com/images/logo.gif,
> http://dav14gurgaon.org/images/logo.gif,
> http://dersrehberi.com/images/logo.gif,
> http://cisse.com.tr/images/logo.gif,
> http://cbe.com.vn/images/logo.gif. You should also *never* use the
> provided Python script to get an updated list of targets from the P2P
> network.
>
> Obviously this could be misused by unscrupulous individuals. For this
> reason, I am not providing details on how to create a properly
> encrypted executable, although I imagine some either already know or
> will quickly figure it out. The payload is not malicious, but you
> don't have to take my word for it. One can check it out in a VM via
> the provided Sality sample by simply using fakedns and thttpd to serve
> up the file to the virus, or by running/unpacking the provided
> original.
>
> Thanks for taking the time to read this. I might release more notes on
> various other pieces of Sality fun if and when the botnet is shut
> down, but alas, this day may never come. It is unfortunate that I am
> unable to do so now due to these legal issues, but, as I'm sure you
> all know, it is more important to respect the law than to fix
> anything.
>
> Sincerely,
> A Law Abiding Citizen
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
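The quoted post names the locations from which Sality v3 bots pull their update file (the capesolution.com path and the six fallback logo.gif hosts). The defensive use of that list is to sweep outbound proxy logs for clients that requested any of them. The script below is an added example, not code from the thread or from anyone in it; the proxy log format (`<timestamp> <client-ip> <method> <url> <status>`) and the sample lines are constructed for illustration, and the capesolution.com path is included because the post implies the bots fetch it.

```python
"""Flag outbound proxy requests to the Sality v3 update URLs named in the post."""
from urllib.parse import urlparse

# Update locations quoted in the post. The capesolution.com path is the one the
# post implies the bots fetch; the rest are the fallback logo.gif hosts it lists.
SALITY_UPDATE_URLS = [
    "http://www.capesolution.com/images/logo/logof.jpeg",
    "http://yaylaozu.com/images/logo.gif",
    "http://destekegitim.com/images/logo.gif",
    "http://dav14gurgaon.org/images/logo.gif",
    "http://dersrehberi.com/images/logo.gif",
    "http://cisse.com.tr/images/logo.gif",
    "http://cbe.com.vn/images/logo.gif",
]


def normalize(url):
    """Reduce a URL to (host, path) so trivial variations still match.

    The host is lower-cased, a leading 'www.' is dropped and any query string
    is ignored; the path keeps its case because the bot requests it verbatim.
    """
    parts = urlparse(url.strip())
    host = parts.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    return host, parts.path


INDICATORS = {normalize(u) for u in SALITY_UPDATE_URLS}


def parse_proxy_line(line):
    """Parse one line of the constructed format '<ts> <client-ip> <method> <url> <status>'."""
    fields = line.split()
    if len(fields) != 5:
        return None  # malformed line: skip it rather than abort the sweep
    ts, client, method, url, status = fields
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def find_sality_fetches(log_lines):
    """Return one record per request whose URL matches a Sality update location.

    A request is flagged regardless of the HTTP status: the bot asking for the
    file is the evidence of infection, not whether the file was served.
    """
    hits = []
    for line in log_lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        if normalize(rec["url"]) in INDICATORS:
            hits.append(rec)
    return hits


def infected_clients(log_lines):
    """Distinct client IPs that requested any update location, sorted."""
    return sorted({h["client"] for h in find_sality_fetches(log_lines)})


# Constructed sample: two infected hosts, one benign request, one malformed line.
SAMPLE_LOG = [
    "2012-03-27T03:20:01Z 10.0.0.12 GET http://www.capesolution.com/images/logo/logof.jpeg 200",
    "2012-03-27T03:20:05Z 10.0.0.12 GET http://example.org/index.html 200",
    "2012-03-27T03:21:10Z 10.0.0.77 GET http://Dersrehberi.com/images/logo.gif?x=1 404",
    "garbled line",
    "2012-03-27T03:22:00Z 10.0.0.12 GET http://yaylaozu.com/images/logo.gif 200",
]

if __name__ == "__main__":
    for h in find_sality_fetches(SAMPLE_LOG):
        print(h["ts"], h["client"], "->", h["url"])
    print("infected clients:", infected_clients(SAMPLE_LOG))
```

Matching on the normalized (host, path) pair rather than the raw string is deliberate: the post itself notes the URL set rotates as the authors swap hosts, so the indicator list should be refreshed from whatever current source you trust, while the matcher stays tolerant of case and query-string noise in the logs.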