Re: [Full-Disclosure] Red Bull Worm

2003-08-14 Thread Berend-Jan Wever
Why not call it SkyNet, after T3?

SkyLined
- Original Message - 
From: Joel R. Helgeson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 17:53
Subject: [Full-Disclosure] Red Bull Worm


 Let's see, the last big worm to exploit Windows was named Code Red after the
 Mountain Dew Code Red was brought to market.  Being that this worm is much
 more effective than Code Red ever was, I say the worm should be named Red Bull
 as it is sure to exhibit much more energy than the Code Red worm.

  - Original Message - 
 From: Stephen [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, August 07, 2003 5:25 AM
 Subject: [Full-Disclosure] DCOM Worm/scanner/autorooter !!!


 
  Hello here,
 
  a new worm is in the wild, it uses the exploit
  released by k-otik (48 targets -
  http://www.k-otik.com/exploits/07.30.dcom48.c.php)
 
  look at this shit:
 
  /* RPC DCOM WORM v 2.2  -
   * This code is in relation to a specific DDOS IRCD
  botnet project.
   * You may edit the code, and define which ftp to
  login
   * and which .exeutable file to recieve and run.
   * I use spybot, very convienent
   * -
   * So basicly script kids and brazilian children, this
  is useless to you
   *
 
  So PATCH PATCH PATCH and block the ports 135-139, 445 and 593
 
  Regards.
 
  Stephen - Germany
 
  ___
  Full-Disclosure - We believe in it.
  Charter: http://lists.netsys.com/full-disclosure-charter.html
 



Re: [Full-Disclosure] Red Bull Worm

2003-08-14 Thread CHeeKY
I say CloseButNoCigar



- Original Message - 
From: Berend-Jan Wever [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 5:18 PM
Subject: Re: [Full-Disclosure] Red Bull Worm


 Why not call it SkyNet, after T3?

 SkyLined


RE: [Full-Disclosure] Red Bull Worm

2003-08-14 Thread gml
Because that movie sucked.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Berend-Jan
Wever
Sent: Thursday, August 07, 2003 12:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Red Bull Worm

Why not call it SkyNet, after T3?

SkyLined


Re: [Full-Disclosure] Red Bull Worm

2003-08-14 Thread Brian Eckman
Joel R. Helgeson wrote:
Let's see, the last big worm to exploit Windows was named Code Red after the
Mountain Dew Code Red was brought to market.  Being that this worm is much
more effective than Code Red ever was, I say the worm should be named Red Bull
as it is sure to exhibit much more energy than the Code Red worm.
Pardon me if I am just plain ignorant, but where is this worm, and how 
on earth is it more effective than Code Red ever was already if nobody 
is talking about it? The only evidence of a worm I have seen is one 
person showing comments supposedly from source code of some program 
calling itself a worm...

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737
There are 10 types of people in this world. Those who
understand binary and those who don't.


Re: [Full-Disclosure] Red Bull Worm

2003-08-14 Thread Brian Eckman
My my, are we grumpy today :-)

You said that this worm that, as far as anyone can tell, exists solely 
as a comment, is much more effective than Code Red ever was. Pardon me 
for pointing out your FUD.

A worm will likely be created. If written even fairly well, it should be 
more effective than Code Red (whatever your definition of effective 
is). However, what was provided to the list wasn't of much use to 
anyone, so I was pointing out how premature it was to start labelling it.

I'll resist the temptation of responding to your flames.

Brian



Re: [Full-Disclosure] Red Bull Worm

2003-08-14 Thread Brian Eckman
Bassett, Mark wrote:
 What about what mobly posted earlier?

 snip
 FYI: Symantec's analysis
 http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot.html

 -Dave

(snippage)

Well, it technically isn't a worm. But don't take my word for it, as I
am no expert. Symantec classifies it as a Trojan Horse, not a worm. On
the KAV Web page (http://www.avp.ch/avpve/worms/win32/autorooter.stm),
they state "Even though this file package does not contain any
auto-replication funnctions (sic), we still consider it much closer to
being a worm-type program rather than merely a backdoor or a hacktool."
OK, so I'll call it a worm for argument's sake. It restricts itself to
roughly 5% of the possible IP space and only spreads via 445/tcp.
Symantec's site is still saying 0-49 hosts infected in the
first 4 days. I'd hardly say it's more effective than Code Red.

Now, if someone takes it and turns it into an E-mail aware worm, and/or
opens its target IP range to the Internet at large, then it is a
*different* worm (I'm still calling it a worm for argument's sake) and
we're playing a whole different ballgame.

I have IP addresses in the target range of this worm. I'm seeing lots
of scanning for 445/tcp, but not coming from other addresses in its
target range.

Brian



Re: [Full-Disclosure] Red Bull Worm

2003-08-14 Thread Joel R. Helgeson
Ahem;
1) This is the list where exploits get posted. If/when a worm is released,
this is where you'll hear about it first. It's usually created by someone who
monitors the list. If early warnings are too much for you to handle, unsub
from the list and wait to hear about this stuff on CNN.
2) Code Red infected IIS servers, used those infected servers to spread
itself, and set up compromised machines to perform a massive DOS attack
against the whitehouse.gov server at a predetermined date & time. Pretty
simple.
3) RPC/DCOM is running on every single Win2k, 2k3, XP & NT4 machine on this
side of the sun. No need to look for servers that are running IIS.  If you
were to compile the code, you'll see how devastatingly efficient this code
is at providing you root access to any box you aim this thing at.
4) Once the machine is exploited, the box will establish an outbound
connection to an FTP server, or IRC server to await further instructions.
If you can't look at this fact alone and realize that this is a pretty big
f***ing hole, you need to get yerself a new line of work.
5) People think that filtering ports on the firewall will prevent the bug
from infecting them.  All you need to do is email it into someone and have
them double click. That virus would infect every server within the
enterprise within seconds.  If you think "That'll never happen" then just
look at the message.zip virus that spreads. Every village has its idiot.
6) EVEN IF the code hasn't been worm-ified yet, it is only a matter of time.
The exploit works, that much has been proven.
7) If you don't agree that this issue is MUCH LARGER than Code Red, well...
it's time for a new job.

Regards,
Joel


Re: [Full-Disclosure] Red Bull Worm

2003-08-08 Thread Valdis . Kletnieks
On Thu, 07 Aug 2003 11:47:48 CDT, Brian Eckman [EMAIL PROTECTED]  said:

 Pardon me if I am just plain ignorant, but where is this worm, and how 
 on earth is it more effective than Code Red ever was already if nobody 
 is talking about it? The only evidence of a worm I have seen is one 
 person showing comments supposedly from source code of some program 
 calling itself a worm...

The monitors at www.dshield.org *are* showing a slight rise in port 445 and 135
events, and there's been a lot of chatter about widespread exploits.  On the
other hand, I've not seen any firm evidence it's made the jump from scanner/
exploit tool to worm - there's certainly no CodeRed-sized spike in the
monitors (*YET* - if the worm has a slow first-phase deployment, things could
get interesting later this week).



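A defender-side check for the advice running through this thread (filter 135-139, 445 and 593 at the perimeter, and watch for the rise in 135/445 events that Valdis and Brian describe). This is an added example, not code from any poster: it parses constructed iptables-style deny-log lines (the log format, the addresses and the three-host threshold are assumptions) and flags sources sweeping many hosts on those ports.

```python
"""Count DCOM-era probe activity in firewall deny logs (added example, not from the thread)."""
import re
from collections import Counter, defaultdict

# Ports the thread recommends filtering at the perimeter:
# 135 (RPC endpoint mapper), 136-139 (NetBIOS), 445 (SMB), 593 (RPC over HTTP).
WATCHED_PORTS = {135, 136, 137, 138, 139, 445, 593}

# Constructed sample lines in an iptables-style format; addresses are documentation
# ranges and the traffic is invented for the example, not captured data.
SAMPLE_LOG = """\
Aug  7 10:01:02 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4321 DPT=445 SYN
Aug  7 10:01:02 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.6 PROTO=TCP SPT=4322 DPT=445 SYN
Aug  7 10:01:03 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=4323 DPT=135 SYN
Aug  7 10:01:03 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.8 PROTO=TCP SPT=4324 DPT=445 SYN
Aug  7 10:01:05 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=1100 DPT=80 SYN
Aug  7 10:01:06 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=1101 DPT=445 SYN
Aug  7 10:01:07 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.5 PROTO=UDP SPT=1102 DPT=137
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def parse(log):
    """Yield (src, dst, proto, dport) for every line the pattern matches; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def port_counts(log):
    """Events per watched port: the per-port view that shows a rise in 135/445 traffic."""
    return Counter(dport for _, _, _, dport in parse(log) if dport in WATCHED_PORTS)


def likely_scanners(log, min_hosts=3):
    """Sources that hit at least min_hosts distinct destinations on watched TCP ports.

    One source sweeping many addresses on 445/135 matches the scanner behaviour the
    thread describes; a single connection attempt to one host does not, so it is
    not reported at the default threshold.
    """
    seen = defaultdict(set)
    for src, dst, proto, dport in parse(log):
        if proto == "TCP" and dport in WATCHED_PORTS:
            seen[src].add(dst)
    return {src: len(hosts) for src, hosts in seen.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    print("events per watched port:", dict(port_counts(SAMPLE_LOG)))
    print("likely scanners:", likely_scanners(SAMPLE_LOG))
```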


Re: [Full-Disclosure] Red Bull Worm

2003-08-07 Thread KF
 targets[] =
 {
  { "[Win2k-Universal]", 0x0018759F },
  { "[WinXP-Universal]", 0x0100139d },
 }, v;


http://packetstorm.linuxsecurity.com/filedesc/oc192-dcom.c.html
-KF
Adam wrote:
FYI - k-otik released a universal exploit that doesn't need 48 different
offsets.  It uses 2. One for win2k and one for XP. ( In case no one noticed )


Adam Richards
Network Administrator
WorldNet Communications, Inc.
318-213-9827 / Fax 318-213-8534
World Class Technology, Hometown Service