[Intrusions] MyDoom.M/O Registration Process

Merton Campbell Crockett mcc at CATO.GD-AIS.COM
Wed Jul 28 15:20:42 GMT 2004


On Wed, 28 Jul 2004, Joe Stewart wrote:

> On Tuesday 27 July 2004 6:06 pm, Fitton, Robert (Bob) wrote:
> > I observed the same phenomenon internally: infected machines on
> > different VLANs were attempting to reach each other on tcp 1034 (but
> > being blocked by inter-VLAN access lists).  How did they learn about
> > each other?  Port 1034 is NOT open either incoming or outgoing
> > through the firewalls.
> 
> I've written up an analysis of how the whole MyDoom/Zincite/Zindos 
> system works. It explains how the infected machines know about each 
> other.
> 
> http://www.lurhq.com/zindos.html

Thanks for the pointer to your analysis.

One thought that I had about "registration" was that the Apache server had
a ScriptAlias defined that invoked a CGI that tracked the requesting IP
address.


-- 
BEGIN:				vcard
VERSION:			3.0
FN:				Merton Campbell Crockett
ORG:				General Dynamics Advanced Information Systems;
				Intelligence and Exploitation Systems
N:				Crockett;Merton;Campbell
EMAIL;TYPE=internet:		mcc at CATO.GD-AIS.COM
TEL;TYPE=work,voice,msg,pref:	+1(805)497-5045
TEL;TYPE=work,fax:		+1(805)497-5050
TEL;TYPE=cell,voice,msg:	+1(805)377-6762
END:				vcard
