[Intrusions] MyDoom.M/O Registration Process
sekure
sekure at gmail.com
Thu Jul 29 18:08:34 GMT 2004
Has anyone written a tool to look at zincite.log file based on the
description of it in lurhq's doc?
On Wed, 28 Jul 2004 08:20:42 -0700 (PDT), Merton Campbell Crockett
<mcc at cato.gd-ais.com> wrote:
> On Wed, 28 Jul 2004, Joe Stewart wrote:
>
> > On Tuesday 27 July 2004 6:06 pm, Fitton, Robert (Bob) wrote:
> > > I observed the same phenomenon internally: infected machines on
> > > different VLANs were attempting to reach each other on tcp 1034 (but
> > > being blocked by inter-VLAN access lists). How did they learn about
> > > each other? Port 1034 is NOT open either incoming or outgoing
> > > through the firewalls.
> >
> > I've written up an analysis of how the whole MyDoom/Zincite/Zindos
> > system works. It explains how the infected machines know about each
> > other.
> >
> > http://www.lurhq.com/zindos.html
>
> Thanks for the pointer to your analysis.
>
> One thought that I had about "registration" was that the Apache server had
> a ScriptAlias defined that invoked a CGI that tracked the requesting IP
> address.
>
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>
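The observation Bob reports above (infected hosts on different VLANs trying to reach each other on tcp 1034 and being dropped by inter-VLAN access lists) is itself a usable detection signal: the ACL deny logs name every host that is trying to talk to a peer on that port. The script below is an added example, not a tool from the thread or from lurhq; it parses constructed, Cisco-style ACL deny lines (the sample lines and the addresses in them are made up for this illustration) and groups the blocked tcp/1034 attempts by source host so you get a list of machines worth pulling for inspection. The log format, field names and the hypothetical VLAN access-list names are assumptions; adapt the regular expression to whatever your firewall or switch actually emits.

```python
import re
from collections import defaultdict

# Constructed sample ACL deny lines (Cisco IOS style); not logs from the thread.
# 10.10.1.25 and 10.20.4.7 try each other on tcp/1034; one line is unrelated
# web traffic and one is udp, both of which the filter should ignore.
SAMPLE_LOG = """\
Jul 27 17:51:02 core-sw1 %SEC-6-IPACCESSLOGP: list VLAN10-IN denied tcp 10.10.1.25(3412) -> 10.20.4.7(1034), 1 packet
Jul 27 17:51:05 core-sw1 %SEC-6-IPACCESSLOGP: list VLAN10-IN denied tcp 10.10.1.25(3419) -> 10.20.9.12(1034), 1 packet
Jul 27 17:52:11 core-sw1 %SEC-6-IPACCESSLOGP: list VLAN20-IN denied tcp 10.20.4.7(2201) -> 10.10.1.25(1034), 1 packet
Jul 27 17:52:40 core-sw1 %SEC-6-IPACCESSLOGP: list VLAN10-IN denied tcp 10.10.1.40(1122) -> 10.20.4.7(80), 1 packet
Jul 27 17:53:09 core-sw1 %SEC-6-IPACCESSLOGP: list VLAN30-IN denied udp 10.30.2.2(1034) -> 10.10.1.25(1034), 1 packet
"""

# Matches the "denied <proto> <src>(<sport>) -> <dst>(<dport>)" part of a line.
LINE_RE = re.compile(
    r"denied (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)


def parse_denies(text):
    """Yield (proto, src, dst, dport) for every line that looks like an ACL deny."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["dport"])


def suspect_hosts(text, port=1034):
    """Map each source IP to the sorted list of peers it tried to reach on tcp/<port>.

    Only tcp is counted, since the thread describes tcp 1034; the destination
    port is what matters, so the (random) source port is ignored.
    """
    peers = defaultdict(set)
    for proto, src, dst, dport in parse_denies(text):
        if proto == "tcp" and dport == port:
            peers[src].add(dst)
    return {src: sorted(dsts) for src, dsts in peers.items()}


def involved_hosts(text, port=1034):
    """Every host seen on either end of a blocked tcp/<port> attempt.

    A host that is only ever a *target* on this port is still worth a look:
    whoever is knocking on it believes it is a peer.
    """
    hosts = set()
    for src, dsts in suspect_hosts(text, port).items():
        hosts.add(src)
        hosts.update(dsts)
    return sorted(hosts)


if __name__ == "__main__":
    for src, dsts in sorted(suspect_hosts(SAMPLE_LOG).items()):
        print(f"{src} tried tcp/1034 to {len(dsts)} peer(s): {', '.join(dsts)}")
    print("hosts to inspect:", ", ".join(involved_hosts(SAMPLE_LOG)))
```

Feed it the real deny log (`suspect_hosts(open("acl.log").read())`) rather than the embedded sample; a host that shows up as a source with several distinct 1034 targets is the strongest signal, because it has somehow acquired a list of peers it should not know about.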