[Intrusions] MyDoom.M/O Registration Process
sekure
sekure at gmail.com
Thu Jul 29 19:33:06 GMT 2004
Does anyone have a sample zincite.log file they could send me? I am
bored and would like to try writing a util to decrypt the log.
On Thu, 29 Jul 2004 14:08:34 -0400, sekure <sekure at gmail.com> wrote:
> Has anyone written a tool to look at zincite.log file based on the
> description of it in lurhq's doc?
>
> On Wed, 28 Jul 2004 08:20:42 -0700 (PDT), Merton Campbell Crockett
> <mcc at cato.gd-ais.com> wrote:
> > On Wed, 28 Jul 2004, Joe Stewart wrote:
> >
> > > On Tuesday 27 July 2004 6:06 pm, Fitton, Robert (Bob) wrote:
> > > > I observed the same phenomenon internally: infected machines on
> > > > different VLANs were attempting to reach each other on tcp 1034 (but
> > > > being blocked by inter-VLAN access lists). How did they learn about
> > > > each other? Port 1034 is NOT open either incoming or outgoing
> > > > through the firewalls.
> > >
> > > I've written up an analysis of how the whole MyDoom/Zincite/Zindos
> > > system works. It explains how the infected machines know about each
> > > other.
> > >
> > > http://www.lurhq.com/zindos.html
> >
> > Thanks for the pointer to your analysis.
> >
> > One thought that I had about "registration" was that the Apache server had
> > a ScriptAlias defined that invoked a CGI that tracked the requesting IP
> > address.
> >
> > _______________________________________________
> > Intrusions mailing list
> > Intrusions at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/intrusions
> >
>
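The observation in the thread above is that infected hosts on different VLANs were trying to reach each other on tcp 1034 and being dropped by the inter-VLAN access lists. Those ACL deny entries are the cheapest place to find the infected population. The following is an added example, not code from the thread or from the lurhq analysis: it parses constructed Cisco IOS-style IPACCESSLOGP deny lines (the sample log is made up for this example, not real data from the incident), keys on the destination port only, and lists each source together with the peers it tried. The port number is the one quoted in the thread; the log format, host names and addresses are assumptions.

```python
import re
from collections import defaultdict

# Port the infected hosts in the thread were trying to reach on each other.
ZINDOS_PORT = 1034

# Matches the TCP deny entries of an IOS-style "log" ACL:
#   ... denied tcp SRC(SPORT) -> DST(DPORT), N packet(s)
ACL_DENY_RE = re.compile(
    r"denied tcp (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)

# Constructed sample log, modelled on Cisco IOS %SEC-6-IPACCESSLOGP messages.
# These are NOT real log lines from the incident discussed in the thread.
SAMPLE_LOG = """\
Jul 27 17:02:11 core-sw 101: %SEC-6-IPACCESSLOGP: list INTER_VLAN denied tcp 10.1.2.34(1105) -> 10.1.3.56(1034), 1 packet
Jul 27 17:02:13 core-sw 102: %SEC-6-IPACCESSLOGP: list INTER_VLAN denied tcp 10.1.2.34(1106) -> 10.1.3.57(1034), 1 packet
Jul 27 17:02:14 core-sw 103: %SEC-6-IPACCESSLOGP: list INTER_VLAN denied tcp 10.1.2.34(1107) -> 10.1.3.56(1034), 3 packets
Jul 27 17:02:20 core-sw 104: %SEC-6-IPACCESSLOGP: list INTER_VLAN denied tcp 10.1.3.56(1034) -> 10.1.2.9(445), 1 packet
Jul 27 17:02:31 core-sw 105: %SEC-6-IPACCESSLOGP: list INTER_VLAN denied tcp 10.1.4.8(1301) -> 10.1.2.34(1034), 1 packet
Jul 27 17:02:40 core-sw 106: %SEC-6-IPACCESSLOGP: list INTER_VLAN denied tcp 10.1.5.77(2201) -> 10.1.2.10(80), 1 packet
Jul 27 17:02:45 core-sw 107: %SEC-6-IPACCESSLOGP: list INTER_VLAN permitted tcp 10.1.5.77(2202) -> 10.1.2.10(80), 1 packet
"""


def parse_denied_tcp(line):
    """Return (src, dst, dport) for a denied-TCP ACL line, or None for anything else."""
    m = ACL_DENY_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def peers_by_source(log_text, port=ZINDOS_PORT):
    """Map each source IP to the destination IPs it tried to reach on `port`.

    Only the destination port is matched: an entry with 1034 as the
    *source* port (line 104 in the sample) is ordinary ephemeral-port
    traffic and must not be counted.
    """
    peers = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_denied_tcp(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport == port:
            peers[src].add(dst)
    return {src: sorted(dsts) for src, dsts in peers.items()}


def suspected_infected(log_text, port=ZINDOS_PORT, min_peers=2):
    """Sources that tried `port` on at least `min_peers` distinct hosts.

    A host that already knows several other hosts' addresses and tries
    this port on each of them behaves like the infected machines in the
    thread; a single attempt still shows up in peers_by_source() but is
    not flagged here, to keep stray hits out of the list.
    """
    return sorted(
        src for src, dsts in peers_by_source(log_text, port).items()
        if len(dsts) >= min_peers
    )


if __name__ == "__main__":
    for src, dsts in sorted(peers_by_source(SAMPLE_LOG).items()):
        print(f"{src} -> tcp/{ZINDOS_PORT} on {', '.join(dsts)}")
    print("suspected infected:", suspected_infected(SAMPLE_LOG))
```

Run it against a real syslog export in place of SAMPLE_LOG. The destinations a flagged host tried are worth checking as well: the thread's point is that infected machines learn each other's addresses, so a host that is being targeted on tcp 1034 by a known-infected peer is a likely infection itself.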