[Intrusions] Interesting little piece of malware...

Hubbard, Dan dhubbard at websense.com
Wed Sep 22 17:22:39 GMT 2004


We have also identified websites (all in the .biz domain) which are
using the IE drag and drop vulnerability to spread this.


-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Matthew Sowers
Sent: Tuesday, September 21, 2004 2:51 PM
To: Intrusions List (GCIA Practicals)
Subject: Re: [Intrusions] Interesting little piece of malware...

Actually, r-bot does not spread like a virus or worm, so it would not
have been from an infected laptop and it would not have come across in
an email. R-bot is mostly transferred by tftp when the person running
the scanning portion of R-bot finds an exploit they can use. From lsass
to dcom, they have it all. Yes, it may have come from someone inside the
college, but all that takes is someone getting on a machine there and
running the exe that has to be executed for r-bot to run. You can find
the information in the r-bot exe or the suspected file, and it will tell
you what channels and what IRC network the bot connects to. As to what
to tell management, that's a hard one, as more exploits come out they
will be added to the bots. Removing them can be difficult too, as you can
make them install to whatever directory you want. Most AV will pick up
r-bot and rx-bot unless they have changed the header, and that's not hard
to do with compression. Some of these script kiddies actually leave it
named r-bot. How pathetic is that.

Regards,
Matt Sowers
UAT Student Software Engineering Network Security
  ----- Original Message -----
  From: Chris Norton <kicktd_list at hotmail.com>
  To: Intrusions List (GCIA Practicals) <intrusions at lists.sans.org>
  Sent: Tuesday, September 21, 2004 7:49 AM
  Subject: Re: [Intrusions] Interesting little piece of malware...


  > Further, what do I tell management ... when
  > they want to know how it got on here in the first place?

  Really, it would be hard to tell how it got on your computers there
  without knowing the setup of your network (is everything behind a
  central firewall, etc.). It's possible a student with an infected
  laptop connected to the network and it spread that way, or maybe
  someone checked their email and got it, etc. There are several ways
  for worms/viruses etc. to sneak past firewalls; all it takes is a
  human "host" to carry them past.

  As for how to clean it out, follow the instructions here for R-BOT:
  http://www.sophos.com/virusinfo/analyses/w32rbotei.html

  --
  Chris Norton
  UAT Student Software Engineering Network Defense
  _______________________________________________
  Intrusions mailing list
  Intrusions at lists.sans.org
  http://www.dshield.org/mailman/listinfo/intrusions
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
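Matt's point above is that the IRC network and channels a bot reports to are usually sitting in the dropped executable as plain strings. The script below is an added triage example, not code from any poster or from the Sophos write-up: it pulls printable strings out of a file the way `strings` does and sorts the likely IRC server, channel, port and tftp-transfer strings into buckets, so an incident handler can confirm the C2 rendezvous and pick the indicators to block or alert on. The embedded byte blob is a constructed stand-in for a suspect binary (the hostname, channel and port are invented), and the heuristics for what counts as a "server" or "channel" are assumptions, not R-bot's actual config layout.

```python
import re

# Constructed sample standing in for a suspect executable: a few bytes of
# header-like filler around the kind of configuration strings an IRC bot
# carries. The hostname, channel, password and port are invented.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x00\x01\x02irc.example-c2.invalid\x00\x00\x00\x00"
    b"\x00#bots-room\x00\x00\x00\xde\xadpassword123\x00\x00"
    b"\x00\x006667\x00\x00\x01tftp -i %s GET %s\x00\x00"
)

# Heuristics (assumptions): an IRC server looks like a dotted hostname that
# mentions "irc"; a channel is '#' plus a name with no whitespace or commas;
# a port is a 2-5 digit number in the unprivileged range.
HOST_RE = re.compile(r"^(?=.*irc)[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)
CHANNEL_RE = re.compile(r"^#[^\s,]{1,49}$")
PORT_RE = re.compile(r"^\d{2,5}$")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII at least min_len bytes long, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_irc_indicators(data: bytes) -> dict[str, list[str]]:
    """Bucket extracted strings into the indicators a handler wants from a bot sample."""
    found: dict[str, list[str]] = {"servers": [], "channels": [], "ports": [], "transfer": []}
    for s in extract_strings(data):
        if HOST_RE.match(s):
            found["servers"].append(s)
        elif CHANNEL_RE.match(s):
            found["channels"].append(s)
        elif PORT_RE.match(s) and 1024 <= int(s) <= 65535:
            found["ports"].append(s)
        elif "tftp" in s.lower():
            # The tftp command line is how the thread says the bot is pulled
            # onto freshly exploited hosts; worth its own bucket for detection.
            found["transfer"].append(s)
    return found


def printable_ratio(data: bytes) -> float:
    """Share of printable bytes; a very low value suggests the sample is packed."""
    return sum(0x20 <= b <= 0x7E for b in data) / max(len(data), 1)


if __name__ == "__main__":
    for bucket, values in find_irc_indicators(SAMPLE_BINARY).items():
        print(f"{bucket:9s} {values}")
    print(f"printable ratio: {printable_ratio(SAMPLE_BINARY):.2f}")
```

Run it against a real sample with `find_irc_indicators(open(path, "rb").read())`. As Matt notes, a compressed (packed) copy hides these strings; if `extract_strings` returns almost nothing and `printable_ratio` is low, unpack the sample first or run it in an isolated lab and take the server and channel from the network capture instead.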


