[Dshield] F-Secure: So who is Diabl0?

jayjwa jayjwa at atr2.ath.cx
Tue Aug 30 07:08:13 GMT 2005


On Mon, 29 Aug 2005, Stephane Grobety wrote:

-> In the script kiddies world, it's pretty common to take a binary, open
-> it with a hex editor and change some parts like IP addresses and
-> embedded strings to create a new variant of the worm: no source code
-> is used.

I disagree. It's not as easy as you think to just pop open a binary and 
start changing stuff. What about lengths of data and instructions in 
memory? You run into a big problem when what you want to change doesn't 
fit into the hardcoded structure of the binary you already have, so this 
doesn't work. Give it a try.

On the contrary, the source code for this stuff is all over the Internet, 
as I've posted about before. It's not hard to fill out a few values in a 
config file and then do something like:

make all

./bot


There are web sites where you can download this or that; F-Secure seems to 
know about alot of them themselves (but only reveals so after whomever 
stops/gets arrested). It's basically the same old stuff, repeated again 
and again: Windows viruses, rbot/Agobot. On Linux it's some exploit 
written in Perl that downloads a bot. Emech. RST virus. Last Handler's 
Diary refered to an awstats Shellbot. This downloads, you guessed it, 
Emech 2.81 (ftp.energymech.net) infected by RST (and connects to 
irc.undernet.org, user mask *@pinky.users.undernet.org, channel
is in the binary. They didn't even bother to strip out the debug 
symbols...) It happens all the time. Connect to irc.undernet.org sometime 
and pull the channel list. Take a look and see if you see a topic 
something like this:  !download http://some.site.net/some-bin.exe

You can get a nice bot collection by grep'ing that channel list:

egrep '\.exe$' channel.list


Only slightly more skill is needed to take part of one source and tack on 
another, especially when the exploit is already written by someone else 
who's already done the hard part, which is what I think we saw with Diabl0 
and some of the other PnP stuff.


People or business that get whacked by this stuff should feel ashamed: 
it's akin to leaving your car door open with the engine running all night 
in the middle of the city, then coming back in the morning and wondering 
where your car is. Sure they're the criminals, sure people that own the 
networks/computers should be able to keep their machines in whatever stage 
of unpatched-ness they so choose, but this is the Real World. There are 
people out there that do this sort of stuff. If I was responsible for a 
company such as CNN, or some other multi-billion dollar firm, you could be 
darn well sure I wouldn't be letting my networks fall prey to a kid that 
downloaded some point -n- click bot, worm or whatever.

jayjwa






More information about the list mailing list