[unisog] new virus?

Jordan Wiens numatrix at ufl.edu
Thu Feb 24 18:21:37 GMT 2005


The writeups that most AV vendors do these days on the multi-faceted bots 
are pretty lame.  They usually just include some generic 'and does other 
stuff too' or don't even mention it at all.  Most of the bots these days 
come with a half dozen, or even dozens of exploits and attacks built right 
in.

Plus, most of the time the AV vendors are triggering on a generic piece of 
the code.  In other words, if a bot has code for a specific attack script 
or behavior, the AV will match on that even if the bot is morphed into 
something with a lot more attack capability.

So like I said, AV vendor writeups for all the bots these days tend not to 
be particularly useful.  And I don't blame them.  There's just too many of 
the darn things to keep track of.

-- 
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061

On Thu, 24 Feb 2005, BACHAND, Dave (Info. Tech. Services) wrote:

> I did run a Nessus scan against the box later yesterday.  The SA
> password was indeed blank.  You just can't get good help these days :-)
>
> What was and still is giving me pause however was that the virus in
> question was definitely doing a password hack against a variety of
> usernames, IE admin, SA, root etc.  But what we detected was a virus
> that McAfee said was using an LSASS vulnerability, which I'm fairly
> certain the machine was patched for.   I checked the patch logs, and the
> MS04-011 patch had been in place since it came out.
>
> Ideas?
>
> ++++++++++++++++++++++++++++++++++++++++++++
> Dave Bachand
> Data Network Manager
> Information Technology Services
> Eastern Connecticut State University
> 83 Windham Street
> Willimantic, CT
> Tel. (860)465-5376
> ++++++++++++++++++++++++++++++++++++++++++++
>
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Jordan Wiens
> Sent: Thursday, February 24, 2005 10:47 AM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] new virus?
>
> On Wed, 23 Feb 2005, BACHAND, Dave (Info. Tech. Services) wrote:
>
>> We've recently had a minor outbreak (if there is such a thing) of a
>> virus that I'm having a hard time putting my finger on.
>>
>> McAfee shows it as being an SDBOT variant.  But, it only attacks SQL
>> servers.  It seems to be doing some sort of a login attempt/attack.
>> My SQL sysadmin swears that the SA password wasn't blank, and there
>> were no SQL patches missing.
>
> Most of the *bots (sdbot, gaobot, agobot, whatever) are controlled via IRC
> (as mentioned by another poster), and are manually controlled and told
> to spread.  It's quite likely the bots could attack in other ways; it
> just so happens that that particular botnet controller is using MSSQL
> for now.
>
> Just for reference, I had an admin who had an mssql server that he swore
> did not have a blank SA password.  Nessus kept saying he did.  I finally
> connected remotely via the mssql manager without a password.  Then he
> believed me; though it took him three tries to successfully get a
> password on the account.
>
> That may not have been the cause in your situation, but it's much more
> likely than an mssql 0-day.
>
> --
> Jordan Wiens, CISSP
> UF Network Security Engineer
> (352)392-2061
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
>

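The behaviour Dave describes above, one source hammering the SQL login with a list of common usernames (sa, admin, root), is visible in the SQL Server error log long before anyone argues about whether the SA password was blank. Below is an added example, not from the thread or from any of the posters, of a small detector for that pattern: it parses failed-login lines and flags a client that fails against several distinct usernames within a short window. The log lines are constructed and only approximate the real SQL Server "Login failed for user" format; the window, threshold and CLIENT field layout are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of a SQL Server error log (not real data).
# One client tries several usernames in a second; another is a normal user
# who mistypes once and then logs in.
SAMPLE_LOG = """\
2005-02-23 09:14:02.11 Logon  Login failed for user 'sa'. [CLIENT: 10.0.5.77]
2005-02-23 09:14:02.35 Logon  Login failed for user 'admin'. [CLIENT: 10.0.5.77]
2005-02-23 09:14:02.60 Logon  Login failed for user 'root'. [CLIENT: 10.0.5.77]
2005-02-23 09:14:02.84 Logon  Login failed for user 'administrator'. [CLIENT: 10.0.5.77]
2005-02-23 09:14:03.01 Logon  Login failed for user 'sa'. [CLIENT: 10.0.5.77]
2005-02-23 09:20:15.00 Logon  Login failed for user 'reports'. [CLIENT: 192.168.3.9]
2005-02-23 09:20:40.00 Logon  Login succeeded for user 'reports'. [CLIENT: 192.168.3.9]
"""

# Assumed line layout: timestamp, 'Logon' source, failure message, client address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(text):
    """Return (timestamp, client, username) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # successful logins and unrelated lines are skipped
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["client"], m["user"]))
    return events


def find_spray_sources(events, window=timedelta(seconds=60),
                       min_failures=4, min_users=3):
    """Flag clients with >= min_failures failed logins spanning >= min_users
    distinct usernames inside any sliding window of the given length.
    Returns {client: sorted list of usernames tried}."""
    by_client = defaultdict(list)
    for ts, client, user in events:
        by_client[client].append((ts, user))

    flagged = {}
    for client, attempts in by_client.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_users:
                flagged[client] = sorted(users)
                break  # one hit per client is enough to report
    return flagged


def main():
    hits = find_spray_sources(parse_failures(SAMPLE_LOG))
    for client, users in hits.items():
        print(f"{client}: failed logins across {len(users)} usernames {users}")


if __name__ == "__main__":
    main()
```

A single user who fails once and then succeeds never trips the rule, while the bot-style source is flagged after its fourth attempt. Thresholds should be tuned to the server in question; a shared development box with many humans mistyping passwords needs a looser window than a production instance that should see only application service accounts.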