Honeypots
Re: botnet logs Nov 17 2008 05:48PM
Valdis Kletnieks vt edu
On Mon, 17 Nov 2008 10:15:06 EST, dxp said:

> Many trojans these days can easily bypass default firewall protection in
> XP SP2. If any of those include self replication with exploit against
> some vulnerability (ms08-067) then history will be repeated, to a
> certain extent.

Read carefully what I said - the trojan needs to have *already* gotten into the
box to turn off the firewall. If you get a worm trying to exploit (for
example) ms08-067, and it tries to go scanning across a subnet to find
vulnerable boxes, it's simply not going to find a lot. Yes, it will find a
*few* older boxes that still don't have a good firewall - but for *most* of
them, the firewall will stop things before the packet gets in far enough to
exploit ms08-067.

(Of course, if you found a really cool exploit against the firewall code itself,
that allowed you to abuse the firewall to run your code before it rejected
your packet, you'd be on to something big... :)

Now, using that botted box as a fast-flux exploit-on-demand server that's
pointed to by a malicious URL planted elsewhere - *THAT* will work just fine.
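What the scenario above looks like from the defender's side, as an added example that is not part of this thread: a worm sweeping a subnet for ms08-067-style targets leaves a trail of dropped inbound TCP/445 attempts in the host firewalls that stopped it. The script parses Windows Firewall log entries in pfirewall.log format (column names taken from the file's own "#Fields:" header, so the XP and Vista layouts both work), assumes the entries have been collected from several hosts into one file, and flags sources whose SMB attempts were dropped at many distinct destinations. The log lines are constructed samples.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in Windows Firewall (pfirewall.log) format, as if
# gathered from several XP/Vista hosts on 10.0.0.0/24; not from the post.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2008-11-17 10:15:06 DROP TCP 10.0.0.5 10.0.0.20 3341 445 48 S 1010101 0 65535 - - - RECEIVE
2008-11-17 10:15:06 DROP TCP 10.0.0.5 10.0.0.21 3342 445 48 S 1010102 0 65535 - - - RECEIVE
2008-11-17 10:15:07 DROP TCP 10.0.0.5 10.0.0.22 3343 445 48 S 1010103 0 65535 - - - RECEIVE
2008-11-17 10:15:07 DROP TCP 10.0.0.5 10.0.0.23 3344 445 48 S 1010104 0 65535 - - - RECEIVE
2008-11-17 10:15:08 DROP TCP 10.0.0.5 10.0.0.24 3345 445 48 S 1010105 0 65535 - - - RECEIVE
2008-11-17 10:15:09 OPEN TCP 10.0.0.20 10.0.0.1 1044 80 0 - 0 0 0 - - - SEND
2008-11-17 10:15:10 DROP TCP 10.0.0.9 10.0.0.20 2200 445 48 S 2020202 0 65535 - - - RECEIVE
"""


def parse_pfirewall(text):
    """Yield one dict per log entry, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        yield dict(zip(fields, parts))


def smb_scanners(text, min_targets=3, dst_port="445"):
    """Map src-ip -> sorted list of hosts that dropped its inbound TCP attempts
    on dst_port, keeping only sources that hit at least min_targets hosts.
    Many distinct targets from one source is the footprint of a scanning worm
    being stopped at the host firewall before the packet reaches SMB."""
    targets = defaultdict(set)
    for e in parse_pfirewall(text):
        inbound = e.get("path", "RECEIVE") == "RECEIVE"  # XP logs have no path column
        if e["action"] == "DROP" and e["protocol"] == "TCP" and e["dst-port"] == dst_port and inbound:
            targets[e["src-ip"]].add(e["dst-ip"])
    return {src: sorted(dsts, key=ipaddress.ip_address)
            for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in smb_scanners(SAMPLE_LOG).items():
        print(f"{src} probed port 445 on {len(dsts)} hosts, all dropped: {', '.join(dsts)}")
```

A single host's own log shows only itself as destination, so the per-source target count is only meaningful once logs from many hosts (or a perimeter firewall) are pooled.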
