Several days ago, Lawrence Baldwin of myNetWatchman.com captured the
WINS exploit Trojan that's running around the internet right now, and
I've been digging in with some gusto. It's not really a worm, but it
does have an "autohack" mode and a botnet capability, so it's something
that probably deserves some attention.
Sophos has called this "Troj/Winser-A", but I have not seen any other
real analysis anywhere (including on the INCIDENTS list), so I'm posting
my work here. The analysis, including the binaries themselves, is at:
Analysis of the Troj/Winser-A Malware
http://www.unixwiz.net/research/winser-a.html
I am still pretty early in the process of the big Trojan - a colleague
who knows a bit about "the dark side" of IRC doesn't recognize it -
and anybody who wants my IDA Pro .idb files for analysis can have them
for the asking.
I'll update my page as I find more information.
Steve
--
Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561
www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve (at) unixwiz (dot) net [email concealed]