List:       incidents
Subject:    analysis of Troj/Winser-A
From:       Steve Friedl <steve () unixwiz ! net>
Date:       2005-01-07 6:18:27
Message-ID: 20050107061827.GA20990 () linux ! unixwiz ! net

Hello all,

The WINS worm that is running around was identified by Sophos as
"Troj/Winser-A", but I've not seen much discussion of the technical
details save for talk of the SNORT rules.

Lawrence Baldwin of www.MyNetWatchman.com captured this thing, and I've
been taking it apart over the last few days. It comes in two parts -
a standalone exploit program, plus a much larger IRC bot-type program.

My work-in-progress can be found here:

	http://www.unixwiz.net/research/winser-a.html

If others have posted better analysis, I'd love to know about it so I
don't waste any more time :-)

Steve

-- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | steve@unixwiz.net