[18943] in bugtraq

Re: Bind 8 Exploit - Trojan

daemon@ATHENA.MIT.EDU (Talisker)
Fri Feb 2 03:10:08 2001

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <014901c08c99$827eb200$d05d883e@home>
Date: Thu, 1 Feb 2001 21:54:05 -0000
Reply-To: Talisker <Talisker@NETWORKINTRUSION.CO.UK>
From: Talisker <Talisker@NETWORKINTRUSION.CO.UK>
X-To: Matt Lewis <matt@NINJAS.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM

> How did this get approved, did anyone test it or review it?

Didn't you? - I'd rather see the information despatched to us quickly and
treat it with caution, than have delays introduced whilst the code is
rigorously tested.  The moderators already have a lot on their plate without
dumping this responsibility on them.

Take Care
Andy
http://www.networkintrusion.co.uk
Talisker's Network Security Tools List

Security Tools Notification
http://groups.yahoo.com/group/security-tools/join

----- Original Message -----
From: "Matt Lewis" <matt@NINJAS.ORG>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Thursday, February 01, 2001 4:09 AM
Subject: Bind 8 Exploit - Trojan


> The Bind 8 Exploit sent to bugtraq users by "nobody@replay.com" is a
> Trojan, as I'm sure many have found out at this point.
>
> It attacks dns1.nai.com, and I haven't researched it extensively yet,
> wanted to get this out. There's quite possibly other things going on as
> well, locally.
>
> I straced it and got odd results, the last time I ran it, it didn't
> launch the attack. Shellcode analyzation would be required here.
>
> How did this get approved, did anyone test it or review it?
>
> You can see the IP address for dns1.nai.com listed in the shellcode
> included with the file. It forks off many copies of itself and violently
> attacks NAI's nameserver.
>
> I sent this out hastily, so forgive any mistakes made beyond the
> original observation of the attack.
>
> -Matt Lewis
>
