Spybot.zif - May Report Vulnerable Cisco Routers


  • Please log in to reply
No replies to this topic

#1 harrywaldron

harrywaldron

    Security Reporter


  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:06:48 PM

Posted 02 November 2005 - 08:04 AM

Spybot.ZIF - May report vulnerable CISCO routers to hackers

Spybot is commonly used by hackers as it tries multiple approaches to find weaknesses in security defenses, including both Microsoft and non-Microsoft vulnerabilities. Thus, it's important to patch everything, including CISCO routers, as this new variant has the potential to report vulnerable ones back to these malicious groups of individuals.

Spybot.ZIF - Internet Storm Center Link

Spybot.ZIF - Symantec Link

W32.Spybot.ZIF is a network-aware worm that opens a back door on the compromised computer. It spreads by exploiting common system vulnerabilities.

METHODS OF INFECTION

  • The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026).
  • The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
  • The Microsoft Windows ntdll.dll Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS03-007).
  • The Microsoft ASN.1 Library Bit String Processing Variant Heap Corruption (described in Microsoft Security Bulletin MS04-007).
  • The Workstation Service Buffer Overrun vulnerability (as described in Microsoft Security Bulletin MS03-049).
  • The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039).
  • The DameWare Mini Remote Control Server Pre-Authentication Buffer Overflow vulnerability (as described in Bugtraq ID 9213).
  • The VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability (as described here).
  • EXISTING BACKDOORS: Spreads to computers compromised by the following threats: Backdoor.SubSeven, Backdoor.NetDevil, W32.MyDoom, W32.Beagle, Backdoor.Optix
  • Exploits weak usernames/passwords to spread over network shares and to the Microsoft SQL server environment

SYMPTOMS & ATTACK METHODS

Opens a back door by contacting an IRC server on the domain scv.unixirc.de, through TCP port 6667. This back door allows a remote attacker to perform the following actions on the compromised computer:

  • Start and stop threads and processes
  • Start a SOCKS4 server
  • Start an HTTP server
  • Start an FTP server
  • Retrieve clipboard data
  • Sniff local network traffic
  • Run shell commands
  • Change IE start page
  • Flush DNS/ARP cache
  • Steal passwords from protected storage
  • Open and delete files
  • Download and execute files
  • Perform a denial of service (DoS) attack
  • View and delete registry keys
  • Obtain computer information such as CPU type, OS version, RAM, etc.
  • Scan a specified network range for Cisco routers that may have vulnerable Telnet or HTTP servers running and report results back to IRC.
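Added example (not part of the original post or of Symantec's write-up): detection logic for the two network behaviours described above, run over constructed firewall log lines. It flags hosts beaconing to the named IRC server on TCP 6667 and hosts fanning out to many distinct destinations on Telnet/HTTP, which is what the Cisco router sweep looks like from the inside. The `src=… dst=… dport=… dhost=…` key=value log format and the scan threshold are assumptions for this example.

```python
import re
from collections import defaultdict

# Indicators taken from the post: the IRC C2 host and port, plus the
# Telnet/HTTP ports the worm probes when sweeping a range for Cisco routers.
IRC_C2_HOST = "scv.unixirc.de"
IRC_PORT = 6667
ROUTER_MGMT_PORTS = {23, 80}
SCAN_THRESHOLD = 16  # distinct destinations on a mgmt port from one source (assumed)

# Hypothetical key=value firewall export format (constructed for this example).
LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: dhost=(?P<dhost>\S+))?"
)

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()          # dhost is None when the field is absent
    rec["dport"] = int(rec["dport"])
    return rec

def detect(lines):
    """Return (c2_sources, scanning_sources) found in the log lines."""
    c2 = set()
    fanout = defaultdict(set)    # source -> distinct destinations on 23/80
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["dport"] == IRC_PORT and rec["dhost"] == IRC_C2_HOST:
            c2.add(rec["src"])
        if rec["dport"] in ROUTER_MGMT_PORTS:
            fanout[rec["src"]].add(rec["dst"])
    scanners = {s for s, dsts in fanout.items() if len(dsts) >= SCAN_THRESHOLD}
    return c2, scanners

# Constructed sample: one normal web client, one infected host that beacons
# to the IRC server and then sweeps a /24 on Telnet.
SAMPLE_LOG = ["src=10.0.0.7 dst=203.0.113.9 dport=80 dhost=www.example.com",
              "src=10.0.0.23 dst=198.51.100.4 dport=6667 dhost=scv.unixirc.de"]
SAMPLE_LOG += [f"src=10.0.0.23 dst=10.0.1.{i} dport=23" for i in range(1, 41)]

if __name__ == "__main__":
    c2, scanners = detect(SAMPLE_LOG)
    print("IRC C2 beacons from:", sorted(c2))
    print("Router-management sweeps from:", sorted(scanners))
```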
