New Worm Installs Sniffer
fmorgan writes "Netcraft just posted a note saying that a new worm installs a network sniffer in the infected computers." When I read these things it kind of makes me wonder why it took this long. Update: 09/13 22:47 GMT by T :
More innovation: Ant writes "The Register has a story about a piece of malware that 'talks' to victims. The Amus email worm uses Windows Speech Engine (which is built-in to Windows XP) to deliver a curious message to infected users.
The message reads: "How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule." ("Gule. Gule" is Turkish for "Bye. Bye". "Hamsi" is a small fish, like an anchovy, found in the Black Sea).
F-Secure has a copy of the sound file generated by the message."
How much longer before worms use their own TCP/IP stack? Wouldn't much surprise me, and might be beneficial for getting around firewalls. Might be a cool little project to make a zoo virus that does it.
Disconnect and self-destruct, one bullet at a time.
The newest MyDoom variant has the author asking for a job...
http://www.vnunet.com/news/1158043
The Amus worm speaks to infected users.
I don't know if I should laugh or cry. I just know I'm getting calls in the next few days because someone's computer says "How are you...".
2. I love the fact that this worm drops itself as BLING.EXE
3. This worm uses carnivore network sniffer and checks for the following strings
As Taco said, I'm surprised it's taken this long. Considering it uses 5 patched vulnerabilities I'd say you deserve what you get in this case.
4. This is particularly... clever? It does all kinds of things that I would put in as feature requests for the perfect worm
- It has 6 paths of infection: 5 vulnerabilities (as above) plus open shares
- It attempts to steal CD keys for some games.
- It installs a network sniffer
- It has an interface with 26 commands that the bad guys can use on an 0wned box
- It can log keystrokes
It doesn't destroy anything all by itself, although it probably crashes some boxen through the exploits (was that just Sasser, or is that part of the LSASS flaw?) It still sucks, but it's just an expected evolution. I'm still waiting for the really bad one...
......ran windows update on all infected machines? Would people get pissed?
-Randy
I've always wondered about that kind of thing... most especially, what's to stop the antivirus companies from writing their own virii?
Not that they'd need to do it at this point, but talk about your perpetual business model...
Imagine the publicity if an anti-virus software vendor were able to prove that a virus was produced by one of its competitors.