
Thread: Latest Netsky variant

  1. #1
    PHP/PostgreSQL guy (Join Date: Dec 2001; Posts: 1,164)

    Latest Netsky variant

    According to this article here, the latest variant of Netsky doesn't even need anyone to open an attachment as it uses XML (which can be rendered through an email client in a preview pane). Downright scary!

    This new V variant has malicious XML code hidden in the message body of the email. When a user opens the email to read it, the code automatically seeks out a known object validation vulnerability in Microsoft Corp.'s Outlook and Internet Explorer software. The vulnerability allows the malicious code to be trusted, installed and executed on the local system.

    Once the computer is infected, the malicious code will install a backdoor that listens to TCP ports 5556 and 5557. Netsky-V is designed to launch denial-of-service attacks on several Web sites between April 22 and April 28. The sites to be attacked include kazaa.com; emule.de; cracks.am; freemule.net, and keygen.us.

    If you're using Outlook/IE/OE, better start looking for an alternate email client. However, it makes me wonder how much longer it will be before we see a strain written to detect what client you're using (I use Opera's, for example) and alter its code accordingly... at run-time.

    EDIT: A possible "workaround" would be to immediately deny all traffic leaving from ports 5550-5560 (if you have a software firewall or a router) to prevent your ISP from shutting you down because you were part of a possible DDoS.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
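As an added example (not code from the original post or from the quoted article), the script below turns the concrete facts in the post into something checkable: it parses constructed netstat-style output for TCP listeners on 5556/5557, tells you whether a date falls inside the announced DoS window, and renders firewall rules for an assumed Linux gateway in iptables syntax (the post only says "a software firewall or a router", so the gateway, the rule syntax and the netstat sample are all assumptions). One caveat a practitioner would want stated: the backdoor is a listener, so what keeps an operator out is dropping inbound connections to those ports; dropping traffic that leaves from 5550-5560 only discards the backdoor's replies, and neither rule stops the DoS traffic itself, which goes out to the targets' ordinary web ports. The rules that drop outbound traffic to the five named target hosts are what actually address the ISP-complaint worry; iptables resolves such hostnames once, when the rule is inserted.

```python
"""Added example, not from the original post or the quoted article.

Facts taken from the post: the backdoor listens on TCP 5556/5557, the DoS
runs April 22-28 against five named sites, and the poster suggests blocking
traffic leaving from ports 5550-5560.  Everything else (netstat sample,
Linux gateway, iptables syntax) is assumed for illustration.
"""
from datetime import date

BACKDOOR_PORTS = {5556, 5557}             # from the quoted article
POSTER_EGRESS_RANGE = range(5550, 5561)   # the post's suggested 5550-5560 block
DOS_WINDOW = (date(2004, 4, 22), date(2004, 4, 28))   # from the quoted article
DOS_TARGETS = ("kazaa.com", "emule.de", "cracks.am", "freemule.net", "keygen.us")

# Constructed `netstat -an`-style output (Windows column layout); not a real capture.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:5556           0.0.0.0:0              LISTENING
TCP    0.0.0.0:5557           0.0.0.0:0              LISTENING
TCP    192.168.1.10:1043      64.233.161.99:80       ESTABLISHED
UDP    0.0.0.0:137            *:*
"""


def backdoor_listeners(netstat_text, ports=frozenset(BACKDOOR_PORTS)):
    """Return [(local_address, port)] for TCP sockets LISTENING on a backdoor port.

    Protocol, state and port are all checked, so an ESTABLISHED outbound
    connection that happens to use 5556 as its ephemeral source port is
    not reported.
    """
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, port = fields[1].rpartition(":")   # rpartition also copes with "[::]:5556"
        if port.isdigit() and int(port) in ports:
            hits.append((host, int(port)))
    return hits


def in_dos_window(day, window=DOS_WINDOW):
    """True if `day` (a date or an ISO 'YYYY-MM-DD' string) is inside the announced DoS period."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    start, end = window
    return start <= day <= end


def firewall_rules(ports=BACKDOOR_PORTS, egress_range=POSTER_EGRESS_RANGE, targets=DOS_TARGETS):
    """Render iptables rules for an assumed Linux gateway (assumption, not from the post).

    Three rule groups, because they stop different things:
      INPUT  --dport on the backdoor ports keeps operators from reaching the listener;
      OUTPUT --sport on 5550-5560 is the post's own workaround and drops the backdoor's replies;
      OUTPUT -d <target> drops the DoS traffic to the named sites (hostnames are
             resolved by iptables once, when the rule is inserted).
    """
    rules = [f"iptables -A INPUT -p tcp --dport {p} -j DROP" for p in sorted(ports)]
    lo, hi = egress_range.start, egress_range.stop - 1
    rules.append(f"iptables -A OUTPUT -p tcp --sport {lo}:{hi} -j DROP")
    rules.extend(f"iptables -A OUTPUT -d {host} -j DROP" for host in targets)
    return rules


if __name__ == "__main__":
    for host, port in backdoor_listeners(SAMPLE_NETSTAT):
        print(f"backdoor listener on {host}:{port}")
    print("inside announced DoS window today:", in_dos_window(date.today()))
    print("\n".join(firewall_rules()))
```

Run it against real `netstat -an` output by piping the text into `backdoor_listeners`; the rule list is meant to be reviewed and then applied on the gateway, not executed blindly from the script.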

  2. #2
    The sites to be attacked include kazaa.com; emule.de; cracks.am; freemule.net, and keygen.us.

    I bet RIAA has a hand in this... ^_^ That is pretty freaky; however, I use Mozilla. Also, just turn off HTML.

    -Cheers-

  3. #3
    PHP/PostgreSQL guy (Join Date: Dec 2001; Posts: 1,164)

    Agreed, and I'll only be using IE to "update" Windows, rofl...

    Glad Opera's not tied to the system in any sense and will render XML just fine.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  4. #4
    Senior Member (Join Date: Nov 2001; Posts: 4,785)

    Maybe it's just me, but this virus sounds a lot more like the work of the MyDoom gang... opening ports to download SMTP servers and DoSing sites to cover their intentions.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    Maybe it's just me, but this virus sounds a lot more like the work of the MyDoom gang... opening ports to download SMTP servers and DoSing sites to cover their intentions.

    You think it's spammers using DoS as cover to get SMTP servers/mass mail?

    -Cheers-

  6. #6
    nihil, Senior Member (Join Date: Jul 2003; Location: United Kingdom: Bridlington; Posts: 17,188)

    IMHO,

    The preview pane should not be there anyway; it is a damn stupid idea. All you need is one e-mail with a corrupted header and that freezes your box. Then you have to reboot. Then you want to delete the offending item, so you open the e-mail client and it immediately "previews" the corrupted header of the first record...

    Could keep a guy amused for hours

    My message is DISABLE the preview pane in ALL mail servers that have one.

    Cheers

  7. #7
    Senior Member (Join Date: Nov 2001; Posts: 4,785)

    PM8228, not actually the spammers but a group of black hats (looks like Russians) that are spreading their back doors using worms. They upload SMTP engines, then sell them to spammers. The original Netsky gang was warring with the Doom group by releasing Netsky, which killed the back doors and removed the reg entries for various worms put out by the 'Doom' group. They were also making threats to each other in comments in the code of the worm itself. The original MyDoom was aimed to DoS SCO's site, but these cats could really care less about SCO and corporate struggles. They steal identities and hijack computers to be sold to spammers. DoSing the site was just a diversion. So I guess the answer would be yes, I do think that. I just find it an interesting turn that the name Netsky is being used for a 'MyDoom gang' type worm.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
