Re: Disabling QAZ (was Re: Port 139 scans)
On Fri, 29 Sep 2000, John Fraizer wrote:
> On Fri, 29 Sep 2000, Dan Hollis wrote:
> > It would be cool if someone would make a tool that would auto-disinfect users...
>
> Yep. The problem with that is that current laws on the books (in the US at least) make this an illegal solution. If memory serves me correctly, the one I'm thinking about is worded something like: "...any person who without authorization, accesses, modifies, deletes or destroys..."

A web page that users themselves must click "OK, disinfect me"? Seems authorization enough to me...

> The penalties are pretty stiff too. The best of intentions don't negate the fact that it's illegal.

When the user initiates the disinfection themselves?

-Dan
I am willing to scrape together a script to shut down the virus on an infected machine and put it in a CGI web page. I'm not sure about volume but initially I think I can host it. In the event my 1Mbit connection is overwhelmed I'll need another place....

What stops me at the moment is that I have no authorization to test against any infected machine. I need a target. I'm willing to also try for making the connection to the share and removing the infection but I'm not sure I can get it in time. At least a shutdown page would do something.

I will start writing my code and await direct e-mail with authorization and a target IP address to test against. Note that I have plenty of potential test targets in my Samba logs :-( but no legal authority to connect to those machines.

----- Original Message -----
From: "Dan Hollis" <goemon@sasami.anime.net>
To: <nanog@merit.edu>
Sent: Friday, September 29, 2000 4:42 PM
Subject: Re: Disabling QAZ (was Re: Port 139 scans)
Please be aware, folks, that whoever is introducing this crap is probably reading this list.

--
Alex Bligh
VP Core Network, XO Communications - http://www.xo.com/
(formerly Nextlink Inc, Concentric Network Corporation GX Networks, Xara Networks)
At 05:02 PM 9/29/00 -0400, Dana Hudes wrote:
> I am willing to scrape together a script to shut down the virus on an infected machine and put it in a CGI web page.

Well, that solves the problem until the reboot. After that, the registry key opens that puppy right back up. The trick is to gut it COMPLETELY.

This virus supposedly supports three commands: upload, run and quit. I can't get upload to work, and I lost the manpage (ha, ha). It is possible to upload a file (perhaps compiled C?) that rips out the registry entry and renames the appropriate files on reboot. In fact, one could (legality aside) write up the program to use QAZ as the delivery mechanism for its own death. There's something poetic about that...

I have a copy of the worm zipped here- if you'd like it drop me a private email.

> I'm not sure about volume but initially I think I can host it. In the event my 1Mbit connection is overwhelmed I'll need another place.... What stops me at the moment is that I have no authorization to test against any infected machine. I need a target.

I'd offer mine, but I have it isolated.

> I'm willing to also try for making the connection to the share and removing the infection but I'm not sure I can get it in time. At least a shutdown page would do something.

Half measures merely delay the inevitable- I believe it is best to expunge it right off the bat and never have to deal with the recurrences.

> I will start writing my code and await direct e-mail with authorization and a target IP address to test against. Note that I have plenty of potential test targets in my Samba logs :-( but no legal authority to connect to those machines.

My current thought is to simply put a .reg and .bat file up on the web, with instructions on how to use it. Run the .reg to kill the registry key, and run the .bat file to rename the files after the reboot. Of course, it may be easier to simply have a standard email explaining the virus and the removal procedure (my current solution; if anyone wants a copy of the email drop me a line). I will stick with this approach unless the script fully removes (as opposed to temporarily disabling) the virus.

Another interesting note- the virus will not allow your computer to reboot if someone is connected to the telnet port.

On a side note, if anyone knows a good logfile-parsing perl script that pulls out all the IP addresses in a log, I'd love a copy. I have one, but it is very clunky and I daresay a better perl coder than I has tackled this issue. I only ask because this worm has increased the number of other people's (variously formatted) logfiles in my inbox by about 900%. :)

---
Ben Browning <benb@oz.net>
oz.net Network Operations
Tel (206) 443-8000 Fax (206) 443-0500
http://www.oz.net/
Can't you just download a .reg file to the luser and instruct him to click on it? Or use one of the well-known SMB/CIFS exploits to make it execute your code - i.e., the .reg file?

Also, variants I've seen replace NOTEPAD.EXE with a hacked version - they merely rename the real NOTEPAD.EXE, then substitute a larger one, for what it's worth.

Ben Browning wrote:
-- ------------------------------------------------------------ Roland Dobbins <rdobbins@netmore.net> // 818.535.5024 voice
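As an added example (not a tool posted in this thread, and not Ben's or Roland's script), here is the two-stage cleanup Ben describes, a .reg to kill the autostart entry before the reboot and a rename step after it, written as one batch file so it can be handed to a user with instructions. It also covers Roland's point that the worm parks the real NOTEPAD.EXE under another name rather than deleting it. The Run value name "startIE", the NOTE.COM backup name, the "qazwsx.hsq" argument and TCP port 7597 are taken from public write-ups of W32/QAZ, not from this thread, and C:\WINDOWS is an assumed default; check all of them against a captured sample (Ben offers one above) before shipping this to anyone.

```batch
@echo off
rem qazclean.bat - two-stage removal of the QAZ worm (added example, not from the thread)
rem
rem Stage 1 (run now, then reboot):  delete the Run-key value that restarts the worm.
rem Stage 2 (run after the reboot):  the worm is no longer running, so swap the real
rem                                  NOTEPAD.EXE back into place.
rem
rem Assumptions (from public write-ups of W32/QAZ, verify against your own sample):
rem   - autostart is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value "startIE",
rem     data "C:\WINDOWS\notepad.exe qazwsx.hsq"
rem   - the original NOTEPAD.EXE was renamed NOTE.COM and the worm installed as NOTEPAD.EXE
rem   - Windows lives in C:\WINDOWS (pass a second argument to override, e.g. D:\WINNT)
rem   - the backdoor listens on TCP 7597 (used only for the final manual check)

set STAGE=%1
rem Trailing underscore so we do not clobber the real WINDIR environment variable.
set WINDIR_=%2
if "%WINDIR_%"=="" set WINDIR_=C:\WINDOWS
set TMPREG=%TEMP%\qazkill.reg
if "%TEMP%"=="" set TMPREG=C:\qazkill.reg

if "%STAGE%"=="stage1" goto stage1
if "%STAGE%"=="stage2" goto stage2
echo usage: qazclean.bat stage1 [windir]    (then reboot)
echo        qazclean.bat stage2 [windir]
goto end

:stage1
rem Build a REGEDIT4 file; a value line of the form "name"=- deletes that value.
rem regedit /s imports silently on Win9x, NT4 and 2000, unlike reg.exe which is not everywhere.
echo REGEDIT4> %TMPREG%
echo.>> %TMPREG%
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>> %TMPREG%
echo "startIE"=->> %TMPREG%
regedit /s %TMPREG%
del %TMPREG%
echo Autostart value removed. Reboot now, then run: qazclean.bat stage2 %WINDIR_%
goto end

:stage2
rem Refuse to touch anything if the expected backup of the real notepad is not there;
rem a different variant may use other names and blind renaming would break notepad.
if not exist %WINDIR_%\NOTE.COM goto nobackup
rem Keep the worm binary under a harmless name for analysis instead of deleting it.
ren %WINDIR_%\NOTEPAD.EXE NOTEPAD.QAZ
ren %WINDIR_%\NOTE.COM NOTEPAD.EXE
echo Worm copy kept as %WINDIR_%\NOTEPAD.QAZ; real NOTEPAD.EXE restored.
echo Check: NOTEPAD.EXE should now be the small original, and "netstat -an"
echo should show nothing LISTENING on TCP 7597.
goto end

:nobackup
echo %WINDIR_%\NOTE.COM not found: this is not the variant this script expects.
echo Nothing was renamed. Inspect the machine by hand before going further.

:end
```

The order matters: deleting the Run value first and renaming only after a reboot is what turns Dana's "shutdown until reboot" into a removal, since on the second run the worm's NOTEPAD.EXE is no longer executing and the original can be put back. If the Run value or file names on a captured sample differ from the assumptions above, change the three constants and nothing else.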
2000-09-29-18:51:16 Ben Browning:
> On a side note, if anyone knows a good logfile parsing perl script that pulls out all the IP addresses in a log, I'd love a copy.

How about

    perl -lne 'print $1 for /(\d+\.\d+\.\d+\.\d+)/g'

Take the output of that and feed it through dnsfilter (from djbdns, <URL:http://djbdns.org/>) and you can get the reverse lookups easy. Fast, too, especially if you're running dnscache for your recursive resolver.

-Bennett
participants (6): Alex Bligh, Ben Browning, Bennett Todd, Dan Hollis, Dana Hudes, Roland Dobbins