Trojan author revealed (was: Re: [Full-Disclosure] ProFTPD-1.2.9rc2 remote root exploit)

Cael Abal lists at onryou.com
Sat Oct 25 01:35:24 BST 2003


> Hrmm. Ok I'm no Sherlock Holmes but even I could see through this
> 'analysis'. This is obviously an elaborate attempt to soil the reputations
> of the fine people, dare I say heroes of information security, at
> GOBBLES security.
> 
> Let's examine the case at hand:
> 
> 1) Someone makes the effort of cutting up an existing public GOBBLES
> shellcode. An act that requires just as much effort as writing
> original opcode.
> 
> 2) This cutup version is used in a 'trojan' even my grandmother
> would be able to spot. (Obscure in-exploit overflows are way more
> effective, folks; ask HD "I pioneered screensavers" Moore).
> 
> 3) Some random hero pops up on the list pointing out that
> 'hey, this is GOBBLES shellcode *WINK*'
> 
> Now who, on God's green earth, would recognise shellcode from
> an obscure exploit that was published months ago, if they
> didn't have it fresh in memory?
> 
> So I think it's rather obvious that either zeroboy or one of his
> friends is responsible for this trojan, and he has some sort of
> rancune towards GOBBLES. Either that or he
> has a serious hardon for memorising hex opcode buffers.

Hi, Mitch -- welcome to the Internet!  Here's a tool you might find
helpful; it's called a 'Search Engine'!  ;)

A quick google for a few bytes worth of shellcode returned a few pages
of jinglebellz.c related discussion.

http://www.jikos.cz/jikos/dev/shcode.asm for example.

C




Full-Disclosure is hosted and sponsored by Secunia.