Author Topic: W32.Beagle.BY@mm  (Read 6070 times)

0 Members and 1 Guest are viewing this topic.

November 07, 2007, 03:56:31 am
Read 6070 times

Drusepth

  • Special Members
  • Full Member

  • Offline
  • *

  • 57
  • Personal Text
    Drusepth
    • Drusepth.net
I'm getting strange incoming connections on my router logs to my PC on port 9030, and so I was googling what it was used for and got these pages:
http://www.securityspace.com/smysecure/catid.html?id=54497
Quote
The remote host appears to be infected with the
W32.Beagle.BY@mm trojan. This trojan allows
remote access to your system via port 9030.

I'm on linux at the moment with 9030 closed, but am still getting incoming connections.  I was going to kill my windows partition anyway, but if anyone wants to know anything more about this backdoor or something, feel free to ask.  I'm also getting outgoing connections going out on port 9030.

This would also be a good time to talk about what you should do to secure the other computers on your network when you find one has a worm or other malware.  ;)

Also, on a most likely unrelated note, I'm getting excessive incoming connections trying port 5900 (vnc).

November 07, 2007, 10:55:13 am
Reply #1

sowhat-x

  • Guest
Quote
...this would also be a good time to talk about what you should do,
to secure the other computers on your network when you find one has a worm or other malware...

...hmmm,let me think...maybe also kill the rest of windows installations/partitions left around? :D ;D

Ok,besides the humouristic aspect of comparing *nix systems to win32...
I had encountered lots of Beagle/Bagle variants in file-sharing networks in the past...
these guys were making use of a pretty simple,
yet enough effective social-engineering trick,in order to disguise this crap...
they had filled the p2p networks with TONS of fake releases,
that had the word "fix" appended in their name...for example,
supposing that the search string's request was "videotutorials-Xvid.HQ.rar",
there would also be listed a "videotutorials.Xvid.HQ.fix.rar" as an option...
The first thought that would come to a user's mind,
is that the original archive had some kind of checksum corruption,
and that..."some nice guy out there",re-released a "corrected" version of it...

Haven't kept these samples unfortunately...maybe I should...
what I do remember though,is that say 80,or maybe even 90% of them,
were making use of PEiD sign fakers...yeah,sure...like this annoying stupid 'hack',
would made detection or analysis more difficult or so... :)

Quote
...excessive incoming connections trying port 5900...
I would bet this is last years' vnc-auth-bypass exploit scanning,
lots of bot sources have been modded with the addition of this feature...
Quite reasonable...after all,this was a pretty ridiculous exploit...  :(

November 07, 2007, 06:06:00 pm
Reply #2

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964
I'm getting strange incoming connections on my router logs to my PC on port 9030, and so I was googling what it was used for and got these pages:
http://www.securityspace.com/smysecure/catid.html?id=54497
Quote
The remote host appears to be infected with the
W32.Beagle.BY@mm trojan. This trojan allows
remote access to your system via port 9030.

I'm on linux at the moment with 9030 closed, but am still getting incoming connections.  I was going to kill my windows partition anyway, but if anyone wants to know anything more about this backdoor or something, feel free to ask.  I'm also getting outgoing connections going out on port 9030.

This would also be a good time to talk about what you should do to secure the other computers on your network when you find one has a worm or other malware.  ;)

Also, on a most likely unrelated note, I'm getting excessive incoming connections trying port 5900 (vnc).

This is a good reason why users shouldn't rely too heavily on routers as a a complete solution to protect themself. They are not invincible behind it. While it adds a layer of protection for computers inside the network from computers outside the network, it also can add an extra chance of causing problems, for example if DoS exploits are discovered for the router firmware. If something does get onto a computer in the network then it can access computers from within the network with ease just as if the router wasn't there. Unless of course extra steps have been taken to secure things, but I think most home users just leave things pretty much default.

One of the best ways to protect yourself is also the simplest, keep the operating systems updated. Providing there are no problems updating this would only leave social engineering and zero day exploits.

Quote
...this would also be a good time to talk about what you should do,
to secure the other computers on your network when you find one has a worm or other malware...

...hmmm,let me think...maybe also kill the rest of windows installations/partitions left around? :D ;D

Ok,besides the humouristic aspect of comparing *nix systems to win32...
I had encountered lots of Beagle/Bagle variants in file-sharing networks in the past...
these guys were making use of a pretty simple,
yet enough effective social-engineering trick,in order to disguise this crap...
they had filled the p2p networks with TONS of fake releases,
that had the word "fix" appended in their name...for example,
supposing that the search string's request was "videotutorials-Xvid.HQ.rar",
there would also be listed a "videotutorials.Xvid.HQ.fix.rar" as an option...
The first thought that would come to a user's mind,
is that the original archive had some kind of checksum corruption,
and that..."some nice guy out there",re-released a "corrected" version of it...

Haven't kept these samples unfortunately...maybe I should...
what I do remember though,is that say 80,or maybe even 90% of them,
were making use of PEiD sign fakers...yeah,sure...like this annoying stupid 'hack',
would made detection or analysis more difficult or so... :)

Quote
...excessive incoming connections trying port 5900...
I would bet this is last years' vnc-auth-bypass exploit scanning,
lots of bot sources have been modded with the addition of this feature...
Quite reasonable...after all,this was a pretty ridiculous exploit...  :(

You can still find a lot of malware on most of the P2P networks. And there are so many out there that people use. Still using basic things like luring people in with hopes of finding pictures of their favorite celebrity naked etc.. You would think the people running the networks would try and do something to reduce the amount of malware spreading. Maybe they do and I'm just unaware of it.