[nsp-sec] Bracing For Impact... MS08-067

Nicholas Ianelli ni at cert.org
Fri Oct 24 13:05:05 EDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>> These IP addresses are just getting pinged with the "abcde12345fghij6789" payload, right?

> I can confirm 202.108.22.44 and 64.233.189.147 - but not 212.227.93.146

Ok, so the code uses the IcmpSendEcho API:

http://msdn.microsoft.com/en-us/library/aa366050.aspx

Both 202.108.22.44 and 64.233.189.147 are located within the same
function, while 212.227.93.146 is off by itself with no cross references
to the code block.

Unless something jumps to that section in memory (which I doubt it
does), it will never get executed, hence the reason you are seeing any
traffic from this malware to 212.227.93.146.

FWIW, it would appear that 202.108.22.44 will be tried first. Based on
the results of a cmp, 64.233.189.147 may be tried, otherwise the
function returns.

Nick

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkkCAEEACgkQi10dJIBjZIDHTACg3+j9lLyhi9IVSdovqfJceAca
XnkAoMIU27kI2fr10srwKor4xvc3sd5r
=bpYl
-----END PGP SIGNATURE-----
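Nick's note describes the beacon behaviour concretely: ICMP echo requests built with IcmpSendEcho, carrying the "abcde12345fghij6789" payload, sent to 202.108.22.44 and then possibly 64.233.189.147. The following is an added defender-side example, not code from the thread or from the malware: it parses raw IPv4/ICMP packets, verifies the ICMP checksum, and flags echo requests that carry that payload (strongest signal when the destination is one of the three addresses named above). The sample packets are constructed in the block for offline testing; the benign "abcdefghijklmnopqrstuvwabcdefghi" comparison payload is the default Windows ping payload, included as an assumption about normal traffic.

```python
import struct
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Indicators quoted in the thread above
BEACON_PAYLOAD = b"abcde12345fghij6789"
BEACON_HOSTS = {"202.108.22.44", "64.233.189.147", "212.227.93.146"}

ICMP_ECHO_REQUEST = 8
IP_PROTO_ICMP = 1


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct an IPv4 packet carrying an ICMP echo request (constructed test data only)."""
    icmp_hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(icmp_hdr + payload)
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload
    total_len = 20 + len(icmp)
    # IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum (0), src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IP_PROTO_ICMP, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return ip_hdr + icmp


def parse_icmp_echo(packet: bytes) -> Optional[Tuple[str, str, bytes]]:
    """Return (src, dst, payload) for a well-formed ICMP echo request, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_ICMP or len(packet) < ihl + 8:
        return None
    src = str(ip_address(packet[12:16]))
    dst = str(ip_address(packet[16:20]))
    icmp = packet[ihl:]
    icmp_type, _code, csum = struct.unpack("!BBH", icmp[:4])
    if icmp_type != ICMP_ECHO_REQUEST:
        return None
    # Recompute the checksum with the checksum field zeroed; a corrupted or
    # truncated packet must not be reported as a confirmed beacon.
    if icmp_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]) != csum:
        return None
    return src, dst, icmp[8:]


def classify(packet: bytes) -> Optional[str]:
    """'beacon' = known payload to a listed host; 'payload-only' = known payload elsewhere; None = no match."""
    parsed = parse_icmp_echo(packet)
    if parsed is None:
        return None
    _src, dst, payload = parsed
    if payload != BEACON_PAYLOAD:
        return None
    return "beacon" if dst in BEACON_HOSTS else "payload-only"


def scan(packets: List[bytes]) -> List[Tuple[str, str, str]]:
    """Return (verdict, src, dst) for every packet that matches the indicator."""
    alerts = []
    for pkt in packets:
        verdict = classify(pkt)
        if verdict is not None:
            src, dst, _ = parse_icmp_echo(pkt)
            alerts.append((verdict, src, dst))
    return alerts


# Constructed sample traffic: one beacon, one normal Windows ping, one payload hit to an unlisted host
SAMPLE_PACKETS = [
    build_echo_request("10.0.0.5", "202.108.22.44", BEACON_PAYLOAD),
    build_echo_request("10.0.0.5", "198.51.100.1", b"abcdefghijklmnopqrstuvwabcdefghi"),
    build_echo_request("10.0.0.5", "192.0.2.9", BEACON_PAYLOAD),
]

if __name__ == "__main__":
    for verdict, src, dst in scan(SAMPLE_PACKETS):
        print(f"{verdict}: {src} -> {dst}")
```

The payload match alone is the portable indicator; the destination list only raises confidence, since an operator could change the targets without touching the beacon routine. Feeding the parser from a pcap reader instead of the constructed list is the only change needed to run it over real captures.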


