Comments on: Chinese hackers turn PCs into zombies with MS08-067 http://www.thedarkvisitor.com/2008/11/chinese-hackers-turn-pcs-into-zombies-with-ms08-067/ Sat, 24 Dec 2011 19:52:10 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: jumper http://www.thedarkvisitor.com/2008/11/chinese-hackers-turn-pcs-into-zombies-with-ms08-067/comment-page-1/#comment-1453 jumper Fri, 14 Nov 2008 19:24:09 +0000 http://www.thedarkvisitor.com/?p=729#comment-1453 There are separate checkboxes for TCP and SYN. They are for scanning port 445 for windows boxes that might be vulnerable. TCP is for full connect and SYN is for half open. The site field is where the pwn3d machine will download a backdoor from. This tool doesn't give you a shell or anything it uses a download and execute payload. The exploit was ripped from the Ph4nt0m code which you can find on milw0rm. You can use your own shellcode. The Ph4nt0m exploit just has a bind shell payload from metasploit. The author of the tool has removed it from his website without any explanation. Hopefully someone will post something to the boards tonight so we can figure out why. There are separate checkboxes for TCP and SYN. They are for scanning port 445 for windows boxes that might be vulnerable. TCP is for full connect and SYN is for half open.

The site field is where the pwn3d machine will download a backdoor from. This tool doesn’t give you a shell or anything it uses a download and execute payload.

The exploit was ripped from the Ph4nt0m code which you can find on milw0rm. You can use your own shellcode. The Ph4nt0m exploit just has a bind shell payload from metasploit.

The author of the tool has removed it from his website without any explanation. Hopefully someone will post something to the boards tonight so we can figure out why.

]]> By: CBRP1R8 http://www.thedarkvisitor.com/2008/11/chinese-hackers-turn-pcs-into-zombies-with-ms08-067/comment-page-1/#comment-1449 CBRP1R8 Fri, 14 Nov 2008 14:43:32 +0000 http://www.thedarkvisitor.com/?p=729#comment-1449 TCP SYN is probably a tcp syn flood attack scan which is why its setting the 800 thread threshhold to attempt. A lot of attack tools do utilize the syn flood attack scan. The site field is kinda handy though.....I just built out another linux server in our lab I think i'll load apche on it and make a fake website to serve this out on (if i can find it) within our lab see how and if our systems can be compromised and what other mitigation factors I can take with it since we have nokia firewalls in place too in the simlab I can test this from an outside environment look to get a feel for attack methodology. cheers for this find though, i'll keep an eye out for this to try to download. TCP SYN is probably a tcp syn flood attack scan which is why its setting the 800 thread threshhold to attempt. A lot of attack tools do utilize the syn flood attack scan.

The site field is kinda handy though…..I just built out another linux server in our lab I think i’ll load apche on it and make a fake website to serve this out on (if i can find it) within our lab see how and if our systems can be compromised and what other mitigation factors I can take with it since we have nokia firewalls in place too in the simlab I can test this from an outside environment look to get a feel for attack methodology.

cheers for this find though, i’ll keep an eye out for this to try to download.

]]> By: jumper http://www.thedarkvisitor.com/2008/11/chinese-hackers-turn-pcs-into-zombies-with-ms08-067/comment-page-1/#comment-1441 jumper Thu, 13 Nov 2008 16:06:31 +0000 http://www.thedarkvisitor.com/?p=729#comment-1441 The page link is just a discussion about the program. I think you have to get it from the author for now. It will eventually show up on all of the other tools sites though. It is pretty easy to figure out how to use it. Start IP: 11.22.33.44 End IP 44.33.22.11 Number of Threads: 800 Port: 445 Scan Type: TCP SYN Site to download trojan from: http://www.google.cn/server.exe =========================== 800 threads seems like a lot to me but I'm sure that is what that field is for. Under scan type, TCP probably means a full connect scan and SYN is half-open. The page link is just a discussion about the program. I think you have to get it from the author for now. It will eventually show up on all of the other tools sites though.

It is pretty easy to figure out how to use it.

Start IP: 11.22.33.44
End IP 44.33.22.11

Number of Threads: 800 Port: 445

Scan Type: TCP SYN

Site to download trojan from: http://www.google.cn/server.exe

===========================
800 threads seems like a lot to me but I’m sure that is what that field is for. Under scan type, TCP probably means a full connect scan and SYN is half-open.

]]> By: CBRP1R8 http://www.thedarkvisitor.com/2008/11/chinese-hackers-turn-pcs-into-zombies-with-ms08-067/comment-page-1/#comment-1440 CBRP1R8 Thu, 13 Nov 2008 14:15:17 +0000 http://www.thedarkvisitor.com/?p=729#comment-1440 to bad this isn't available in english. I wouldn't mind testing this out in my lab environment. I can't read anything on the page link :( to bad this isn’t available in english. I wouldn’t mind testing this out in my lab environment. I can’t read anything on the page link :(

]]> By: Heike http://www.thedarkvisitor.com/2008/11/chinese-hackers-turn-pcs-into-zombies-with-ms08-067/comment-page-1/#comment-1424 Heike Wed, 12 Nov 2008 04:00:14 +0000 http://www.thedarkvisitor.com/?p=729#comment-1424 Jumper, Try <a href="http://www.tuhigh.com/group/revertTopic/348/2682" rel="nofollow"> this address</a> Jumper,

Try this address

]]> By: Heike http://www.thedarkvisitor.com/2008/11/chinese-hackers-turn-pcs-into-zombies-with-ms08-067/comment-page-1/#comment-1423 Heike Wed, 12 Nov 2008 03:41:44 +0000 http://www.thedarkvisitor.com/?p=729#comment-1423 Good luck with that invite...I'll try to find another download site. ;) Good luck with that invite…I’ll try to find another download site. ;)

]]> By: jumper http://www.thedarkvisitor.com/2008/11/chinese-hackers-turn-pcs-into-zombies-with-ms08-067/comment-page-1/#comment-1422 jumper Wed, 12 Nov 2008 02:05:52 +0000 http://www.thedarkvisitor.com/?p=729#comment-1422 Thanks for tracking it down. I just need an invite to the VIP area of the site to DL it. If you controlled 100,000 computers, what would you install on them besides lolcats? Thanks for tracking it down. I just need an invite to the VIP area of the site to DL it.

If you controlled 100,000 computers, what would you install on them besides lolcats?

]]> By: Heike http://www.thedarkvisitor.com/2008/11/chinese-hackers-turn-pcs-into-zombies-with-ms08-067/comment-page-1/#comment-1421 Heike Tue, 11 Nov 2008 20:53:45 +0000 http://www.thedarkvisitor.com/?p=729#comment-1421 Jumper, You should have an e-mail with the download site for the program in your inbox. Happy hunting! Uhmmm, you're kidding about the photo-rotating kitten thingy, right?!? RIGHT?!! :) Jumper,

You should have an e-mail with the download site for the program in your inbox. Happy hunting!

Uhmmm, you’re kidding about the photo-rotating kitten thingy, right?!? RIGHT?!! :)

]]>