MS05-039 reduex

It seems that at least two of he persons involved in creating the Zotob variants and at least some of the Mytob worms have been arrested. Evidently one of these guys paid the other one to asseble the worm code as discussed on the F-Secure Virus Blog.
“The big news of the weekend was the arrest of two guys related to the Zotob worms (“Diabl0” and “Coder”).

But who are these guys really? And who’s behind the other PnP worms that were found during the last two weeks?

Well, we know that “Diabl0″ had also authored several of the Mytob variants since February this year. However, he’s not behind all of them. There’s around 70 known variants of Mytob and practically all of them create botnets of the infected machines. Some of these botnets have been controlled by unrelated groups, such as Blackcarder. And we’ve found new Mytob variants just yesterday, which obviously are not written by Diabl0. So several people have access to Mytob source code and have been making their own variants.

However, we do know that Diabl0 aka Farid Essebar was associated with 0x90-Team. For example, some earlier Mytob variants downloaded additional components”

Now, notice that the “0x90-team” website was defaced with a lecture immediately after the arrests, hackers telling these guys to stop with the script-kiddie-ness basically. Now, that doesnt mean there is a certain amount if skill involved in reassembling a working worm from (mostly) pre-made code but there is also a degree of stupidity there as well. In explanation note that variants of both of these worms downloaded packages from the very same websites these guys were affiliated with. Hello? Other people (av vendors, Feds, etc.) will reverse engineer your code and get all of that information and hammer the offending ‘tard.

For instance, Jeffry Lee Parson (aka t33kid) thought he as “l337” when he reworked a copy of MS Blaster and released it into the wild. But guess what, t33kid was dumb enough to have the worm wget packages from his own webserver and the Feds reversed the code, checked the website and busted his ass.

I monitor an IDS system daily and see alot of people making this same mistake. Typically they will scan looking for a particular exploit (awstats, pnp, etc) and then have a wget request to some free webhost like geocities where they store the package. The biggest mistake is the package is typically an ircbot/bouncer of some sort and they include the IRC server, channel, bot name, admin name and associated passwords in the plain text code.

The point is this, theres more to hacking than ./’ing some script or worm, at least make the effort to fully understand the technology your working with, stupid != ub3r l337.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: