Date: Wed, 31 Jan 2001 20:09:33 -0800
From: Matt Lewis <matt@NINJAS.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Bind 8 Exploit - Trojan
The Bind 8 Exploit sent to bugtraq users by "nobody@replay.com" is a
Trojan, as I'm sure many have found out at this point.
It attacks dns1.nai.com, and I haven't researched it extensively yet,
wanted to get this out. There's quite possibly other things going on as
well, locally.
I straced it and got odd results, the last time I ran it, it didn't
launch the attack. Shellcode analyzation would be required here.
How did this get approved, did anyone test it or review it?
You can see the IP address for dns1.nai.com listed in the shellcode
included with the file. It forks off many copies of itself and violently
attacks NAI's nameserver.
I sent this out hastily, so forgive any mistakes made beyond the
original observation of the attack.
-Matt Lewis
