The Prototype Still Works; Insider Threat Paper; More Keylogging; Translation
Last Updated: 2004-08-26 20:51:29 UTC
by Marcus Sachs (Version: 1)
Insider Threat Paper
The CERT Coordination Center recently published an excellent paper on the insider threat facing banks and other financial institutions. This one is worth a read: http://www.cert.org/archive/pdf/bankfin040820.pdf
More Keylogging
We had yet another report of keystroke logging, most likely by a Russian group. The keylogger sends data to an FTP site located in the 216.55.169.0 netblock. This block is assigned to an ISP in San Diego and they've been notified. Check your netflows for activity to this block and investigate if you find anything. Many of the keyloggers we are seeing are using FTP to transfer the captured data, so a simple Snort alert looking for outbound FTP connections or FTP commands might provide an early warning about a hijacked box.
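As an added example (not part of the original diary), the following script applies the two checks suggested above to netflow records: flag any flow whose destination falls in the 216.55.169.0 netblock, and flag any outbound FTP control connection from internal hosts. The /24 prefix length, the 10.0.0.0/8 internal range, the one-line-per-flow record format and the sample flows are all constructed assumptions for illustration.

```python
"""Flag netflow records matching the keylogger indicators from the diary:
traffic to the 216.55.169.0 netblock, and outbound FTP control connections."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Netblock named in the diary; the /24 prefix length is an assumption.
SUSPECT_NETBLOCK = ipaddress.ip_network("216.55.169.0/24")
# Assumed internal address space; adjust for your own site.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FTP_CONTROL_PORT = 21

# Constructed sample in a simplified one-line-per-flow format (assumed, not a
# real exporter's output): <timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto> <bytes>
SAMPLE_FLOWS = """\
2004-08-26T18:01:02Z 10.1.4.22 3345 216.55.169.77 21 tcp 412
2004-08-26T18:01:05Z 10.1.4.22 3346 216.55.169.77 2048 tcp 18822
2004-08-26T18:02:11Z 10.1.7.9 3890 198.51.100.10 80 tcp 2200
2004-08-26T18:03:40Z 10.1.9.5 4000 203.0.113.5 21 tcp 900
2004-08-26T18:04:00Z 10.1.9.5 4001 10.1.2.3 21 tcp 600
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record into a Flow."""
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return Flow(ts, ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport), proto.lower(), int(nbytes))


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> List[str]:
    """Return the list of reasons a flow is suspicious (empty if it is not)."""
    reasons = []
    if flow.dst in SUSPECT_NETBLOCK:
        reasons.append("dst in suspect netblock")
    # Only internal -> external FTP control traffic is interesting here;
    # internal-to-internal FTP is left alone to keep the alert low-noise.
    if (flow.proto == "tcp" and flow.dport == FTP_CONTROL_PORT
            and is_internal(flow.src) and not is_internal(flow.dst)):
        reasons.append("outbound ftp control connection")
    return reasons


def find_suspicious(lines: Iterable[str]) -> List[Tuple[Flow, List[str]]]:
    """Run classify() over flow records, skipping blank and comment lines."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reasons = classify(flow)
        if reasons:
            hits.append((flow, reasons))
    return hits


if __name__ == "__main__":
    for flow, reasons in find_suspicious(SAMPLE_FLOWS.splitlines()):
        print(f"{flow.ts} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}  "
              f"{'; '.join(reasons)}")
```

Run against the constructed sample, the first flow is flagged on both counts, the second only for the netblock (a non-FTP port), the fourth only as outbound FTP, and the last (internal-to-internal FTP) is not flagged. The same outbound-port-21 condition is what the Snort alert the diary mentions would express at the sensor.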
Enough Translations, Thanks!
We really appreciate all of the people who sent in translations for what was found in Joe's computer (Follow the Bouncing Malware, part II, http://isc.sans.org/diary.php?date=2004-08-23). I think that we've got it nailed down now as:
"Hara Hara Mahadev !!!
tum agar badshah hai to hum eespeek ka yekka!"
Hara Hara Mahadev is a war cry used by the Maratha warriors of old from the state of Maharashtra in India. One can equate it to the Rangers' war cry ("Rangers Lead the Way!").
Literally translated, the second line means, "If you are King then I am Ace of Spades."
Thanks, BSD Guy, for the translation that makes the most sense.
Marcus H. Sachs
Handler on Duty