Last Updated: 2005-05-02 20:37:13 UTC
by Adrien de Beaupre (Version: 1)
SANS Top 20 Quarterly update
On May 2, 2005, the sponsors of the Top20 project released the first installment in a new program of quarterly updates to the Top20. It updates the annual Top20 and provides an additional roadmap to the new vulnerabilities that must be eliminated in any Internet-connected organization.
IM malware and IRC bots are the flavor of the day
There were multiple reports this weekend of malware spreading via AIM and other instant messaging, which then logged the compromised systems into an IRC channel to be fed instructions on where to download
One organization noticed a heavy increase in ARP and TCP port 445 traffic; the infected systems were scanning locally, and then the outbound IRC traffic
1- Hey check this out
2- Click on link
3- Download and run goodies
4- Your computer isn't really answering to you anymore
5- Your computer logs into IRC all by itself
6- The new master tells your computer to download more goodies
7- More malware is downloaded and installed
8- Your computer is now sending 'hey check this out' to all your buddies on IM
9- Your computer is now infecting other computers by scanning them
10- Your computer is now sending out spam and viruses and attacking others, and generally not doing anything useful that you would like it to do; it's too busy.
Aren't you glad you checked it out?
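The two signals the organization above saw, a fan-out of TCP/445 probes to local neighbours followed by outbound IRC, can be checked for in flow data. The following is an added example, not code from the diary: it runs over constructed flow records, and the 10.0.0.0/8 range, the IRC port, the thresholds and the sample addresses are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the monitored LAN
IRC_PORTS = {6667}                     # assumption: standard IRC port; bots also use others

def detect_bot_hosts(flows, scan_threshold=20, window=300):
    """Return {src: (distinct_445_targets, [irc_destinations])} for hosts that both
    fan out to >= scan_threshold distinct internal hosts on TCP/445 inside any
    `window`-second span and open outbound TCP connections to an IRC port."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        by_src[src].append((ts, dst, proto, dport))
    findings = {}
    for src, events in by_src.items():
        probes = sorted((ts, dst) for ts, dst, proto, dport in events
                        if proto == "tcp" and dport == 445 and ip_address(dst) in INTERNAL)
        # Largest number of distinct internal targets hit within one sliding window.
        fan_out = 0
        for i, (start, _) in enumerate(probes):
            in_window = {dst for ts, dst in probes[i:] if ts - start <= window}
            fan_out = max(fan_out, len(in_window))
        # Outbound IRC connections to addresses outside the LAN.
        irc = sorted({dst for ts, dst, proto, dport in events
                      if proto == "tcp" and dport in IRC_PORTS
                      and ip_address(dst) not in INTERNAL})
        if fan_out >= scan_threshold and irc:
            findings[src] = (fan_out, irc)
    return findings

# Constructed sample records (epoch_seconds, src, dst, proto, dst_port):
# 10.0.0.23 probes 25 neighbours on 445 then joins an external IRC server;
# 10.0.0.7 only talks to one file server; 10.0.0.9 uses IRC but does not scan.
FLOWS = [(1000 + i, "10.0.0.23", f"10.0.0.{100 + i}", "tcp", 445) for i in range(25)]
FLOWS += [(1100, "10.0.0.23", "198.51.100.9", "tcp", 6667),
          (1000, "10.0.0.7", "10.0.0.50", "tcp", 445),
          (1200, "10.0.0.7", "10.0.0.50", "tcp", 445),
          (1050, "10.0.0.9", "198.51.100.9", "tcp", 6667)]

if __name__ == "__main__":
    for host, (count, servers) in detect_bot_hosts(FLOWS).items():
        print(f"{host}: {count} internal hosts probed on 445, IRC to {servers}")
```

A single host legitimately reaching one file server on 445, or a person on IRC who is not scanning, does not trip the check; only the combination does.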
New Sober Variant
A new Sober variant is making the rounds, spreading surprisingly quickly.
We have received multiple reports; the file name we have seen is our_secret.zip.
Your anti-virus vendor of choice will have named it something interesting,
with 'Sober' somewhere in there.
Adrien de Beaupré
Handler of the day