
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-05-04




Published: 2004-05-04
Last Updated: 2004-05-05 20:18:48 UTC
by Pedro Bueno (Version: 1)

Back to Green

Yes, we are back to green. Things are quite calm: there is no new version of Sasser and no significant impact is being observed.
Some numbers about Sasser:

According to Microsoft, 1.5 million users downloaded the cleanup tool via Windows Update.

The Internet Storm Center's numbers are close to Microsoft's:

- 500k on May 1st

- 700k on May 2nd
Previous Sasser Traffic Analysis
After an analysis performed by our handlers (Tom Liston, Lorna
Hutcheson and Toby Kohlenberg), we have a reliable indication that there
were attempts to include the HOD LSASS exploit code published by SecurityLab,
publicly available since April 29, in the Agobot worm. We believe that
some tests were being run over the Internet using a zombie network
with some code modifications, and that some people may have confused
that traffic with the real Sasser worm.
Phatbot Source Code
After some rumors about the Phatbot source code, it was made available
today in a post to several mailing lists. The pack includes not only the
source code but also documentation and some HTML FAQs.
More variants are expected.
Netsky.AC
The Sasser "fix" hoax email reported in yesterday's Handler's Diary is the
latest variant of the Netsky virus; it tries to deliver itself as a
supposed tool to remove the Sasser worm (and also Netsky.AB, Beagle.AB,
Mydoom.F and MSBlast.B).
Reference: http://isc.sans.org/diary.php?date=2004-05-03

http://www.sarc.com/avcenter/venc/data/w32.netsky.ac@mm.html
VPN-1 vulnerability
Check Point just released an advisory about a vulnerability in its ISAKMP (IKE)
implementation that affects the Check Point VPN-1 product.

According to the advisory, the ISAKMP vulnerability may affect VPN-1 during "negotiations of a VPN tunnel which may cause a buffer overrun,
potentially compromising the gateway."

Check Point recommends that customers install the update on all enforcement modules.
References: http://www.checkpoint.com/techsupport/alerts/ike_vpn.html
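The advisory says only that a malformed tunnel negotiation "may cause a buffer overrun" and gives no further detail. As an added example (not Check Point's code, and not a reproduction of the VPN-1 bug, whose mechanics the advisory does not describe), the Python below walks the ISAKMP header and payload chain from RFC 2408 with the length checks a safe IKE parser needs, and shows it rejecting two constructed malformed datagrams of the kind a hostile peer would send during negotiation. The cookies, payload contents and the `build_isakmp`/`check` helpers are constructed sample values and names, not a real IKE exchange.

```python
import struct

# RFC 2408 section 3.1: fixed 28-byte ISAKMP header
ISAKMP_HDR_FMT = "!8s8sBBBBII"
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR_FMT)   # 28
# RFC 2408 section 3.2: 4-byte generic payload header (next payload, reserved, length)
GEN_HDR_FMT = "!BBH"
GEN_HDR_LEN = struct.calcsize(GEN_HDR_FMT)         # 4
NEXT_PAYLOAD_NONE = 0
PAYLOAD_SA, PAYLOAD_VID = 1, 13                    # payload type codes used in the sample


class IsakmpError(ValueError):
    """Raised for any datagram the strict parser refuses."""


def parse_isakmp(datagram: bytes):
    """Walk the ISAKMP header and payload chain, validating every length field
    against the bytes actually received before touching a payload body.
    Returns a list of (payload_type, payload_body) tuples."""
    if len(datagram) < ISAKMP_HDR_LEN:
        raise IsakmpError("datagram shorter than the 28-byte ISAKMP header")
    (_icookie, _rcookie, next_payload, _version, _exch_type,
     _flags, _msg_id, total_len) = struct.unpack(ISAKMP_HDR_FMT, datagram[:ISAKMP_HDR_LEN])
    # The header's length field is peer-controlled: it must match what arrived.
    if total_len != len(datagram):
        raise IsakmpError(f"header length {total_len} != datagram length {len(datagram)}")

    payloads = []
    offset = ISAKMP_HDR_LEN
    ptype = next_payload
    while ptype != NEXT_PAYLOAD_NONE:
        if offset + GEN_HDR_LEN > len(datagram):
            raise IsakmpError(f"truncated payload header at offset {offset}")
        nxt, _reserved, plen = struct.unpack(GEN_HDR_FMT, datagram[offset:offset + GEN_HDR_LEN])
        # A length below 4 makes a naive parser loop forever or compute a negative
        # body size; a length past the end makes it read or copy out of bounds.
        if plen < GEN_HDR_LEN:
            raise IsakmpError(f"payload length {plen} at offset {offset} smaller than its own header")
        if offset + plen > len(datagram):
            raise IsakmpError(f"payload length {plen} at offset {offset} runs past the datagram end")
        payloads.append((ptype, datagram[offset + GEN_HDR_LEN:offset + plen]))
        offset += plen
        ptype = nxt
    if offset != len(datagram):
        raise IsakmpError(f"{len(datagram) - offset} trailing bytes after the last payload")
    return payloads


def build_isakmp(payloads, exch_type=2, icookie=b"\x11" * 8, rcookie=b"\x00" * 8):
    """Build a well-formed ISAKMP datagram from (type, body) pairs.
    Cookie and payload contents are constructed sample values, not a real IKE exchange."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NEXT_PAYLOAD_NONE
        body += struct.pack(GEN_HDR_FMT, nxt, 0, GEN_HDR_LEN + len(pbody)) + pbody
    first = payloads[0][0] if payloads else NEXT_PAYLOAD_NONE
    header = struct.pack(ISAKMP_HDR_FMT, icookie, rcookie, first, 0x10, exch_type,
                         0, 0, ISAKMP_HDR_LEN + len(body))
    return header + body


def check(datagram: bytes):
    """Convenience wrapper: (True, payloads) or (False, reason)."""
    try:
        return True, parse_isakmp(datagram)
    except IsakmpError as exc:
        return False, str(exc)


# Constructed samples: a valid identity-protection (main mode) datagram carrying an SA
# and a Vendor ID payload, plus two mutations of the first payload's length field
# (datagram bytes 30..31).
GOOD = build_isakmp([(PAYLOAD_SA, b"\x00\x00\x00\x01" + b"\x00" * 8), (PAYLOAD_VID, b"\x00" * 16)])
OVERLONG = GOOD[:30] + b"\xff\xff" + GOOD[32:]    # payload claims 65535 bytes
UNDERSIZED = GOOD[:30] + b"\x00\x02" + GOOD[32:]  # payload claims 2 bytes, less than its header

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("overlong", OVERLONG), ("undersized", UNDERSIZED)):
        ok, detail = check(pkt)
        print(f"{name:10s} ok={ok} {[t for t, _ in detail] if ok else detail}")
```

The point of the two mutations is that every length in an ISAKMP datagram is chosen by the remote peer before any authentication has happened, so a parser that trusts either the header length or a payload length before comparing it with the bytes actually received is exactly where a negotiation-time buffer overrun comes from; the same checks apply when writing a passive IDS decoder for UDP/500 traffic to the gateway.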
---------------------------------------------------

Handler on Duty: Pedro Bueno (bueno_AT_ieee.org)