
SANS ISC: InfoSec Handlers Diary Blog



Still More MyDoom, a Few Twists on IDS, and a New Phishing Threat

Published: 2004-08-16
Last Updated: 2004-08-17 18:30:32 UTC
by George Bakos (Version: 1)
Today's Highlights -

- Mydoom.s, yet another MyDoom variant

- Virus detection with Snort

- Switch Port Monitoring

- A New Twist to Phishing Reported


Mydoom.s, yet another MyDoom variant

Conrad Longmore brought to our attention that there is yet another new MyDoom variant.
The variant, "MyDoom.S", is being spread en masse this Monday. It has been suggested that it is being distributed through a bot network built by a previous MyDoom variant.

The attachment seems to be named "photos_arc.exe".

- update your favorite anti-virus package

- educate your users not to click on attachments

Some URLs:

http://www.f-secure.com/v-descs/mydoom_s.shtml
http://www.sophos.com/virusinfo/analyses/w32mydooms.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=127616
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.q@mm.html
http://www.viruslist.com/eng/alert.html?id=2047892
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=50987&sind=0
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39890
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RATOS.A

[by Swa Frantzen, standing in for George]

Mydoom.s detection with Snort

For those feeling brave, there are Bleeding Edge Snort rules available to detect this latest variant at: http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/Stable/WORM_MyDoom.S?rev=1.2&content-type=text/vnd.viewcvs-markup
Thanks to Matt Jonkman for submitting that.

Speaking of Snort, viruses (virii?), and bleeding edge - Will Metcalf has put together a ClamAV preprocessor module for Snort, to alert on network traffic containing code that fires a Clam virus signature:
http://sourceforge.net/mailarchive/forum.php?thread_id=5338848&forum_id=7142
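The Bleeding Snort rule and the ClamAV preprocessor are the tools to reach for if you run Snort. As an added example that is not part of this diary (and is neither the Bleeding Snort rule nor Will Metcalf's preprocessor), here is the same matching idea written in Python so it can be run offline against a captured SMTP session: flag a MIME part whose filename is the reported "photos_arc.exe" (or any executable extension), and, independently of the name, a part whose decoded body starts with the "MZ" header of a Windows executable, much as a content match or an AV signature would. The SMTP transcript, the extension list and the fake 16-byte DOS header are constructed for illustration.

```python
"""Flag mail carrying an executable attachment such as the MyDoom.S
attachment name reported above, "photos_arc.exe". Added example: not the
Bleeding Snort rule and not the ClamAV preprocessor, just the same idea
(match on the attachment name and on the decoded payload) in Python.
The SMTP session below is constructed."""
import base64
import email
import re
from email import policy

# Attachment name the diary reports for MyDoom.S, plus extensions a mail
# gateway would normally block regardless of the worm of the day (assumed list).
KNOWN_BAD_NAMES = {"photos_arc.exe"}
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.I)


def extract_message(session: bytes) -> bytes:
    """Return the RFC 822 message between the client's DATA command and the
    lone '.' terminator. Assumes one DATA block and CRLF line endings, as on
    the wire; a captured server '354' reply is skipped if present."""
    start = session.find(b"DATA\r\n")
    if start < 0:
        raise ValueError("no DATA command in session")
    body = session[start + len(b"DATA\r\n"):]
    if body.startswith(b"354"):
        body = body.split(b"\r\n", 1)[1]
    end = body.find(b"\r\n.\r\n")
    return body[:end] if end >= 0 else body


def attachment_findings(session: bytes) -> list[tuple[str, list[str]]]:
    """Walk every MIME leaf part and return (filename, reasons) for each part
    that looks like an executable, judged by name and by decoded content."""
    msg = email.message_from_bytes(extract_message(session), policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        reasons = []
        if name.lower() in KNOWN_BAD_NAMES:
            reasons.append("known MyDoom.S attachment name")
        elif EXEC_EXT.search(name):
            reasons.append("executable extension")
        # Content check, independent of the name: a PE file starts with "MZ".
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"MZ"):
            reasons.append("PE/DOS header in decoded body")
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed SMTP transcript: a multipart message with a text part and a
# base64 attachment whose body is a fake 16-byte DOS header (not a real PE).
FAKE_PE = base64.b64encode(
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00").decode()
SAMPLE_SESSION = (
    b"EHLO client.example.test\r\n"
    b"MAIL FROM:<sender@example.test>\r\n"
    b"RCPT TO:<victim@example.test>\r\n"
    b"DATA\r\n"
    b"From: sender@example.test\r\n"
    b"To: victim@example.test\r\n"
    b"Subject: photos\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"see attached\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="photos_arc.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="photos_arc.exe"\r\n'
    b"\r\n" + FAKE_PE.encode() + b"\r\n"
    b"--b1--\r\n"
    b".\r\n"
    b"QUIT\r\n"
)

if __name__ == "__main__":
    for name, reasons in attachment_findings(SAMPLE_SESSION):
        print(f"{name}: {', '.join(reasons)}")
```

The two checks are deliberately independent: a renamed dropper slips past the name check but not the "MZ" check, and a ZIP-wrapped one slips past both, which is why the AV-signature approach of the ClamAV preprocessor is the stronger tool and this script is only a stand-in for reading captured sessions.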

Switch Port Monitoring

A couple of days ago, I advised someone to monitor switch port activity for indications of unusual activity. For example, seeing a higher than usual frames-per-second count from a host during the wee hours may indicate a host is scanning or serving files. An unusually high number heading to a host may indicate a sniffer, etc. Andy Cuff of Talisker has put together a nice list of config settings for popular switches to make this a little easier:
http://www.securitywizardry.com/switch.htm
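Once the switch is configured, the question is what "higher than usual" means. As an added example that is not from this diary or from the Talisker page, the script below turns per-port SNMP frame counters into host send and receive rates and flags any port well above its normal rate for that hour of day. The counter names (ifInUcastPkts, ifOutUcastPkts) are the real IF-MIB 32-bit counters, so the delta has to survive a wrap; the samples, the baselines and the 10x threshold are constructed for illustration.

```python
"""Flag switch ports whose frame rate is far above the port's normal rate for
that hour. Added example, not from the diary or the Talisker page; the SNMP
samples and baselines below are constructed. Counter names follow IF-MIB
(ifInUcastPkts / ifOutUcastPkts), which are Counter32 and wrap at 2**32;
the 64-bit ifHCInUcastPkts / ifHCOutUcastPkts would not need the fix-up."""
import calendar
import time
from dataclasses import dataclass

COUNTER32_MOD = 2 ** 32


@dataclass(frozen=True)
class Sample:
    ts: int        # poll time, seconds since the epoch (UTC)
    port: str      # e.g. "Gi0/2"
    in_pkts: int   # ifInUcastPkts: frames the switch received on the port
    out_pkts: int  # ifOutUcastPkts: frames the switch sent out the port


def counter_delta(old: int, new: int) -> int:
    """Difference of two Counter32 readings, assuming at most one wrap between
    polls (poll often enough that the counter cannot wrap twice)."""
    return (new - old) % COUNTER32_MOD


def host_rates(prev: Sample, cur: Sample) -> tuple[float, float]:
    """(frames/s the attached host sends, frames/s it receives).
    From the host's side, what it sends is the switch's *in* counter and
    what it receives is the switch's *out* counter."""
    dt = cur.ts - prev.ts
    if dt <= 0:
        raise ValueError("samples must be in increasing time order")
    tx = counter_delta(prev.in_pkts, cur.in_pkts) / dt
    rx = counter_delta(prev.out_pkts, cur.out_pkts) / dt
    return tx, rx


def anomalies(samples, baseline, factor=10.0):
    """baseline maps (port, hour_utc) -> (normal_tx_pps, normal_rx_pps).
    Returns one dict per port, interval and direction exceeding factor * normal.
    Ports with no baseline for that hour are skipped rather than guessed."""
    series = {}
    for s in sorted(samples, key=lambda s: (s.port, s.ts)):
        series.setdefault(s.port, []).append(s)
    alerts = []
    for port, polls in series.items():
        for prev, cur in zip(polls, polls[1:]):
            hour = time.gmtime(cur.ts).tm_hour
            if (port, hour) not in baseline:
                continue
            normal = baseline[(port, hour)]
            for direction, pps, norm in zip(("host_tx", "host_rx"),
                                            host_rates(prev, cur), normal):
                if pps > factor * norm:
                    alerts.append({"port": port, "ts": cur.ts,
                                   "direction": direction,
                                   "pps": pps, "normal_pps": norm})
    return alerts


# Constructed data: two polls 300 s apart at 03:00 UTC on 2004-08-16.
T0 = calendar.timegm((2004, 8, 16, 3, 0, 0))
SAMPLES = [
    Sample(T0,       "Gi0/1", 1_000,         2_000),
    Sample(T0 + 300, "Gi0/1", 2_500,         3_800),   # 5 tx / 6 rx pps: normal
    Sample(T0,       "Gi0/2", 4_294_960_000, 500),
    Sample(T0 + 300, "Gi0/2", 37_296,        800),     # in counter wrapped: 44_592 frames sent
    Sample(T0,       "Gi0/3", 100,           10_000),
    Sample(T0 + 300, "Gi0/3", 400,           40_000),  # host receiving 100 pps
]
# Assumed normal rate of 5 pps each way for every port at 03:00 UTC.
BASELINE = {(p, 3): (5.0, 5.0) for p in ("Gi0/1", "Gi0/2", "Gi0/3")}

if __name__ == "__main__":
    for a in anomalies(SAMPLES, BASELINE):
        print(f"{a['port']} {a['direction']} {a['pps']:.1f} pps "
              f"(normal {a['normal_pps']:.1f})")
```

Gi0/2 is the "sending far more than usual at 3 a.m." case from the paragraph above, and the wrapped counter shows why the modulo matters: a naive subtraction would report a negative rate and the scan would go unnoticed. Gi0/3 is the reverse case, a host receiving far more than its norm.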

A New Twist to Phishing Reported

Dan Hubbard of Websense has reported a new trend in phishing:

We are starting to see more and more phishing sites which are not targeting specific financial institutes but are targeting general ecommerce. We have seen "fake" online banks, sporting goods stores, and pharmacies.

Characteristics:


* no contact information

* no domain name

* many hosted in China or S Korea.

* no secure ordering process

* reported by thousands of spam engines


Report any phishing attempts you receive to:
http://www.antiphishing.org/report_phishing.html

Constant vigilance!

--Alastor Moody, Harry Potter and the Goblet of Fire