Threat Level: green Handler on Duty: Tom Webb

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-08-24 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Submitting Malware - Unpatched IE Hole Being Exploited - eJihad or iHysteria?

Published: 2004-08-24
Last Updated: 2004-08-25 04:43:56 UTC
by Cory Altheide (Version: 1)
0 comment(s)
Submitting Malware

ISC reader Chris Norton discovered an unknown binary in his C:\WINDOWS directory attempting to access the Internet last night. After a scan with an up-to-date virus scanner provided no salient information, Chris submitted the binary to the ISC, along with some preliminary analysis and supporting information. ISC handlers ran the code past numerous current antivirus products to no avail. The code was then submitted to antivirus vendors and analysis began.

The point to this story isn't the identification of the malware (a new variant in the Small Trojan/Downloader family) but the steps taken by Chris before submission. Chris did everything right, which made interaction with the ISC much more fruitful for all parties. We gladly accept all malware submissions (Tom Liston is looking for material for his upcoming novel "Malware and Me: A Love Story"), but by following a few simple guidelines, you can help us help you. [Cory, Cory, Cory... *I* know that when one uses a co-ordinate phrase as a subject, the proper form is, "Malware and I: A Love Story." Did Yul Brenner star in "The King and Me"? I think not... -TL]

1) Make sure to run the binary through *current* antivirus before submitting. Additionally, submitting the binary to a service like VirusTotal (
http://www.virustotal.com ) is a good way to get a multi-AV view of what exactly you've got your hands on.

2) Include as much relevant information as possible about the state this code was found in. This could include things like any actions that may have triggered the installation/execution, any system behavior that appears to be a result of this code, packet captures of traffic generated, any other files that appear to be related, etc.

3) If you're capable and willing, continue investigating on your own.* If nothing else, it's a great learning experience, and there's a good chance you'll be able to discover things the ISC won't, as you're in possession of the entire impacted machine, instead of a few small pieces. Keep the ISC informed of findings, though, if you do decide to investigate on your own - especially if you discover that it's some innocent program ten minutes after submitting it to us. ;)

*If you are acting as part of an organization with an established incident response policy, DO NOT investigate on your own. Your incident response team will likely be very upset at receiving freelance assistance.

Unpatched Internet Explorer Hole Being Actively Exploited

SP2 must have changed something in the Matrix, because I've got a case of deja-vu all over again! The ISC is receiving reports that a currently unpatched IE vulnerability ( discovered by http-equiv, details here:
http://secunia.com/advisories/12321 ) is being actively exploited in the wild. If you run across this *on a fully patched box* please submit the offending URL and any dropped (dragged 'n' dropped in this case) malcode to the ISC.

e-Jihad Begins Thursday, Internet Predicted to Melt Down by Mid-day

You should probably starting backing up that gig of gmail to local storage. According to a Russian news site, Kaspersky Labs states that terrorists will launch attacks which will paralyze the Internet this Thursday. This tragically coincides with two weeks of script kiddie attacks (which were scheduled to begin this past Sunday) aimed at disrupting the Republican national convention. In addition, many college students are back on campus this week, which provides the e-terrorists and i-subversives with a veritable candyland of insecure boxes on big pipes. Faced with this triple threat, our beloved Internet will surely fall.

The ISC would like to go out on a limb and predict that the Internet will not vaporize into a cloud of nothingness this Thursday, but if it does, it's been our pleasure to help stave off its inevitable annihilation this long.

===============

Cory Altheide

Handler-on-Duty

===============
Keywords:
0 comment(s)
Diary Archives