SANS ISC: InfoSec Handlers Diary Blog

SCANS, Babel (not Bagel/Bagle/Beagle) & Halloween

Published: 2004-10-31
Last Updated: 2004-11-01 22:33:40 UTC
by Patrick Nolan (Version: 1)
0 comment(s)


PORT SCANS

Port 53 scans are up a bit. Please submit any details of the activity if you're seeing it.

http://www.dshield.org/port_report.php?port=53

Who is looking for Apples for Halloween?
Scans directed at Port 548 (AFP, the Apple Filing Protocol) are also up a bit, and in the United States during the celebration of Halloween (Trick or Treat!) it's not looked upon favorably if Apples have worms ( ; ^ ). (Just to clarify the previous statement: it is an attempt at humor; there is no evidence that there's a worm out to eat Apple systems.)

http://isc.sans.org/port_details.php?port=548
Taking a look for published vulns;

http://secunia.com/search/?search=Apple

http://www.osvdb.org/vendor_dict.php?section=vendor&id=2371&c=a
Select "Associated Vulnerabilities:"

Scans for Port 3306 (MySQL) are interesting: a relatively few systems are scanning it, and a bit more aggressively than usual.

http://isc.sans.org/port_details.php?port=3306
Taking a look for published vulns;
http://secunia.com/search/?search=mysql

http://www.osvdb.org/vendor_dict.php?section=vendor&id=1181&c=M
Select "Associated Vulnerabilities:"
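The port reports linked above summarise submitted firewall logs per destination port (record count, distinct sources, distinct targets). The following script is an added example, not DShield's or ISC's code: it builds the same three counts from a few constructed iptables-style log lines and flags the pattern described for port 3306, many records from only a handful of sources. The log format and the IP addresses are constructed for the example.

```python
"""DShield-style per-port summary of dropped inbound connections.

Added example. The log line format is a constructed iptables-like
format; addresses are documentation ranges, not real sources.
"""
import re
from collections import defaultdict

# Constructed sample firewall log lines (not real traffic).
SAMPLE_LOG = """\
Oct 31 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=3306
Oct 31 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.11 PROTO=TCP DPT=3306
Oct 31 10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.12 PROTO=TCP DPT=3306
Oct 31 10:00:04 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.13 PROTO=TCP DPT=3306
Oct 31 10:00:05 fw kernel: DROP IN=eth0 SRC=192.0.2.1 DST=198.51.100.10 PROTO=UDP DPT=53
Oct 31 10:00:06 fw kernel: DROP IN=eth0 SRC=192.0.2.2 DST=198.51.100.10 PROTO=UDP DPT=53
Oct 31 10:00:07 fw kernel: DROP IN=eth0 SRC=192.0.2.3 DST=198.51.100.10 PROTO=UDP DPT=53
Oct 31 10:00:08 fw kernel: DROP IN=eth0 SRC=192.0.2.4 DST=198.51.100.11 PROTO=TCP DPT=548
Oct 31 10:00:09 fw kernel: not a firewall record
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Yield (src, dst, dport) for each line that looks like a drop record.

    Lines that do not match the pattern are skipped rather than raising,
    since real logs interleave unrelated kernel messages.
    """
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dpt"))


def port_report(text):
    """Return {port: {"records": n, "sources": n, "targets": n}}.

    This mirrors the three columns of a per-port scan report: how many
    records hit the port, from how many distinct sources, against how
    many distinct targets.
    """
    records = defaultdict(int)
    sources = defaultdict(set)
    targets = defaultdict(set)
    for src, dst, port in parse_log(text):
        records[port] += 1
        sources[port].add(src)
        targets[port].add(dst)
    return {
        port: {
            "records": records[port],
            "sources": len(sources[port]),
            "targets": len(targets[port]),
        }
        for port in records
    }


def concentrated_ports(report, max_sources=2, min_records=3):
    """Ports whose records come from few sources: the 'aggressive scanning
    by a relatively few systems' pattern, as opposed to broad background noise.
    Thresholds are arbitrary example values, not recommended settings."""
    return sorted(
        port
        for port, row in report.items()
        if row["sources"] <= max_sources and row["records"] >= min_records
    )


if __name__ == "__main__":
    rep = port_report(SAMPLE_LOG)
    for port in sorted(rep):
        print(port, rep[port])
    print("concentrated:", concentrated_ports(rep))
```

On the constructed sample, port 3306 shows four records from two sources against four targets and is the only port flagged; port 53 has as many sources as records, the usual shape of diffuse background scanning.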



FROM THE MAILBAG

Readers submitted information covering a wide range of issues. Some aspects of responding to Diary readers' malware submissions, together with the recent flurry of unique Bagle/Beagle definitions from each AV vendor, amplify the need to support (in every way possible) the developing efforts to establish a common framework for expediting responses to malware outbreaks.

McAfee AVERT (Anti-Virus Emergency Response Team), which has a great site (link below), has graciously shared the following information, used here as a recent sample of the "Tower of Babel" problem;

What AVERT calls Bagle.BB:
Kaspersky I-Worm.Bagle.at
Symantec W32.Beagle@mm!cpl
Trend Micro WORM_BAGLE.AT
CA Win32/Bagle.AQ.CPL.Worm

What AVERT calls Bagle.BC:
Kaspersky I-Worm.Bagle.au
Symantec W32.Beagle.AU@mm
Trend Micro WORM_BAGLE.AN
CA Win32/Bagle.AP.Worm

What AVERT calls Bagle.BD:
Kaspersky I-Worm.Bagle.au
Symantec W32.Beagle.AW@mm
Trend Micro WORM_BAGLE.AU
CA Win32/Bagle.AQ.Worm

Having a common framework may also help explain why one vendor labels something a trojan while another vendor labels the same file a threat, and it would certainly help those whose resources do not allow for the use of "potentially unwanted", "threat" or "expanded threat" detection solutions.

The McAfee AVERT Website is at;
http://myavert.avertlabs.com/myavert/default.aspx?index=1

One effort aimed at solving one aspect of the Tower of Babel issue, and one that (imho) deserves widespread user support, is VGrep, which is "currently maintained by Dmitry Gryaznov, Senior Manager, Advanced Security Research, McAfee Security" and was "originally created by Ian Whalley". So if you use the site, please support it by giving the operators feedback on your use of it. Thanks gentlemen!

About VGrep:
"'That which we call a rose, By any other name would smell as sweet.'
-- Shakespeare, Romeo and Juliet
Anyone who has had any experience of the anti-virus world will know that a single virus can have several different names - anti-virus vendors are not obliged to conform to any naming conventions, nor do they tend to do so.

VGrep is a system designed to help clear up some of the confusion surrounding the naming of viruses. It works by running scanners across a large collection of virus-infected files, and parsing their output into a simple text database."
http://www.virusbtn.com/resources/vgrep/index.xml
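The VGrep description above and the AVERT name table earlier in the diary describe the same idea: scan one collection of samples with every vendor's product, record what each vendor calls each sample, and then query a name across vendors. The script below is an added example of that indexing step, not VGrep's own code. The "scanner output" is constructed from the diary's AVERT table in an invented `vendor: sample-id: name` line format; the sample ids are placeholder labels, not hashes of real files.

```python
"""Miniature VGrep-style cross-reference of vendor detection names.

Added example, not VGrep's code. Scanner output is simulated by a
constructed text block using the names from the diary's AVERT table.
"""
from collections import defaultdict

# Constructed scanner output: one "vendor: sample-id: detection name" line
# per (vendor, sample). Sample ids are placeholders, not real file hashes.
SCANNER_OUTPUT = """\
AVERT: sample-1: Bagle.BB
Kaspersky: sample-1: I-Worm.Bagle.at
Symantec: sample-1: W32.Beagle@mm!cpl
Trend Micro: sample-1: WORM_BAGLE.AT
CA: sample-1: Win32/Bagle.AQ.CPL.Worm
AVERT: sample-2: Bagle.BC
Kaspersky: sample-2: I-Worm.Bagle.au
Symantec: sample-2: W32.Beagle.AU@mm
Trend Micro: sample-2: WORM_BAGLE.AN
CA: sample-2: Win32/Bagle.AP.Worm
AVERT: sample-3: Bagle.BD
Kaspersky: sample-3: I-Worm.Bagle.au
Symantec: sample-3: W32.Beagle.AW@mm
Trend Micro: sample-3: WORM_BAGLE.AU
CA: sample-3: Win32/Bagle.AQ.Worm
"""


def build_index(text):
    """Parse scanner output into two lookup tables.

    by_sample[sample][vendor] -> the name that vendor gave the sample
    by_name[(vendor, name)]   -> set of samples that vendor detects under name

    Blank lines are ignored; the detection name is everything after the
    second colon, so names containing '/' or '@' survive intact.
    """
    by_sample = defaultdict(dict)
    by_name = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        vendor, sample, name = (part.strip() for part in line.split(":", 2))
        by_sample[sample][vendor] = name
        by_name[(vendor, name)].add(sample)
    return by_sample, by_name


def aliases(by_sample, by_name, vendor, name):
    """Map one vendor's name to what every other vendor calls the same samples.

    Returns {other_vendor: sorted list of names}. A list with more than
    one entry means the queried name covers samples that the other vendor
    splits into several families, which is exactly the ambiguity a
    cross-reference has to surface rather than hide. Unknown names give {}.
    """
    result = defaultdict(set)
    for sample in by_name.get((vendor, name), ()):
        for other_vendor, other_name in by_sample[sample].items():
            if other_vendor != vendor:
                result[other_vendor].add(other_name)
    return {v: sorted(names) for v, names in result.items()}


if __name__ == "__main__":
    by_sample, by_name = build_index(SCANNER_OUTPUT)
    for query in (("AVERT", "Bagle.BB"), ("Kaspersky", "I-Worm.Bagle.au")):
        print(query, "->", aliases(by_sample, by_name, *query))
```

Querying Kaspersky's I-Worm.Bagle.au returns two AVERT names (Bagle.BC and Bagle.BD), because in the table above one Kaspersky name covers two samples that AVERT, Symantec, Trend Micro and CA each keep separate; a plain one-to-one alias list would silently lose that.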


In summary, any efforts on your part to support developing initiatives in this area, or to encourage your AV vendor, the Open Source community, Microsoft or interested elected officials and government agencies to accomplish something in this arena, will pay tangible benefits to you in the future. And don't forget, this is one situation where you can vote twice or more. Vote with your wallet.

MORE FROM THE MAILBAG

We thank you for the information!

One submission was for an email that led to a "Postcard from the Edge". The report (and analysis of the malware) was of a website that is actively exploiting visitors using vulnerable browsers. The analysis and samples of malware were from reader Erik van Straten, who investigated a malicious email that he received directing the user to a webserver where they would read a postcard sent to them. It is apparent that the server has been active for more than 2 weeks, and it has been reported. Thanks very much for the work Kevin! A portion of the exploit has been identified as exploit.CodeBaseExec and a description is here;

http://www.viruslist.com/en/viruslist.html?id=48896

AV vendors whose products detected another component labelled it W32/Helodor.A@bd (F-Prot), Trojan.Win32.Helodor.gen (Kaspersky), Trj/Helodor.B (Panda) and Backdoor.Guzu (Symantec). At this time the only available write-up that I could access was here;
Backdoor.Guzu

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.guzu.html


Phan Mail

We appreciate it!


Patrick Nolan

Support ACK to Pedro Bueno! Thanks!