
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-05-02



Top 20 update; IM malware and IRC bots are the flavor of the day; Sober variant

Published: 2005-05-02
Last Updated: 2005-05-02 20:37:13 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

SANS Top 20 Quarterly update



http://www.sans.org/top20/Q1-2005update/



On May 2, 2005, the sponsors of the Top20 project released the first installment in a new program of quarterly updates to the Top20. It updates the annual Top20 and provides an additional roadmap to the new vulnerabilities that must be eliminated in any Internet-connected organization.



IM malware and IRC bots are the flavor of the day





There were multiple reports this weekend of malware spreading via
AIM and other instant messaging, which then logged the compromised
systems into an IRC channel to be fed instructions on where to download
more nasties.

One organization noticed a heavy increase in ARP and TCP port 445 traffic as the
infected systems scanned the local network, and then noticed the outbound IRC
traffic.
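The pattern that organization saw, heavy local TCP/445 scanning followed by outbound IRC connections, is one a defender can correlate from ordinary connection logs. The following is an added example, not code from the diary or from the ISC: it takes constructed flow records (timestamp, source, destination, destination port; the addresses and the 10.0.0.0/8 internal range are assumptions), flags sources that touch many distinct hosts on port 445 within a short window, and then reports only those scanners that subsequently connect outbound on a common IRC port. A host that merely chats on IRC without scanning is not flagged, which is the point: either behaviour alone is noisy, together they match the infection chain described above. ARP volume would need layer-2 telemetry and is not covered here.

```python
"""Correlate internal TCP/445 fan-out with later outbound IRC connections."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed internal range and IRC ports (adjust for the environment under review).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
IRC_PORTS = set(range(6660, 6670)) | {7000}
SCAN_THRESHOLD = 20          # distinct 445 targets within WINDOW marks a scanner
WINDOW = timedelta(minutes=5)
FMT = "%Y-%m-%d %H:%M:%S"


def parse_flow(rec):
    """Turn a (timestamp, src, dst, dport) tuple into typed values."""
    ts, src, dst, dport = rec
    return datetime.strptime(ts, FMT), src, dst, int(dport)


def find_445_scanners(flows, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Return {src: time_scan_started} for hosts contacting >= threshold
    distinct destinations on TCP/445 inside a sliding time window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                scanners[src] = t0
                break
    return scanners


def find_irc_after_scan(flows, scanners, ports=IRC_PORTS, internal=INTERNAL_NET):
    """Return (src, dst, dport, ts) for outbound IRC connections made by a
    known scanner at or after the moment its scanning began."""
    hits = []
    for ts, src, dst, dport in flows:
        if src not in scanners or dport not in ports or ts < scanners[src]:
            continue
        if ipaddress.ip_address(dst) in internal:
            continue  # internal IRC is not the outbound C2 pattern described
        hits.append((src, dst, dport, ts))
    return hits


def detect(records):
    flows = [parse_flow(r) for r in records]
    return find_irc_after_scan(flows, find_445_scanners(flows))


def constructed_flows():
    """Constructed sample records, not real traffic."""
    base = datetime(2005, 5, 1, 10, 0, 0)
    recs = []
    # Infected host: sweeps 30 neighbours on 445 in 30 seconds, then joins IRC.
    for i in range(1, 31):
        recs.append(((base + timedelta(seconds=i)).strftime(FMT),
                     "10.1.1.50", f"10.1.1.{100 + i}", 445))
    recs.append(((base + timedelta(seconds=45)).strftime(FMT),
                 "10.1.1.50", "198.51.100.7", 6667))
    # Benign: a workstation talking to one file server on 445, repeatedly.
    for i in range(5):
        recs.append(((base + timedelta(seconds=2 * i)).strftime(FMT),
                     "10.1.1.20", "10.1.1.5", 445))
    # Benign: a human IRC user who never scanned anything.
    recs.append(((base + timedelta(seconds=10)).strftime(FMT),
                 "10.1.1.21", "198.51.100.9", 6667))
    return recs


if __name__ == "__main__":
    for src, dst, dport, ts in detect(constructed_flows()):
        print(f"{ts} {src} scanned 445 then connected to {dst}:{dport}")
```

Only the host that both scanned and then reached out to an IRC port is reported; the file-server client and the plain IRC user are left alone. The threshold and window are the knobs to tune against a baseline of normal SMB activity.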

1- Hey check this out
2- Click on link
3- Download and run goodies
4- Your computer isn't really answering to you anymore
5- Your computer logs into IRC all by itself
6- The new master tells your computer to download more goodies
7- More malware is downloaded and installed
8- Your computer is now sending 'hey check this out' to all your buddies on IM
9- Your computer is now infecting other computers by scanning them
10- Your computer is now sending out spam and viruses and attacking others, and
generally not doing anything useful that you would like it to do; it's too busy.

Aren't you glad you checked it out?



New Sober Variant




A new Sober variant is making the rounds, spreading surprisingly quickly.
We have received multiple reports; the file name we have seen is our_secret.zip.
Your anti-virus vendor of choice will have named it something interesting,
with 'Sober' somewhere in there.


http://vil.nai.com/vil/content/v_133409.htm



http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.o@mm.html



Cheers,

Adrien de Beaupré

Handler of the day

www.cinnabar.ca
