
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-08-26



More on Registry Concealment; suspected Zotob author arrested

Published: 2005-08-26
Last Updated: 2005-08-27 17:26:40 UTC
by Toby Kohlenberg (Version: 1)

Long Registry Value Name Update



We keep receiving updates about the long registry value name issue. For some products, an alert is generated only if the data stored under a long value name matches a given signature; no alert is raised merely because a value name is unusually long.



Spybot-S&D is able to check values with long names. RegAlyzer 1.1 and Spybot-S&D 1.4 (under the tools -> System Startup section in advanced mode) both do, in fact, see the values with long names and all subsequent values.



Also, note that the Cygwin ls tool mentioned yesterday will show the long value names but complains about "filename too long".



All Seeing Eye from Fortego has been reported to catch the overly long registry value names properly.



WARNING - Tom Liston's tool for looking for long registry value names WILL PEG YOUR PROCESSOR. Get over it.
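As an added example (not code from the diary, and not Tom Liston's tool), the PowerShell below walks the autostart keys that a System Startup view would cover and reports any value whose name exceeds a length threshold, optionally recursing into subkeys. The 255-character threshold and the key list are assumptions, and the script relies on the .NET registry API returning the full name of every value.

```powershell
# Added example: flag registry values with unusually long names in autostart keys.
# Assumptions: 255 is a constructed threshold; the key list is illustrative only.
param(
    [int]$Threshold = 255,
    [switch]$Recurse   # walking subkeys is slow on a full hive; default is the listed keys only
)

$hives = @{
    'HKLM' = [Microsoft.Win32.Registry]::LocalMachine
    'HKCU' = [Microsoft.Win32.Registry]::CurrentUser
}
$subKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Find-LongValueName {
    param(
        [Microsoft.Win32.RegistryKey]$Key,
        [string]$Path,
        [int]$MaxLen,
        [switch]$Recurse
    )
    try { $sub = $Key.OpenSubKey($Path, $false) } catch { return }   # skip keys we cannot read
    if ($null -eq $sub) { return }
    foreach ($name in $sub.GetValueNames()) {
        if ($name.Length -gt $MaxLen) {
            # Emit one record per suspicious value; only a prefix of the name is shown
            [pscustomobject]@{
                Key        = "$($Key.Name)\$Path"
                NameLength = $name.Length
                NamePrefix = $name.Substring(0, [Math]::Min(40, $name.Length))
                Data       = $sub.GetValue($name)
            }
        }
    }
    if ($Recurse) {
        foreach ($child in $sub.GetSubKeyNames()) {
            Find-LongValueName -Key $Key -Path "$Path\$child" -MaxLen $MaxLen -Recurse
        }
    }
    $sub.Close()
}

foreach ($h in $hives.GetEnumerator()) {
    foreach ($s in $subKeys) {
        Find-LongValueName -Key $h.Value -Path $s -MaxLen $Threshold -Recurse:$Recurse
    }
}
```

Running it without -Recurse keeps the check cheap; pass -Recurse against a broader key only when you are prepared for the same CPU cost the diary warns about.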




Zotob arrests in Turkey and Morocco


http://www.map.ma/eng/sections/general/young_moroccan_hacke4792/view



and




"The arrest of the eighteen year-old hacker occurred upon the request of FBI, which traced virus back to a website in Morocco, DGSN said.



According to primary investigation, the hacker had accomplices in Turkey, the motive was financial, and he acted in connivance with groups specialised in bankcards forgery."



The two hackers 'Diabl0' (Farid Essebar) and "Coder" (Atilla Ekici) are suspected to be responsible for a number of Mytob and Zotob variants.
