
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-12-10



Malware

Published: 2005-12-10
Last Updated: 2005-12-11 08:53:07 UTC
by Koon Yaw Tan (Version: 1)
1) One reader has submitted a malware sample which, when run through VirusTotal, was detected as a Linux backdoor by the following engines:
Engine       Version     Signature date   Detection
Ikarus       0.2.59.0    12.10.2005       Backdoor.Perl.Whoredoor.08
Kaspersky    4.0.2.24    12.10.2005       Rootkit.Linux.Matrics.sk
McAfee       4647        12.09.2005       Linux/BackDoor

2) On another note, Juha-Matti has pointed out an interesting trojan, Trojan.Spaxe. The interesting part is that it displays a balloon message that attempts to look like it comes from the Windows Automatic Updates icon in the System Tray, with the following text:

Body:
"Your computer is infected!
Windows has detected spyware infection.

It is recommended to use special antispyware tools to prevent data loss.
Windows will now download and install the most up-to-date antispyware for you.

Click here to protect your computer from spyware."

Clicking on the balloon results in a file being downloaded from the Internet.

3) You may have read in the news that there will be a Sober worm attack on 5 Jan 06. This is because the current Sober variant is pre-programmed to activate on 5 Jan 06. The interesting part is that this Sober variant can generate pseudorandom URLs that change based on the date. It can also synchronize its time against atomic clock servers, so it does not matter if the infected system's clock is wrong. F-Secure has published a list of URLs that you may want to block. You can read the details in F-Secure's writeup.

[Update to (3)]
On another note, LURHQ has a writeup on the key dates in the various Sober variants. It mentions that the Sober.Y activation date should be after 5 Jan 06: the logic is "current date > Jan 5" and not "current date == Jan 5". Thanks to Dominic for pointing this out.

Ethereal Vulnerability

Published: 2005-12-10
Last Updated: 2005-12-10 18:29:33 UTC
by Koon Yaw Tan (Version: 1)
iDefense has published an advisory on an Ethereal OSPF Protocol Dissector Buffer Overflow Vulnerability. Successful exploitation of the vulnerability results in a DoS and may allow the execution of arbitrary code under certain conditions. For more details, please refer to the iDefense advisory. Thanks to Juha-Matti.



Increase in Port 1025 scan

Published: 2005-12-10
Last Updated: 2005-12-10 17:57:47 UTC
by Koon Yaw Tan (Version: 1)
We have received a report of TCP port 1025 scans. David has observed an increase in port 1025 scanning and submitted some packet captures to us. The captured packets contain a request to interface UUID 906b0ce0-c70b-1067-b317-00dd010662da and the BuildContextW (opnum 7) RPC function. Part of the packet payload resembles the MSDTC exploit. This appears to be an attempt to exploit the MS05-051 vulnerability as described in the eEye advisory. If you have made similar observations, do drop us a note.
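As an added example (not part of the diary, and not David's capture), the following Python script shows how a defender can check their own captures for the same pattern: it parses connection-oriented DCERPC v5 bind and request PDUs from a TCP payload, remembers which presentation context id was bound to which interface UUID, and reports any request whose context resolves to the MSDTC interface UUID quoted above, naming opnum 7 as BuildContextW. The sample traffic at the bottom is constructed for the example; the second interface UUID in it is a placeholder, and the NDR transfer syntax UUID is the standard DCERPC constant, needed only to build a well-formed bind.

```python
"""Flag DCERPC requests bound to the MSDTC interface (added example)."""
import struct
import uuid

MSDTC_IFACE = uuid.UUID("906b0ce0-c70b-1067-b317-00dd010662da")  # UUID from the diary
OPNUM_NAMES = {7: "BuildContextW"}  # opnum named in the diary

# Standard NDR transfer syntax UUID; used only to build a valid bind below.
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
PTYPE_REQUEST, PTYPE_BIND = 0, 11
PFC_OBJECT_UUID = 0x80


def split_pdus(stream):
    """Split a TCP payload into DCERPC PDUs using each header's frag_length."""
    pdus, off = [], 0
    while off + 16 <= len(stream):
        frag_len = struct.unpack_from("<H", stream, off + 8)[0]
        if frag_len < 16 or off + frag_len > len(stream):
            break  # malformed or truncated: stop rather than misparse
        pdus.append(stream[off:off + frag_len])
        off += frag_len
    return pdus


def parse_header(pdu):
    """Parse the 16-byte common header; only v5 with little-endian drep is handled."""
    vers, _minor, ptype, flags = struct.unpack_from("<BBBB", pdu, 0)
    if vers != 5 or (pdu[4] & 0xF0) != 0x10:
        raise ValueError("only DCERPC v5 with little-endian data representation is handled")
    frag_len, _auth_len, call_id = struct.unpack_from("<HHI", pdu, 8)
    return ptype, flags, frag_len, call_id


def parse_bind_contexts(pdu):
    """Map each presentation context id in a bind PDU to its interface UUID."""
    n_ctx = pdu[24]  # after max_xmit(2) max_recv(2) assoc_group(4)
    off, contexts = 28, {}
    for _ in range(n_ctx):
        ctx_id, n_xfer = struct.unpack_from("<HB", pdu, off)
        off += 4  # p_cont_id(2) n_transfer_syn(1) reserved(1)
        contexts[ctx_id] = uuid.UUID(bytes_le=pdu[off:off + 16])
        off += 20 + 20 * n_xfer  # abstract syntax (uuid+version) + transfer syntaxes
    return contexts


def parse_request(pdu, flags):
    """Return (context id, opnum, stub length) from a request PDU."""
    ctx_id, opnum = struct.unpack_from("<HH", pdu, 20)  # after alloc_hint(4)
    stub_off = 24 + (16 if flags & PFC_OBJECT_UUID else 0)
    return ctx_id, opnum, len(pdu) - stub_off


def find_msdtc_requests(pdus):
    """Walk PDUs in order and report requests whose context is bound to MSDTC."""
    contexts, findings = {}, []
    for pdu in pdus:
        ptype, flags, _, call_id = parse_header(pdu)
        if ptype == PTYPE_BIND:
            contexts.update(parse_bind_contexts(pdu))
        elif ptype == PTYPE_REQUEST:
            ctx_id, opnum, stub_len = parse_request(pdu, flags)
            if contexts.get(ctx_id) == MSDTC_IFACE:
                findings.append({"call_id": call_id, "opnum": opnum,
                                 "name": OPNUM_NAMES.get(opnum, "unknown"),
                                 "stub_len": stub_len})
    return findings


# --- constructed sample traffic (not from the submitted captures) ---
def _pdu(ptype, body, call_id, flags=0x03):
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, flags, b"\x10\x00\x00\x00",
                       16 + len(body), 0, call_id) + body


def build_bind(ctx_id, iface, call_id):
    body = struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0)
    body += struct.pack("<HBB", ctx_id, 1, 0) + iface.bytes_le + struct.pack("<HH", 1, 0)
    body += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    return _pdu(PTYPE_BIND, body, call_id)


def build_request(ctx_id, opnum, stub, call_id):
    return _pdu(PTYPE_REQUEST, struct.pack("<IHH", len(stub), ctx_id, opnum) + stub, call_id)


PLACEHOLDER_IFACE = uuid.UUID("00000000-0000-0000-0000-00000000beef")  # placeholder
SAMPLE_STREAM = (
    build_bind(0, MSDTC_IFACE, call_id=1)
    + build_request(0, 7, b"A" * 64, call_id=2)       # BuildContextW on MSDTC: reported
    + build_bind(1, PLACEHOLDER_IFACE, call_id=3)
    + build_request(1, 7, b"\x00" * 8, call_id=4)     # same opnum, other interface: ignored
)

if __name__ == "__main__":
    for finding in find_msdtc_requests(split_pdus(SAMPLE_STREAM)):
        print(finding)
```

Feeding the reassembled TCP payload of a port 1025 session to `find_msdtc_requests(split_pdus(payload))` gives one record per request on the MSDTC interface, with its call id, opnum and stub length; an unusually large stub on opnum 7 is the kind of thing worth a closer look.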