Malware
1) One reader has submitted a malware sample which, after being run through VirusTotal, was detected as a Linux backdoor:
Ikarus 0.2.59.0 12.10.2005 Backdoor.Perl.Whoredoor.08
Kaspersky 4.0.2.24 12.10.2005 Rootkit.Linux.Matrics.sk
McAfee 4647 12.09.2005 Linux/BackDoor
2) On another note, Juha-Matti has pointed out an interesting trojan, Trojan.Spaxe. The interesting part is that it displays a balloon message that attempts to impersonate the Windows Automatic Updates icon in the System Tray, with the following text:
Body:
"Your computer is infected!
Windows has detected spyware infection.
It is recommended to use special antispyware tools to prevent data loss.
Windows will now download and install the most up-to-date antispyware for you.
Click here to protect your computer from spyware."
Clicking on the balloon will result in downloading a file from the Internet.
3) You may have read in the news that there will be a Sober worm attack on 5 Jan 06. This is because the current Sober variant is pre-programmed to activate on 5 Jan 06. The interesting part is that this Sober variant is able to generate pseudorandom URLs that change based on the date. It can also synchronize the time via atomic clock servers, so it does not matter if the system clock is incorrect. F-Secure has published a list of URLs that you may want to block. You can read the details in F-Secure's nice writeup.
[Update to (3)]
On another note, LURHQ has a writeup on the key dates in the various Sober variants. It mentions that the Sober.Y activation date should be after 5 Jan 06: the logic is "current date > Jan 5" and not "current date == Jan 5". Thanks to Dominic for pointing this out.
Ethereal Vulnerability
iDefense has published an advisory on an Ethereal OSPF protocol dissector buffer overflow vulnerability. Successfully exploiting the vulnerability will result in a DoS and may allow the execution of arbitrary code under certain conditions. For more details, please refer to the iDefense advisory. Thanks to Juha-Matti.
Increase in Port 1025 scan
We have received a report of TCP port 1025 scans. David has observed an increase in port 1025 scanning and submitted some packet captures to us. The captured packet contains a request to interface UUID 906b0ce0-c70b-1067-b317-00dd010662da and the BuildContextW (opnum 7) RPC function. Part of the packet payload resembles the MSDTC exploit. This appears to be an attempt to exploit the MS05-051 vulnerability as described in the eEye advisory. If you have seen similar activity, do drop us a note.
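As an added detection example (written for this diary entry, not taken from David's captures or from any tool mentioned above), the following Python parses DCE/RPC bind and request PDUs and flags a client stream that binds to the MSDTC interface UUID quoted above and then calls opnum 7 on that context. The sample PDUs are constructed inline, and the parser assumes the little-endian data representation that Windows clients normally use.

```python
import struct
import uuid

# Interface UUID and opnum quoted in the diary entry above.
MSDTC_IFACE = uuid.UUID("906b0ce0-c70b-1067-b317-00dd010662da")
BUILDCONTEXTW_OPNUM = 7
HDR = "<BBBB4sHHI"  # version, minor, ptype, flags, drep, frag_len, auth_len, call_id

def parse_dcerpc(pdu):
    """Parse a connection-oriented DCE/RPC v5 bind (ptype 11) or request (ptype 0) PDU.
    Assumes little-endian data representation; returns None for anything else."""
    if len(pdu) < 16:
        return None
    ver, _, ptype, _, drep, _, _, call_id = struct.unpack(HDR, pdu[:16])
    if ver != 5 or not drep[0] & 0x10:
        return None
    if ptype == 11:  # bind: walk the presentation context list
        n_ctx, off, ifaces = pdu[24], 28, []
        for _ in range(n_ctx):  # ctx_id, n_transfer_syntaxes, pad, abstract syntax, transfer syntaxes
            ctx_id, n_ts = struct.unpack("<HBx", pdu[off:off + 4])
            ifaces.append((ctx_id, uuid.UUID(bytes_le=pdu[off + 4:off + 20])))
            off += 24 + 20 * n_ts
        return {"ptype": "bind", "call_id": call_id, "interfaces": ifaces}
    if ptype == 0:  # request: alloc_hint, ctx_id, opnum, then stub data
        _, ctx_id, opnum = struct.unpack("<IHH", pdu[16:24])
        return {"ptype": "request", "call_id": call_id, "ctx_id": ctx_id, "opnum": opnum}
    return {"ptype": ptype, "call_id": call_id}

def flag_msdtc_buildcontext(pdus):
    """True if the client binds a context to MSDTC and then calls opnum 7 (BuildContextW) on it."""
    msdtc_ctx = set()
    for p in filter(None, map(parse_dcerpc, pdus)):
        if p["ptype"] == "bind":
            msdtc_ctx |= {c for c, i in p["interfaces"] if i == MSDTC_IFACE}
        elif p["ptype"] == "request" and p["ctx_id"] in msdtc_ctx and p["opnum"] == BUILDCONTEXTW_OPNUM:
            return True
    return False

# --- constructed sample PDUs for testing the detector (not from a real capture) ---
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # standard NDR transfer syntax v2

def bind_pdu(iface, ctx_id=0, call_id=1):
    ctx = struct.pack("<HBx", ctx_id, 1) + iface.bytes_le + struct.pack("<I", 1) + NDR.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIB3x", 0x16D0, 0x16D0, 0, 1) + ctx
    return struct.pack(HDR, 5, 0, 11, 3, b"\x10\0\0\0", 16 + len(body), 0, call_id) + body

def request_pdu(opnum, ctx_id=0, stub=b"", call_id=2):
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return struct.pack(HDR, 5, 0, 0, 3, b"\x10\0\0\0", 16 + len(body), 0, call_id) + body

SUSPECT = [bind_pdu(MSDTC_IFACE), request_pdu(BUILDCONTEXTW_OPNUM, stub=b"A" * 32)]
BENIGN = [bind_pdu(uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")), request_pdu(7)]  # endpoint mapper, same opnum
```

Only client-side PDUs are examined here; a production detector would also honour the server's bind_ack (rejected contexts) and reassemble fragmented PDUs before applying the check.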