
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-12-28



The most hated IP address of 2005?

Published: 2005-12-28
Last Updated: 2005-12-28 16:21:42 UTC
by Daniel Wesemann (Version: 1)
Time for a little hall of shame. Is there any IP address range or individual IP address that was annoying the daylights out of you in 2005? An address where you tried and tried to contact the ISP to have a malware, botnet controller, or exploit page removed, but to no avail? Where exploits kept coming back again and again? Let us know, and we might share your story. For starters, here is mine:

Most Hated Netblock: 195.225.176.x - 195.225.177.x (AS31159)
Provider: Netcathost, Kiev, Ukraine
Reason for claim to fame: Hosting exploits, browser hijackers and CoolWebSearch related annoyances for several months. Ignoring, bouncing, or rejecting any complaints to the abuse contacts.

Update: beehappyy.biz is being implicated in the currently ongoing WMF 0-day exploit mania. And guess what beehappyy.biz resolves to? 195.225.176.38 - my favorite netblock again. Null-Routing, anyone?
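As an added example (not part of the diary, and not an ISC tool), here is how a defender might act on that netblock: scan proxy logs for clients that reached any address in 195.225.176.0/24 or 195.225.177.0/24, and generate the null-route commands for the collapsed prefix. The log lines are constructed for the example in Squid's native access.log layout (time, elapsed, client, code/status, bytes, method, URL, user, peerstatus/peerhost, type); the only values taken from the diary are the netblock, beehappyy.biz and 195.225.176.38. The route command is the Linux iproute2 blackhole form and is returned as a string for review, not executed.

```python
"""Flag proxy-log connections into a blocklisted netblock and emit null-route commands."""
import ipaddress

# The netblock the diary names: 195.225.176.x and 195.225.177.x (AS31159).
HATED_NETBLOCKS = [
    ipaddress.ip_network("195.225.176.0/24"),
    ipaddress.ip_network("195.225.177.0/24"),
]

# Squid-style access.log lines, constructed for this example (not real traffic).
# Assumed layout: time elapsed client code/status bytes method URL user peerstatus/peerhost type
# 192.0.2.10 and the example.* hosts are documentation placeholders; 195.225.177.200 is a
# made-up address inside the netblock.
SAMPLE_PROXY_LOG = """\
1135776000.123    200 10.0.0.5 TCP_MISS/200 1532 GET http://beehappyy.biz/ - DIRECT/195.225.176.38 text/html
1135776001.456    120 10.0.0.7 TCP_HIT/200 4821 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1135776002.789    310 10.0.0.9 TCP_MISS/200 9017 GET http://195.225.177.200/x.wmf - DIRECT/195.225.177.200 image/x-wmf
1135776003.001     15 10.0.0.5 TCP_DENIED/403 300 GET http://www.example.org/ - NONE/- text/html
"""


def in_hated_netblock(address: str) -> bool:
    """Return True if `address` parses as an IP inside any listed netblock."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:  # e.g. the "-" placeholder Squid logs when there is no peer
        return False
    return any(ip in net for net in HATED_NETBLOCKS)


def find_hits(log_text: str) -> list[dict]:
    """Return one record per log line whose peer (destination) address is in the netblocks."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:  # malformed or truncated line; skip rather than guess
            continue
        client, url, peer = fields[2], fields[6], fields[8]
        dest = peer.partition("/")[2]  # "DIRECT/195.225.176.38" -> "195.225.176.38"
        if in_hated_netblock(dest):
            hits.append({"client": client, "dest": dest, "url": url})
    return hits


def collapsed_netblocks() -> list:
    """Merge adjacent prefixes so a single route covers the whole range (here one /23)."""
    return list(ipaddress.collapse_addresses(HATED_NETBLOCKS))


def blackhole_route_commands() -> list[str]:
    """Linux iproute2 commands that null-route the collapsed netblocks.

    Generated for review only; apply them on the router or host yourself.
    """
    return [f"ip route add blackhole {net}" for net in collapsed_netblocks()]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_PROXY_LOG):
        print(f"client {hit['client']} reached {hit['dest']} via {hit['url']}")
    print("\n".join(blackhole_route_commands()))
```

Running the script lists the two internal clients that reached the netblock (the beehappyy.biz fetch and the .wmf download) and prints a single blackhole route for 195.225.176.0/23. Matching on the peer address rather than the URL hostname is deliberate: it catches direct-by-IP requests like the third line, which a hostname blocklist would miss.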

Searching money, finding exploit

Published: 2005-12-28
Last Updated: 2005-12-28 08:27:43 UTC
by Daniel Wesemann (Version: 1)
Every now and then, when using completely benign search terms in Google and others, the results that come out on top range from "not nice" to "outright hostile". We've received a report from a user who was looking for "money", and what he got presented with was a link to hxxp://hyipgoldinvest.com (don't click). The site is booby-trapped with an exploit variant of MS05-054 that is not yet detected by AV. Conclusion: Careful what you click on. A URL returned by a search engine is not necessarily more trustworthy than one that you receive in a spam message that offers "che ap replcia wathces".

Possible IM attack gearing up.

Published: 2005-12-28
Last Updated: 2005-12-28 00:51:50 UTC
by Deborah Hale (Version: 1)
We have received a few emails today advising us that users are receiving popups while on IM. These popups try to convince you to click on a link that is purported to be MyPictures. It apparently attempts to install a version of SDBot.

Remember - Don't click on links in IM - ever.  A dog is not a dog in IM.  And Aunt Sally probably is not really Aunt Sally.