
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-01-14



Bot herds exploring vertical markets

Published: 2006-01-14
Last Updated: 2006-01-15 03:54:57 UTC
by Johannes Ullrich (Version: 1)
Malware has become a business like any other over the last few years. Individual bot herds grow, innovate, merge and, well, sometimes even fold.

Visiting an IRC server used to control bots, the following message made perfect sense in that respect:

*** Topic for #-sd-bot: $xscan asn139 200 5 0 217.x.x.x -r -s
*** #-sd-bot burt0n 1137203776
*** #-sd-bot 1136645024

The channel used to control the bots, '#-sd-bot', carries a standard command in its topic, instructing its members to scan an IP range for a particular vulnerability. If, on the other hand, a human connects to the host and issues a '/list' command to find out about the channels on that server, the following message is displayed:

/list
*** Channel Users Topic
*** #help 1 IF YOU ARE HERE ITS BECAUSE I MIGHT HAVE INFECTED ONE OF YOUR MACHINES, DONT WORRY NOTHING IS GONNA BE HARMED WITH THE DRONES, FOR FURTHER INFORMATION ON REMOVALS PLS VISIT - WWW . NORTONANTIVIRUSES . COM - OR LEAVE A MSG KTHX.

We do not know whether the owner of 'Nortonantiviruses.com' is actually associated with the bot channel. But the site is not a legitimate Symantec/Norton site. Instead, it is a "placeholder" site collecting referral fees. Its whois registration is anonymous. The referral site itself does not appear to be malicious.

This is just a logical evolution of the current bot business. Like any business, the operators try to maximize the revenue they receive from a customer. If a customer finds out that they are infected and visits the bot server to find out more, the operators may as well try to take a cut of the cleanup revenue that would otherwise be lost.
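As an added example (not part of the diary), here is a small Python parser that takes raw IRC lines like the two quoted above, picks out topics written in the "$command arguments" form the bot channel uses, and notes whether an argument looks like an address range; the server name, hostmask and RPL_TOPIC framing in the sample are constructed, and the lowercase-command convention is an assumption drawn from the single '$xscan' topic on the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed IRC traffic modeled on the two channels quoted in the diary. The
# "$xscan ..." topic is the one shown there; the server name, the hostmask and
# the RPL_TOPIC (332) framing are assumptions made for this example.
SAMPLE_LINES = [
    ":irc.example.net 332 observer #-sd-bot :$xscan asn139 200 5 0 217.x.x.x -r -s",
    ":burt0n!~b@host.example TOPIC #help :IF YOU ARE HERE ITS BECAUSE I MIGHT HAVE ...",
    ":irc.example.net 332 observer #chat :Welcome, be nice",
    ":irc.example.net 332 observer #stocks :$GOOG up 3% today",
]

# RFC 1459 framing: optional ":prefix", then either a TOPIC command or a 332
# (RPL_TOPIC) numeric reply naming the channel, then the topic text after ':'.
TOPIC_RE = re.compile(
    r"^(?::\S+\s+)?"
    r"(?:TOPIC\s+(?P<chan1>#\S+)|332\s+\S+\s+(?P<chan2>#\S+))"
    r"\s+:(?P<topic>.*)$"
)
# Command convention seen on the page: a lowercase "$word" followed by arguments.
CMD_RE = re.compile(r"^\$(?P<cmd>[a-z]+)\s*(?P<args>.*)$")
# Dotted quad, including the partially masked form the diary prints (217.x.x.x).
TARGET_RE = re.compile(r"\b(?:\d{1,3}|x{1,3})(?:\.(?:\d{1,3}|x{1,3})){3}\b")

@dataclass
class TopicCommand:
    channel: str
    command: str
    args: List[str]
    has_target: bool  # an argument looks like an address range to be scanned

def parse_topic_command(line: str) -> Optional[TopicCommand]:
    """Return a TopicCommand if the line sets or reports a '$cmd ...' topic."""
    m = TOPIC_RE.match(line.strip())
    if not m:
        return None
    c = CMD_RE.match(m.group("topic"))
    if not c:
        return None  # ordinary human-readable topic, e.g. the #help notice
    args = c.group("args").split()
    return TopicCommand(m.group("chan1") or m.group("chan2"), c.group("cmd"),
                        args, any(TARGET_RE.search(a) for a in args))

def find_topic_commands(lines) -> List[TopicCommand]:
    """Filter a capture down to the topics that read as bot commands."""
    return [tc for tc in map(parse_topic_command, lines) if tc is not None]
```

Run over the sample, only the '#-sd-bot' topic is reported, with 'xscan' as the command and '217.x.x.x' recognised as a target; the '#help' notice and the stock-ticker topic are left alone.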

Update:

This was posted to the 'funsec' list a while ago:

"So he changed his topic:

-:- Topic (#help): changed by burt0n: IF YOU ARE HERE ITS BECAUSE I MIGHT HAVE INFECTED ONE OF YOUR MACHINES, DONT WORRY NOTHING IS GONNA BE HARMED WITH THE DRONES, FOR FURTHER INFORMATION ON REMOVALS PLS VISIT - WWW.SYMANTEC.COM - OR LEAVE A MSG KTHX.


....however, I guess he didn't like the exposure...after a few hours:

-:- SignOff burt0n: #help (User has been permanently banned from burt0n.IRC (#linuxsex@undernet))

-:- Connection closed from xx.43.235.xxx: Success
-:- BitchX: Servers exhausted. Restarting.
Score: ISC 1 - Burt0n 0
 :) 

Cool if things work out "right" sometimes.
We also got this message via our contact form signed 'burt0n':

"my connection aint secured, im str8 to you guys theres is no buisness market using my bots, I did not even noticed nortonantiviruses.com isnt the symantec site. SORRY. BYE."

Hmmm... So maybe just a good ol' dumb script kiddie? Why did he infect the systems in the first place? The message was posted from a Sympatico IP address in Canada.



TippingPoint IPS DoS (High CPU load)

Published: 2006-01-14
Last Updated: 2006-01-14 05:57:28 UTC
by Swa Frantzen (Version: 3)
We are getting multiple reports of a DoS attack (causing high CPU load that prevents normal use) against TippingPoint IPS devices.

We got a call from TippingPoint, stating that in their opinion this is not a "DoS", but a "high load" issue.

For more details we'd like to urge customers to contact TippingPoint directly. They are working on a patch and advisory which should be available shortly.

Edit: We've received a report that TippingPoint has now released a patch for this issue. The patch version is TOS 2.1.4.6324.

--
Swa Frantzen

Apple QuickTime and iTunes continued

Published: 2006-01-14
Last Updated: 2006-01-14 02:11:18 UTC
by Swa Frantzen (Version: 1)
Apple seems to have hit a rough spot in the road with its latest patches.

iTunes

There are accusations that the software's main new feature calls home with the track and artist names of the files you play. That is of course needed to show related albums for you to buy, but a number of questions remain open. Until they are answered, it may be better to do without the call-home feature if you value privacy or simply have too many mp3s ...

QuickTime

I have the original upgrade myself and no problem so far, but apparently Apple has recalled it. They also seem to have published it again. Bottom line: I'm confused. Be careful about not updating QuickTime to 7.0.4, as it did patch 8 vulnerabilities. Perhaps watching that silly joke movie can wait a little longer, rather than getting exploited.

Of course, if you produce movies, QuickTime's functionality might be more important to you than the security of your browser on the Internet, and your risks might be different.
  • For general users, I would urge not to downgrade, as you'll have the vulnerabilities back. Moreover, the problems do not seem to be that clear-cut. I'm running the initial QuickTime 7.0.4 upgrade and it works just fine.
  • Still, the uninstaller is here should you be unable to continue without the old version.
Before some of our readers think I'm bashing Apple: I'm typing this on a Mac, a Mac I like a lot.
Before some think I love Apple for all they do: I don't, but that's another story.

--
Swa Frantzen