SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-12-01

404dnserror Adware

Published: 2006-12-01
Last Updated: 2006-12-01 21:31:39 UTC
by Johannes Ullrich (Version: 1)
Our reader Tom sent us a note about a site called "404dnserror/dot/com" (DO NOT VISIT).

A user of his was infected with some spyware/adware that kept redirecting them to the '404dnserror' page. The page looks like a generic server error, but it also advertises an anti-spyware tool in the form of an ActiveX-like installer toolbar at the top of the page. To save you the risk of exposing yourself to the site, I included a screenshot below.



It's probably safe to block or monitor access to this domain.
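One way to act on that advice, as an added example rather than code from the diary: a small Python check that scans DNS query log lines for the domain and any of its subdomains. The log format, timestamps, client addresses and query names are constructed for the example; the domain is the one in Tom's report. The point it makes that a plain grep would miss is to match on label boundaries and normalize case and the trailing root dot, so that a query for ads.404dnserror.com. is caught while not404dnserror.com (a different registration that merely contains the string) is not.

```python
"""Monitor DNS query logs for a blocked domain and its subdomains.

Added example, not code from the ISC diary. The log format is a constructed
simplification: "<timestamp> <client_ip> <queried_name>".
"""

BLOCKED_DOMAINS = {"404dnserror.com"}  # the domain named in the report

# Constructed sample lines: an unrelated lookup, the domain itself, a
# subdomain with a trailing dot and mixed case, and a different domain that
# merely contains the blocked string (must not match).
DNS_LOG = [
    "2006-12-01T10:00:01Z 10.0.0.12 www.example.com",
    "2006-12-01T10:00:02Z 10.0.0.12 404dnserror.com",
    "2006-12-01T10:00:03Z 10.0.0.15 Ads.404DNSError.COM.",
    "2006-12-01T10:00:04Z 10.0.0.20 not404dnserror.com",
]


def normalize_name(name):
    """Lower-case and strip the trailing root dot so comparisons are exact."""
    return name.rstrip(".").lower()


def is_blocked(name, blocked=BLOCKED_DOMAINS):
    """True if name is a blocked domain or a subdomain of one.

    The subdomain test requires a '.' before the blocked name, so
    'not404dnserror.com' does not match '404dnserror.com'.
    """
    n = normalize_name(name)
    return any(n == b or n.endswith("." + b) for b in blocked)


def blocked_queries(lines, blocked=BLOCKED_DOMAINS):
    """Return [(timestamp, client_ip, normalized_name)] for matching log lines."""
    hits = []
    for line in lines:
        ts, client, name = line.split()
        if is_blocked(name, blocked):
            hits.append((ts, client, normalize_name(name)))
    return hits


if __name__ == "__main__":
    for ts, client, name in blocked_queries(DNS_LOG):
        print(f"{ts} {client} queried {name}")
```

The same boundary rule applies if you feed the list into a resolver blocklist or proxy ACL: block the apex and everything under it, and do not rely on substring matching in either direction.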


Technical Mujahid Magazine

Published: 2006-12-01
Last Updated: 2006-12-01 19:41:45 UTC
by Marcus Sachs (Version: 1)
As Johannes pointed out in the earlier diary, an alert was issued a few hours ago concerning potential attacks aimed at banking and financial web sites. DHS and others are in agreement that this is not a big deal and that the warning was issued as a prudent measure. While doing some research on this issue, we found an announcement that a new magazine was available online. Details are at the Middle East Media Research Center and the Search for International Terrorist Entities. I don't speak or read Arabic, Farsi, or Urdu, but if one of our readers can take a look at it and provide a quick translation, that would be great! We suspect that there might be a loose connection between the publication of the magazine and the alert.

UPDATE
For sake of completeness, here is the link to the SITE discussion about the original posting that set in motion this chain of events. 

Marcus H. Sachs
Director, SANS Internet Storm Center


New Data Retention Rules Effective Today

Published: 2006-12-01
Last Updated: 2006-12-01 19:36:19 UTC
by Johannes Ullrich (Version: 1)
This one hit me a bit by surprise. A couple of readers wrote in about it asking for advice. Our reader Steve found a good authoritative source at LexisNexis.
I am not a lawyer, and the article doesn't exactly provide anything new to me. As far as I know, electronic evidence like e-mail archives has been "fair game" for discovery all along, and as a sysadmin you could get into trouble for deleting any archives after being asked not to do so.

You may just want to send the link to your corporate lawyer and have them figure out whether any policies need to be changed. This should only affect US-based corporations.


Port 80 UDP Malware

Published: 2006-12-01
Last Updated: 2006-12-01 14:47:57 UTC
by Johannes Ullrich (Version: 1)
Our reader Warren informed us that his office in China was infected by a rather nasty piece of malware. It flooded the network with UDP traffic on port 80 and was not recognized by any anti-virus tool. A single infected host sent 100 UDP packets / second.

A couple more hints that may help you identify this threat:

- The UDP port 80 traffic was directed at 222.208.183.72.
- The file name used by the malware is p2psvr.exe (sorry, the binary was not preserved in the cleanup :-( ).
- the machine was also infected with PR_LOOKED.lF (according to Trend Micro).

I assume that the malware attempts to sneak past lazy firewall rules that allow port 80 outbound for both TCP and UDP rather than TCP alone. The target does not appear to be a "special" host, but a DDoS is possible as a motive for the UDP traffic.

Reminder: if you come across odd infections like that, please preserve the malware for analysis.
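As an added example (not from the diary or from Warren's report), here is a small Python detector that applies the indicators above to a flow log: it buckets UDP packets to destination port 80 per source host and per second and flags any host that exceeds a packet-rate threshold, reporting the destination it hammers. The log format and the sample records are constructed for the example; the 100 packets/second rate and the destination 222.208.183.72 are the figures from the report. The threshold and the benign hosts are assumptions.

```python
"""Flag hosts flooding UDP/80, as in the p2psvr.exe report above.

Added example, not code from the ISC diary. The log format is a constructed
simplification of a flow export: "<epoch_seconds> <src_ip> <dst_ip> <proto> <dport>".
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 mimics the reported infection (100 UDP/80
# packets per second to 222.208.183.72 for three seconds); 10.0.0.7 browses
# normally over TCP/80; 10.0.0.9 sends a couple of stray UDP/80 packets
# that should stay below the threshold.
FLOW_LOG = [f"{sec} 10.0.0.5 222.208.183.72 udp 80"
            for sec in (1000, 1001, 1002) for _ in range(100)]
FLOW_LOG += [
    "1000 10.0.0.7 93.184.216.34 tcp 80",
    "1001 10.0.0.7 93.184.216.34 tcp 80",
    "1001 10.0.0.9 198.51.100.4 udp 80",
    "1001 10.0.0.9 198.51.100.4 udp 80",
    "1002 10.0.0.9 203.0.113.9 udp 53",
]


def parse_flow(line):
    """Split one log line into (ts, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return int(ts), src, dst, proto.lower(), int(dport)


def udp80_flooders(lines, pps_threshold=50):
    """Return {src: (peak_pps, top_dst)} for hosts that reach the threshold
    on UDP/80 in any one-second bucket.

    Only UDP to port 80 is counted, so a normal web client on TCP/80 never
    shows up; top_dst is the destination receiving most of that host's
    packets in its busiest second.
    """
    per_bucket = defaultdict(lambda: defaultdict(int))  # (src, ts) -> dst -> pkts
    for line in lines:
        ts, src, dst, proto, dport = parse_flow(line)
        if proto == "udp" and dport == 80:
            per_bucket[(src, ts)][dst] += 1

    suspects = {}
    for (src, ts), dsts in per_bucket.items():
        pps = sum(dsts.values())
        if pps < pps_threshold:
            continue
        top_dst = max(dsts, key=dsts.get)
        if pps > suspects.get(src, (0, None))[0]:
            suspects[src] = (pps, top_dst)
    return suspects


if __name__ == "__main__":
    for src, (pps, dst) in udp80_flooders(FLOW_LOG).items():
        print(f"{src}: peak {pps} UDP/80 pkt/s, mostly to {dst}")
```

The same logic works against real NetFlow or firewall logs once the parser is swapped for your format. On the prevention side, the firewall caveat the diary raises is worth checking directly: an outbound rule written as "allow port 80" without a protocol qualifier permits exactly this traffic, while a rule that allows only TCP/80 outbound removes the cover the malware appears to rely on.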


US DHS banking alert

Published: 2006-12-01
Last Updated: 2006-12-01 03:39:39 UTC
by Johannes Ullrich (Version: 1)
A number of major news sites picked up on an alert issued by the US Department of Homeland Security (DHS), suggesting a major pending cyber attack by al Qaeda against US banking interests. The news coverage suggests that the attack will begin tomorrow and last until year's end.

The entire issue is probably best summarized by a quote from a DHS spokesperson, published on CNN.com:

"There is no information to corroborate this aspirational threat. As a routine matter and out of an abundance of caution, US-CERT issued the situational awareness report to industry stakeholders,"

My short take on it: make sure you follow best practices and keep your guard up. It's probably not going to be Al Qaeda, but someone will probe your defenses tomorrow as they did today, and whatever helps against them will help if Al Qaeda should launch a cyber attack after all.

The Financial Services Information Sharing and Analysis Center (FS/ISAC) is currently posting a "Low Risk of Cyber Attacks" on its web site.
