
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-05-01


vmware 5.5.4 released

Published: 2007-05-01
Last Updated: 2007-05-01 22:13:53 UTC
by donald smith (Version: 1)
0 comment(s)
A new version of VMware Workstation has been released (5.5.4).
It addresses several security vulnerabilities, including overwriting
of host OS files, denial of service (DoS) and potential stack corruption.
CVEs: CVE-2007-1337, CVE-2007-1877, CVE-2007-1069, CVE-2007-1876 and CVE-2007-1744.
Download it here:
http://www.vmware.com/download/ws/

Review security issues addressed here:
http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html

www.virustotal.com minor web outage

Published: 2007-05-01
Last Updated: 2007-05-01 21:53:58 UTC
by donald smith (Version: 1)
0 comment(s)
www.virustotal.com is suffering from a minor web outage.
They are aware of the issue and it should be resolved soon.
In the meantime the email interface should still be working,
so you may want to submit new viruses to them at scan@virustotal.com.

UPDATE: www.virustotal.com is back online. When using the email
submission method, remember to put "scan" in the subject line.

VNC 'scans' with window size of 55808

Published: 2007-05-01
Last Updated: 2007-05-01 19:28:07 UTC
by donald smith (Version: 1)
0 comment(s)
One of our readers wrote in with the following:
"Over the last couple of days I've noticed a different type of 5900/TCP (VNC?) portscan/attack.
Port 5900 scans are not new, but this one is triggering a TCP window size 55808 filter on our IPS.
The filter is patterned after:
Reference: CERT Incident http://www.cert.org/current/archive/2003/06/25/archive.html
Most of the source hosts are EDUs in the US and Taiwan."

So if you don't already have an IDS signature that looks for a TCP window size of 55808, you may wish to add one.
If you do, and you notice this, I suspect it's a bot, probably sdbot, but would like confirmation.
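As an added illustration of the signature suggested above (this is example code written for this diary, not a reader's or ISC's own filter), the following parses raw IPv4/TCP headers and flags SYN packets to 5900/TCP whose window size is 55808, then summarises them per source host. The packets are constructed inline with RFC 5737 documentation addresses; `build_packet` is an assumed helper for the demo, not a capture.

```python
import struct
from collections import defaultdict

SUSPECT_WINDOW = 55808   # window size named in the reader's IPS filter
VNC_PORT = 5900
TCP_SYN = 0x02

def build_packet(src, dst, sport, dport, window, flags=TCP_SYN):
    """Assumed helper: build a minimal 20-byte IPv4 header + 20-byte TCP header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                          window, 0, 0)
    return ip_hdr + tcp_hdr

def parse_packet(pkt):
    """Return the fields the signature needs, or None if not TCP."""
    ihl = (pkt[0] & 0x0F) * 4          # IP header length in bytes
    if pkt[9] != 6:                    # protocol 6 = TCP
        return None
    sport, dport, _seq, _ack, _off, flags, window = struct.unpack(
        "!HHIIBBH", pkt[ihl:ihl + 16])
    return {"src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20])),
            "sport": sport, "dport": dport, "flags": flags, "window": window}

def detect(pkts):
    """Return packets matching: TCP SYN, dst port 5900, window 55808."""
    hits = []
    for pkt in pkts:
        p = parse_packet(pkt)
        if p and p["dport"] == VNC_PORT and p["window"] == SUSPECT_WINDOW \
                and p["flags"] & TCP_SYN:
            hits.append(p)
    return hits

def sources(hits):
    """Count distinct targets per source, to spot scanning behaviour."""
    seen = defaultdict(set)
    for p in hits:
        seen[p["src"]].add(p["dst"])
    return {src: len(dsts) for src, dsts in seen.items()}

# Constructed sample traffic (not real captures): two probes from one host,
# one benign VNC connection, and a 55808-window packet to a non-VNC port.
SAMPLE = [
    build_packet("192.0.2.10", "198.51.100.5", 40000, 5900, 55808),
    build_packet("192.0.2.10", "198.51.100.6", 40001, 5900, 55808),
    build_packet("192.0.2.20", "198.51.100.5", 40002, 5900, 65535),
    build_packet("192.0.2.30", "198.51.100.5", 40003, 80, 55808),
]
```

Running `sources(detect(SAMPLE))` reports only 192.0.2.10, which touched two targets; a real deployment would feed this from a capture rather than the constructed list.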

freeftpmanager p2psharing.biz trojan site!

Published: 2007-05-01
Last Updated: 2007-05-01 17:04:32 UTC
by donald smith (Version: 1)
0 comment(s)
WARNING: do not visit this site or attempt to download freeftpmanager; you are likely to get infected.
Steve reported downloading "freeftpmanager". He submitted it to virustotal.com; it is a virus, but it is not well recognized.

Following his lead, I see that wwwDOTfreeftpmanagerDOTcom redirects to wwwDOTp2psharingDOTbiz/freeftpmanger
So what is freeftpmanager?
Only two of the virus engines at VirusTotal recognize it. The rest came back clean.
File: freeftpman.exe
SHA-1 Digest: 793bcfefaf4f2a0f36c24aa823a5bf242a6873fa
Packers: Unknown
Status: Infected or Malware

Scanner        Scanner Version   Result                                        Scan Time
F-Secure       1.02              Trojan-Downloader.Win32.PurityScan.eg [AVP]   7.62644 secs
Sophos Sweep   4.16.0            Troj/Istbar-Fam                               12.5367 secs

p2psharingDOTbiz also hosts Shareazalite and several other suspicious-looking files.
Its IP is 68.178.211.35.
The abuse department has been notified and is working on it at this time.