SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2008-09-01

OT: Happy Labo(u)r day!

Published: 2008-09-01
Last Updated: 2008-09-01 22:05:50 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

The first Monday in September is traditionally a long weekend in North America. As we enjoy our last bit of summer, now might be a good time either to reflect on all of the stuff that is going on at the office or to consider new ways to approach the badness impacting our environments 24/7, 365.


Cheers,
Adrien


MX Records Disappearing?

Published: 2008-09-01
Last Updated: 2008-09-01 18:00:57 UTC
by John Bambenek (Version: 1)
1 comment(s)

A reader wrote in telling us that a few big domains (mostly .edu at this point) have had their MX records disappearing.  Currently, I've verified that the domains that were reported do in fact have problems with their MX records, but is anyone else seeing this?  A case of coincidence or a wider attack?  If you see any domains that had their MX records suddenly disappear, let me know.

--
John Bambenek
bambenek /at/ gmail \dot\ com


The Number of Machines Controlled by Botnets Has Jumped 4x in Last 3 Months

Published: 2008-09-01
Last Updated: 2008-09-01 16:16:33 UTC
by John Bambenek (Version: 1)
2 comment(s)

I was perusing some of the data put out by the Shadowserver Foundation, which tracks botnets.  One piece of information grabbed my eye, namely that over the last 3 months the number of infected machines quadrupled.  During the same time period there wasn't an appreciable increase in new malware, new viruses, or anything else that would obviously indicate why this is so.  I imagine that the bad guys have gotten better about keeping machines owned, but there is one vector that we need to get much better about tracking and managing, and that's direct web-based malware.  The timing, very roughly, coincides with when we started to see increased SQL injection attacks against web servers (mind you, this is an educated guess that SQL injections are a big part of this, not a statement of fact).  We are very good at tracking email-based malware (including the lead-the-user-to-the-bad-website variety) and certainly network-based attacks.  Short of spidering the web on a consistent basis, it gets difficult to find infected sites hosting that malware.  We at the ISC, and I'm sure many others, are working on ways to honeypot pure web-based attacks to capture this malware, but much work is left to be done.

It's one of the disadvantages of operating in a reactive fashion: we are behind the power curve for some time until we figure out a way to approach something close to parity.

--
John Bambenek
bambenek /at/ gmail \dot\ com


Gustav Part IV - last list

Published: 2008-09-01
Last Updated: 2008-09-01 14:33:20 UTC
by Marcus Sachs (Version: 1)
0 comment(s)

This will be the last list of domain names we publish related to hurricanes Gustav or Hanna.  We believe that everybody understands the issue, so after this diary there won't be any further lists.  Many of the domain names being registered are legitimate and are redirecting to sites that support law-abiding charities.  Unfortunately though, many more are either parked in a "for sale" status, or are associated with IP addresses known to host malicious software, spyware, or other hazardous content.

One of our readers, Greg, performed an analysis on the previous lists and found that a significant percentage of the hosting sites for the domains we listed aligned with sites he tracks for malware, botnet C&C, or organized crime.  Because of the possibility of false positives we won't list the correlations but we encourage you to work with content filtering services like BrightCloud to assist in developing dynamic blocking rules for the protection of your customers and employees.

One more item of note: while doing this research we found that somebody is getting way ahead of the game and has registered most of the future hurricane names found on the NOAA web site.  Why wait for the storm when you can go ahead and own the name now?  Sheesh.

Here's the list of domains related to hurricanes Gustav and Hanna registered over the past 24 hours, according to Domain Tools.  Please examine each site and make your own determination about legitimacy.  Work with law enforcement officials if you suspect fraud or criminal activity.

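The screening practice described above (watch new registrations built on current and upcoming storm names, then examine them before feeding blocking rules) can be automated as a first pass. The following is an added example, not ISC code nor anything from the diary: it runs a fuzzy storm-name match over a constructed sample of registrations, so that misspelt names like the "gustaf" and "gustov" variants in these lists are still caught, and it only trusts names that double as everyday given names when charity or disaster wording appears alongside them. The storm names are the 2008 Atlantic season list as published by NOAA; the sample feed, the ambiguous-name set and the context words are assumptions made for this example.

```python
import re

# 2008 Atlantic season names as published by NOAA (the list the diary refers to)
STORM_NAMES = ["arthur", "bertha", "cristobal", "dolly", "edouard", "fay",
               "gustav", "hanna", "ike", "josephine", "kyle", "laura", "marco",
               "nana", "omar", "paloma", "rene", "sally", "teddy", "vicky", "wilfred"]
# Names that are also everyday words or given names only count when
# disaster/charity wording appears in the same label (our assumption).
AMBIGUOUS = {"arthur", "bertha", "dolly", "fay", "ike", "kyle", "laura", "marco",
             "nana", "omar", "rene", "sally", "teddy", "vicky"}
CONTEXT = re.compile(r"hurr?i[acn]+e|huracan|storm|relief|donat|fund|claim|help|aid|victim|survivor|disaster|rebuild")

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_storm_name(label: str):
    """Best (name, distance) hit inside a domain label; one typo allowed for names of 6+ chars."""
    best = None
    for name in STORM_NAMES:
        tol = 1 if len(name) >= 6 else 0
        for w in range(len(name) - tol, len(name) + tol + 1):
            for i in range(len(label) - w + 1):
                d = levenshtein(label[i:i + w], name)
                if d <= tol and (best is None or d < best[1]):
                    best = (name, d)
    return best

def triage(domain: str):
    """Return ('flag' | 'review', storm_name) for one registration, or None."""
    label = domain.lower().split(".")[0].replace("-", "")
    hit = find_storm_name(label)
    if hit is None:
        return None
    name, dist = hit
    has_context = CONTEXT.search(label) is not None
    if name in AMBIGUOUS and not has_context:
        return None  # e.g. a bike shop owned by a Kyle, not a storm domain
    # charity wording or a misspelt storm name deserves a human look first
    return ("flag" if has_context or dist else "review", name)

SAMPLE_FEED = [  # constructed for this example, not a real registrar feed
    "hurricanegustafrelief.com", "hannaclaimhelp.com", "ikedisasterfund.org",
    "paloma2008.com", "kylesbikes.com", "gustavpeoplesearch.net", "example.com"]

def screen(feed):
    return [(d, *r) for d in feed if (r := triage(d))]
```

Anything returned as "flag" or "review" still needs the manual legitimacy check the diary asks for; the script only orders the queue.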

Marcus H. Sachs
Director, SANS Internet Storm Center


Gustav Part III

Published: 2008-09-01
Last Updated: 2008-09-01 02:01:24 UTC
by Marcus Sachs (Version: 1)
0 comment(s)

I went back through our records and found that this past Tuesday was the starting point for Gustav-related domain names.  There may be more that are much older, but this seems to be related to the current events unfolding along the US gulf coast.  If you are keeping track, please add these domains to the lists we provided on Saturday and Sunday:


Marcus H. Sachs
Director, SANS Internet Storm Center
