
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2009-05-07



Malicious Content on the Web

Published: 2009-05-07
Last Updated: 2009-05-08 17:20:28 UTC
by Deborah Hale (Version: 2)
1 comment(s)

Today must be a full moon day!  We have had several reports of strange malicious content on otherwise good websites.   One of them is confirmed by Trend Micro.

The first is a fake/Trojanized Windows 7 Release Candidate (RC) build release.  The Trojan is being referred to as TROJ_DROPPER.SPX.  From Trend Micro's release:


"It is a self extracting executable that contains two executables: one is the original Windows 7 RC build named SETUP.EXE, and the other is CODEC.EXE. Trend Micro detects CODEC.EXE as TROJ_AGENT.NICE. When an unsuspecting user executes the Trojanized setup file, the embedded malware is also executed. As a result, malicious routines of the embedded file are exhibited on the affected system."

The full article can be found at:

threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp

The second item is a possible infection, your typical "your computer is infected, click here to scan and clean it" pop-up, on the usatoday.com website. We have received more than one report of this but have not been able to confirm it. We suspect that if it is indeed there, it is an ad somewhere on their site. Several of the handlers have tried to find the offending ad and have so far been unsuccessful. We have contacted the appropriate individuals at usatoday.com to advise them of the reports.

If any of our other readers have seen this type of activity and can tell us what page you were on and whether a link or an ad was clicked that triggered it, we would like to hear from you so that we can pinpoint the problem and work with USAToday to get it cleaned up.

Other reports we have received are that an adware program is being installed on computers when clicking on the link to get the free chicken coupon from Oprah's website.  I have sent an email to the webmaster and have heard nothing back yet.  The scary thing about the chicken coupon is that hundreds of people have downloaded this coupon.  Just think of all of the computers that now have the malware installed.  Again, I can't confirm this because I haven't tried to download the coupon and I haven't heard anything back from their webmaster.

If you have any information about this we would like to hear about it too.


Keywords: malware

A packet challenge and how I solved it

Published: 2009-05-07
Last Updated: 2009-05-08 00:03:08 UTC
by Jim Clausing (Version: 1)
2 comment(s)

Yesterday morning (EDT in the US), our friend Chris Christianson twittered the following:

4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264   

I didn't see it in time to win his little challenge, but I figured I'd throw out how I decoded it and how I would have responded had @quine not already beaten me to it.  It was pretty obviously (well, to us packet geeks anyway) an IPv4 packet in hex, so I copied the text and saved it in a text file named foocap.txt (I could have just used echo, but I thought I might want to go back to it).  Then I ran the following (note: text2pcap is part of the wireshark package, so that and tcpdump both need to be installed on your linux box to do this):


jac@cantor[531]$ cat foocap.txt | perl -pe 'print "000000 ";s/(..)(..)\s/$1." ".$2." "/ge' | \
text2pcap -e 0x800 - - | tcpdump -Xnnr - 
Input from: Standard input
Output to: Standard output
Generate dummy Ethernet header: Protocol: 0x800
Wrote packet of 54 bytes at 0
Read 1 potential packet, wrote 1 packet
reading from file -, link-type EN10MB (Ethernet)
11:10:08.000000 IP 127.0.0.1 > 127.0.0.1: ICMP echo request, id 23079, seq 512, length 34
    0x0000:  4500 0036 308b 0000 4001 0000 7f00 0001  E..60...@.......
    0x0010:  7f00 0001 0800 89f3 5a27 0200 3173 7432  ........Z'..1st2
    0x0020:  444d 6d65 6765 7473 4153 7461 7262 7563  DMmegetsAStarbuc
    0x0030:  6b73 6361 7264                           kscard


And there it is.  An ICMP echo request that says the first to DM him (via twitter) gets a Starbucks card.  So, my response would have been to take the payload and run it through hping3 to create an echo response packet (or maybe just change the ICMP type, that would have been even simpler).  Of course, I don't drink coffee, but I suppose my daughter could have used the card.  It turns out that (hping3) is how Chris created the original packet anyway, so he probably would have enjoyed getting an echo reply back as the response.  Anyway, he posted about his challenge on his blog, you can find it here: http://ismellpackets.wordpress.com/2009/05/06/packet-challenge/
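If you would rather not depend on text2pcap and tcpdump, the same decode can be done by hand. The following is an added example, not part of Jim's diary or of Chris's original challenge: it parses the IPv4 and ICMP headers out of the tweeted hex, verifies the ICMP checksum (which is why the 0x89f3 in the dump is trustworthy), notes that the IP header checksum was left at zero (typical of a packet crafted in userland before any kernel touched it), and then builds the echo reply the diary suggests by flipping the ICMP type from 8 to 0, swapping the addresses and recomputing both checksums so the reply would be valid on the wire. The function and field names are my own choices; only the Python standard library is used.

```python
"""Decode the challenge packet by hand and build the echo-reply answer."""
import ipaddress
import struct

# Constructed copy of the hex dump from the tweet (16-bit words, whitespace-separated).
CHALLENGE_HEX = (
    "4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 "
    "3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264"
)

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(hexdump: str) -> dict:
    """Parse an IPv4 header plus an ICMP echo message from a hex dump.

    Returns the fields tcpdump prints, plus whether each checksum verifies.
    Summing a header together with its own checksum field gives 0 when it is right.
    """
    raw = bytes.fromhex("".join(hexdump.split()))
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, _ip_csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 1:
        raise ValueError("IP protocol %d is not ICMP" % proto)
    if total_len != len(raw):
        raise ValueError("IP total length %d != %d bytes present" % (total_len, len(raw)))
    icmp = raw[ihl:total_len]
    icmp_type, icmp_code, _icmp_csum, echo_id, echo_seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "ip_id": ident,
        "ip_checksum_ok": inet_checksum(raw[:ihl]) == 0,   # False here: hping3 left it 0x0000
        "icmp_type": icmp_type,
        "icmp_code": icmp_code,
        "icmp_id": echo_id,
        "icmp_seq": echo_seq,
        "icmp_len": len(icmp),                             # tcpdump's "length 34"
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "payload": icmp[8:],
    }


def make_echo_reply(hexdump: str) -> bytes:
    """Turn the request into the reply: swap addresses, flip the ICMP type, fix both checksums."""
    raw = bytearray(bytes.fromhex("".join(hexdump.split())))
    ihl = (raw[0] & 0x0F) * 4
    # Swap source and destination (a no-op for 127.0.0.1 > 127.0.0.1, but correct in general).
    raw[12:16], raw[16:20] = raw[16:20], raw[12:16]
    # Fill in the IP header checksum the original left at zero.
    raw[10:12] = b"\x00\x00"
    struct.pack_into("!H", raw, 10, inet_checksum(bytes(raw[:ihl])))
    # ICMP type 8 -> 0, zero the checksum field, recompute over the whole ICMP message.
    raw[ihl] = ICMP_ECHO_REPLY
    raw[ihl + 2:ihl + 4] = b"\x00\x00"
    struct.pack_into("!H", raw, ihl + 2, inet_checksum(bytes(raw[ihl:])))
    return bytes(raw)


if __name__ == "__main__":
    pkt = parse_ipv4_icmp(CHALLENGE_HEX)
    kind = "echo request" if pkt["icmp_type"] == ICMP_ECHO_REQUEST else "echo reply"
    print("IP %s > %s: ICMP %s, id %d, seq %d, length %d" % (
        pkt["src"], pkt["dst"], kind, pkt["icmp_id"], pkt["icmp_seq"], pkt["icmp_len"]))
    print("payload:", pkt["payload"].decode("ascii"))
    print("ICMP checksum ok:", pkt["icmp_checksum_ok"], " IP checksum ok:", pkt["ip_checksum_ok"])
    print("reply:", make_echo_reply(CHALLENGE_HEX).hex())
```

Because changing the type from 8 to 0 only lowers the one's-complement sum by 0x0800, the reply's ICMP checksum comes out as 0x89f3 + 0x0800 = 0x91f3, which is what hping3 would have produced for the same payload. The hex that make_echo_reply returns can be fed straight back through the text2pcap | tcpdump pipeline above to confirm it decodes as an echo reply.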

Keywords: packets

Botnet hijacking reveals 70GB of stolen data

Published: 2009-05-07
Last Updated: 2009-05-07 23:47:24 UTC
by Deborah Hale (Version: 1)
0 comment(s)

Thanks to our reader Crill today.  He gave us a heads up on an interesting research project recently conducted at a large university.

newsfeedresearcher.com/data/articles_t19/botnet-torpig-researchers.html

It appears that the university's researchers took control of the Torpig botnet and watched its activity for ten days. They discovered:

"During the ten days in which they had control of the botnet, the researchers made some interesting observations. Although they recorded more than 1.2 million IP addresses for infected systems, on the basis of unique bot IDs recorded, this turned out to represent only 180,000 systems."

And what did they find:

"Over these ten days Torpig sent large volumes of data to the researchers, including details of 8310 accounts at 410 different financial institutions."

Check out the link for the full report of what they found and more interesting facts. The scary thing is that this is just one of many of these types of botnets wreaking havoc on the Internet every day.  I know....  I deal with them continuously due to customers with infected machines sending massive amounts of spam.  Shut one down and another takes its place.  The joy of the Internet.


Keywords: botnet