DommJuice variant / AOL IM issue / ISC webcast / Microsoft Patches

Published: 2004-02-11
Last Updated: 2004-02-11 21:57:32 UTC
by Pedro Bueno (Version: 1)
0 comment(s)
DoomJuice New Variant



A new variant of DoomJuice was discovered today. According the F-secure analysis, this new variant also targets Microsoft website. "This new variant tries to improve the Distributed Denial-of-Service attack on www.microsoft.com".
This time it will sets random HTTP headers:

User-Agent: Mozilla/4.0

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0)

Accept-Encoding: gzip, deflate

Accept-Language: en

Accept-Language: en-us




A packet capture sample, by the ISC Handler Lenny Zeltser:

02/10-23:17:22.587900 192.168.232.136:2875 -> 192.168.232.135:80

TCP TTL:128 TOS:0x0 ID:9216 IpLen:20 DgmLen:243 DF

***AP*** Seq: 0x7DC55 Ack: 0x7CA887AD Win: 0x2238 TcpLen: 20

47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A GET / HTTP/1.1..

41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 41 63 63 Accept: */*..Acc

65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E ept-Language: en

2D 75 73 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F -us..Accept-Enco

64 69 6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C ding: gzip, defl

61 74 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A ate..User-Agent:

20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F Mozilla/4.0 (co

6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 mpatible; MSIE 6

2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 .0; Windows NT 5

2E 31 29 0D 0A 48 6F 73 74 3A 20 77 77 77 2E 6D .1)..Host: www.m

69 63 72 6F 73 6F 66 74 2E 63 6F 6D 3A 38 30 0D icrosoft.com:80.

0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 .Connection: Kee

70 2D 41 6C 69 76 65 0D 0A 0D 0A p-Alive....




According Lenny, the new DoomJuice uses a different file name when copying itself locally,and a different registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
C:\WINDOWS\SYSTEM\regedit.exe

Note that the real Windows-supplied regedit.exe is in C:\WINDOWS, and is not
overwritten by the new DoomJuice.


The attack against Microsoft website is set to start after 12th of February.


Reference: http://www.f-secure.com/v-descs/doomjuiceb.shtml




ISC Webcast



Today´s ISC Webcast, the Monthly Threat Update, which covered some this month´s issues like MyDoom, Microsoft Patches and the Monthly relevant numbers, will be soon available at http://www.sans.org/webcasts/



Mailbag


Some users are asking us about a possible DDoS at Microsoft Windows Update website due to the slow access to it.
There is no indication of such activity, but this symptom could be a direct result of the Microsoft Security Bulletins released yesterday with three new updates.


Reference: http://isc.sans.org/diary.html?date=2004-02-10



AOL IM pseudo-virus-adware



We are receiving some reports about the called "IM virus". As included in yesterdays diary (http://isc.sans.org/diary.html?date=2004-02-10).


In short, a link is received by the user (www.wgutv.com/osama_capture.php?XxCC), and when he/she clicks in the URL, it will be directed to the website, and be prompted to install a "News Player" which will also install some tools in the computer and also send the same alerts to your buddy list.



From this software Terms and Privacy Policy, you can find the following disclaimer:


/*

Services; Modifications to Your Instant Messaging Client.
The Software provides you the opportunity to access Content for no charge. In return for the right to access this Content, you acknowledge and agree that the Software contains additional software products provided to PSD Tools by its suppliers which will periodically deliver additional Content such as, but not limited to, advertisements and promotional messages to your Computer and programs that may alter your home page to offer you Content. In addition, the Software will interoperate with your current instant messaging client so as to permit the automatic sending of advertising messages originating from your Computer to your contact or ?buddy? list regarding Content offered by PSD Tools or its suppliers. If you desire to stop this activity, you may elect to stop the messages by navigating to the ?buddylinks.net? entry in your ?Start Menu?, selecting the ?buddylinks.net Configuration? item, and unchecking the appropriate option. You may also refer to PSD Tools? website at http://www.psdtools.com for an uninstaller.

*/



The installer can not be found at http://www.psdtools.com , but in http://www.buddylinks.net/support.php page.


So, as best practices, be careful when allowing anything to be installed in your computer.
Microsoft Patches


Just a note to remember about the just released Microsoft Patches and posted in yesterday's diary.

Reference: http://isc.sans.org/diary.html?date=2004-02-10

---------------------------------------------------

Handler on duty: Pedro Bueno
Keywords:
0 comment(s)

Comments


Diary Archives