03/09 Webcast Update; Possible Adware/Spyware Infection Via Worm; The Pain of Dealing With IRCBot's

Published: 2005-03-10
Last Updated: 2005-03-11 04:07:18 UTC
by Deborah Hale (Version: 1)
0 comment(s)
03/09 - ISC/SANS Webcast Update

In follow-up to Wednesday's Webcast our respected and fearless leader Johannes, has asked me to post the following links for your review. As a good little "volunteer worker bee", I comply. And so here are the links.






Possible Adware/Spyware Infection Via Worm

The Handlers recieved an email today from one of our faithful followers. It was of great interest to me because what Karl and his network people (at an "EDU") are seeing is very similar to what I have been seeing (at an "EDU") as well. I am not sure if it is only the EDU folks seeing this or if we are the only ones that are talking about it. Anyway - here is an excerpt from his email. (Thanks Karl for giving your permission for me to share this with our readers).
Excerpt from Karl's email:
We apparently have a worm on our network that downloads a bunch of adware
and spyware on our computers immediately after infecting them. The worm
seems to be controlled from the site dust.page.us. We have blocked
communications to this site through the firewall and the list of
computers infected with it does not seem to be growing since we blocked the site.
The worm seems to spread through a Windows RPC buffer overflow vulnerability.
Once it executes the buffer overflow, it downloads a file called dust.zip
from dust.page.us. It is infecting workstations with WinXP SP1.
If there is anyone else that is seeing this I would be really interested in hearing about it. I would like to know if anyone outside of the Educational world is experiencing similar infections. If you can (will) share your story I would really like to hear about it.

The Pain of Dealing With IRCBot's

This has definitely been a stressful day for me. I have been following the trail of an IRCBot. It appears at this point that the entry point or "Open Backdoor" was an installation of Wild Tangent Game Control on one of the machines in a "large" network. This particular situation was tracked down by examining Sonicwall Log files and studying the traffic going to and fro. It was unusual ICMP traffic that first caught my attention. I could see that we had some computers connecting to an IP address that led to a website that says it is in Harrisburg PA. The website "screams rookie". It is by far the most unsophisticated that I have seen in a long time. It was extremely obvious that this was not a website that had anything to offer computers in our network. We could not figure out where the computer on the inside of our network was located (not a name that we recognized) so we disabled the internal IP address in and out. We hoped that this would prompt a call from our remote location saying something was wrong with a computer. Sure enough it did. We were able to locate the device and take a look at what was going on. This little fellow had a live IRCBot connection - Wild Tangent Game Control and some music downloader junk on it. We cleaned up the mess, removed all of the unauthorized programs, installed the anti-virus program and sat back and watched the fun. Didn't take long after we brought the computer back online that we started seeing other machines trying to connect. This trail lead us to an additional 6 computers within the facility that were attempting to connect. All 6 machines were taken off-line and are being analyzed to determine what is installed that is trying to "call home".

I find it interesting and intriquing to see how quickly these little fellows populate and infect a network. I am also amazed at how sneaky these things can be. If only the creators of these little worms, parasites and viruses would use their creative spirits for good instead of evil think about what a wonderful Internet we could create.

Oh what a wonderful dream that is. Until then, I and my fellow Handlers will continue to fight the good fight and keep you informed.

For more valuable information about what you can do to protect your network check out the resources at SANS Institute. For lots of valuable information look at SANS Computer Security Newsletters and Digests. Enjoy.

I now turn the Net over to the only other female Handler. Lorna - It is all yours. Have a goodnight and keep the net safe.

Deb Hale

Handler On Duty

0 comment(s)


Diary Archives