Administrata; MS05-026 exploits in the field? No, not really; OpenRBL ist Kaput; Passive Reconnaissance and the Disaster Response threat-space; mod_jrun exploit sweep

Published: 2005-06-20
Last Updated: 2005-06-20 23:10:56 UTC
by Kevin Liston (Version: 1)


This is the after-lunch update. I usually like to post morning, afternoon, and closing commentary updates, but I wanted to give Lorna's fine overview of the risks of moving and Identity Theft a bit more eyeball time. One should go back and read the weekend's Diaries as part of one's Monday morning exercises.

MS05-026 exploits in the field?

The first incident of my shift involved an active exploit of MS05-026 (ED: no, Kevin, it's actually MS05-001, as we see below.) A spam message was blasted out to potential "customers," including a link to the poisoned website. It leveraged the MS05-026 (MS05-001, see above) HTML Help remote code execution (no, Security zone bypass) vulnerability to install a Haxdoor variant on the visitor's machine (well, I got one part right.)

Update: The following AV tools detect the initial Help Control exploit:

Antivirus     Version          Update        Result
ClamAV        devel-20050501   06.20.2005    Exploit.Helpcontrol
eTrust-Iris                    06.19.2005    HTML/HelpControl!Exploit!Trojan
eTrust-Vet                     06.20.2005    HTML.HelpControl!exploit
Fortinet                       06.20.2005    VBS/Phel.A-trM
Sybari        7.5.1314         06.20.2005    HTML/HelpControl!Exploit!Trojan

The following AV tools detect the Trojan dropped:

Antivirus     Version    Update        Result
AntiVir                  06.20.2005    BDS/Haxdoor.CW
Avira                    06.20.2005    BDS/Haxdoor.CW
Fortinet                 06.20.2005    W32/Haxdor.3048-tr
Kaspersky                06.20.2005
McAfee        4517       06.20.2005    BackDoor-BAC.gen.b
NOD32v2       1.1146     06.20.2005    a variant of Win32/Haxdoor
Sybari        7.5.1314   06.20.2005
Symantec      8.0        06.20.2005    Backdoor.Haxdoor.D
TheHacker                06.20.2005    Backdoor/
VBA32         3.10.3     06.20.2005

I'd prefer not to post further details at this time, to avoid false positives or exposing readers to a real danger.

Update: If one were to do one's job and follow up on what Exploit.Helpcontrol really triggered on, a few minutes of effort would finally turn up a link to:
Ahh, such is the dangerous life of a volunteer incident handler, living on the edge of exposing your stupidity and suffering the wrath of readers. :-)

OpenRBL ist Kaput

Visitors to http::// are greeted with a message reporting the demise of this free service. They are reporting that one can find similar services from and

Passive Reconnaissance and the Disaster Response Threat-space

While shopping for a gift for my old man last week, my attention was grabbed by Michal Zalewski's "Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks". From a simple flip through, it looks like some thought-provoking chapters are in there. I picked up a copy, because I can't resist another book to put on the bookshelf.

Recently, I participated in a disaster response drill with the State and Local Governments simulating a mass casualty accident. While managing my other duties in the drill, I took the opportunity to set up some passive sensors in the response centers to see what a potential attacker could pick up on when a massive group of first- and second-responders converges on a disaster scene.


There were the expected open 802.11x WAPs, but I was pleased not to see a plethora of wide-open Bluetooth devices full of juicy government contact numbers. This may simply have been caused by a lack of funds for said Governments to equip their staff with spiffy new cell phones, though.

Mod_jrun exploits spotted

Ben, a reader, has spotted an uptick in exploit attempts against mod_jrun on his servers.

And as always, make sure you've patched Macromedia JRun.

Solstice Wishes

Remember to have a nice solstice, be it winter or summer in your area!


Kevin Liston