Diary Updates- Got WINS Packets - Brazil Welcomes You - Framed! - Mailbag

Published: 2005-01-04
Last Updated: 2005-01-05 02:05:50 UTC
by Chris Carboni (Version: 1)
0 comment(s)
Keeping You Updated More Frequently

At the ISC, we recognize that security information changes often and those changes need to be communicated quickly. That need is balanced by the ability of our volunteer staff to identify, verify and communicate the information during what are often hectic work days.
Beginning today, and based on the availability of the Handler On Duty, we're attempting to update the diary as frequently as events warrant during the day.

Give us a few days or even a week and then look for a new poll. Until then, as always, feedback is welcome.


Update: 01:52 UTC - New Trojan Making the Rounds

An alert reader (thanks Mike!) forwarded a rather poorly crafted phishing attempt. Attached to the mail, is a zip file containing setup.exe. According to virustotal.com, setup.exe is detected as ..
Antivirus Version Update Result
AntiVir 6.29.0.5 01.04.2005 -
BitDefender 7.0 01.04.2005 -
ClamAV devel-20041205 01.03.2005 -
DrWeb 4.32b 01.04.2005 -
eTrust-Iris 7.1.194.0 01.05.2005 -
eTrust-Vet 11.7.0.0 01.04.2005 -
F-Prot 3.16a 01.01.2005 -
Kaspersky 4.0.2.24 01.05.2005 Trojan-Spy.Win32.Goldun.a
NOD32v2 1.964 01.04.2005 -
Norman 5.70.10 12.31.2005 -
Panda 8.02.00 01.04.2005 Suspect File
Sybari 7.5.1314 01.05.2005 Trojan-Spy.Win32.Goldun.a
Symantec 8.0 01.04.2005 -

Here is the text of the e-mail:
Dear user of E-gold. By the reason that the last time the number of complaints of unapproved removal of money resources became more often, we ask you to install the following service pack on your computer. This renovation blocks all known Trojan modules which allow removal of your money without your permission. - In case of losing money from your account, E-gold *DOES NOT* take any responsibility if this service pack wasn't installed on your computer. - The installation file is on the archive attached to this letter. -------------------------------------------------- * * * Read/Save/Print this email message * * * -------------------------------------------------- Important information about your e-gold account: - It's OK to tell others your e-gold account number! Other e-gold Users need your e-gold account number in order to Spend e-gold to you. So don't hesitate to display it on your web page, your business cards, or your e-mail signature file. - However, *DO NOT* reveal your passphrase to others!!! Anybody with knowledge of both your e-gold account number and your e-gold passphrase has complete access to your e-gold account; therefore, do not reveal your e-gold account passphrase to others. *NEVER* enter your passphrase on any website other than the www.e-gold.com web site. e-gold Resource Links: - e-gold Account User Agreement: Ever used a currency with a contract at all, let alone one that clearly outlined the Issuer's obligations to you? Well, you are now! Truly a "must read" for any e-gold User: http://www.e-gold.com/unsecure/[url_removed] - e-gold Incentive Program Information: Spread the word that better money has arrived and get paid some of it for doing so (please don't spam): http://www.e-gold.com/unsecure/[url_removed] - e-gold brochure: Having trouble coming up with the words? Use these (we do!): http://www.e-gold.com/unsecure/[url_removed] - e-gold Directory: Whether you want to obtain some e-gold or part with some, we have some links to get you started: http://www.e-gold.com/unsecure/[url_removed] --------------------------------------------- Thank you for using e-gold! --------------------------------------------- Samples have been submitted to the AV vendors.


WINS Server Vulnerability (Blatantly stolen from Scott's diary entry yesterday)

As many of you are aware, the WINS server vulnerability (MS04-045) appears to be getting exploited. The ISC, and other organizations have seen a marked increase in the probes directed at WINS services (42/tcp) since December 31, 2004. The Research and Education Networking ISAC has graphs showing marked increases in these probes on Internet2 via the Abilene network netflows.

So, if you have not patched your WINS servers in respective companies or campuses, beware. Patching these systems is now overdue. Additionally, WINS services probably should not cross your border router. SO please block these ports and keep the rif-raf out in case your local Windows Server Admins have not patched for this over the holidays.

If any of you have packet captures of this activity, please do not hesitate to send it on to the ISC for analysis.


A Bit Too Friendly of a Welcome For My Taste(thanks to Pat Nolan)

Certain URLs at brazilwelcomesyou.com have been handing out malware. Be warned that following a link to brazilwelcomesyou.com may cause malware to be downloaded to your system without your knowledge. But you're not worried, you don't use IE, right? And if you do, you're fully patched, right?

Here's the report we received from a source who wishes to remain anonymous.

We have managed to come across a well known site "classmates.com" than seems to have had one of it's banner hosting companies "brazilwelcomesyou.com" compromised. The details are as follows:

1) when using classmates.com several banner appear once logged one of these banners is advertising coming to brazil for a vacation.

2) When you get that certain browser ad from "brazilwelcomesyou.com" it does a quick browser check and if you are running IE. If you are found to be running IE then it adds a javascript "defer" script to the page that loads the ms-its exploit.

3) if you are vulnerable to the exploit then it then downloads a .cab file that runs on the victim machine.
We also know that if you try to view the image page with firefox or opera the extra code won't appear on the brazil site. Also if you try to pull down with lynx or wget the [IP Removed] IP's "counter.js" file the javascript bombs with a variable equaling 22.

brazilwelcomsyou.com has been made aware of the situation.


It's Not Us

We've recieved quite a few reports from people claiming that we were trying to break into thier systems using Back Orifice.

When we checked it out, it was determined that the source IP address (which is in a net block we own) was spoofed.

From the Mailbag

Subject: Overrated Security Topics

IMHO, all of the listed topics are real, or potential, threats.

Looking at the poll results, YES, cyber-terrorism is probably the currently least threatening.

BUT, until 9/11/2001, Arab Terrorism was a joke to the western world. The US had TWO movies about the attempted bombings of the World Trade Center in 1993, both of them showed the Arab terrorists as bumbling idiots. They were repeatedly shown on US TV 1993 - 2001, but not after 9/11/2001.

The word "overrated" is kind of frivilous. How about "currently least active" or something similar?

Please don't discount the reality of each of these threats by this poll. With our interconnected systems, cyberterrorism is a very real possibility. If a CT attack takes place, its impact could be much more serious than any of the other topics listed.

-cacroll


I think it's safe to say that we're not discounting the reality of -any- threat. Our intent, is to see what you, our readers see as the "least threatening".

Thanks for the feedback - keep it comming!


isc dot chris at gee mail dot com - Handler On Duty.
Keywords:
0 comment(s)

Comments


Diary Archives