Last Updated: 2005-12-17 18:09:03 UTC
by Kevin Liston (Version: 1)
Despite efforts to cut off the distribution points (http://www.honeynet.org.cn/honeyneten/index.htm) new versions of Dasher continue to pop up. Symantec identified Dasher.C yesterday that added an anti-security-software payload (your typical disable anti-virus and firewall type of gig.) New versions with new distribution points, and signature-evasion changes continue to come out. Before you ask: "which ones don't detect it?" Right now, it's most of them. In a few hours, I hope that list to be much shorter.
It would be simply swell if the AV developers would write sigs for the samples that we're sending them. I know it's a weekend... but I'm working.
So, why is Dasher "finding-legs?" or why is it successful?
To answer that, we have to ask Microsoft: why are services listening on ephemeral ports? Or, why are some filtering/firewall strategies blocking only 1024 and below?
Overall, the response procedure appears to be working. The 1025/TCP scans were detected, packets were gathered, the vector was identified, examples of the code were captured, and command-and-control points were neutralized. Everything went according to plan-- just not quickly as I hoped.
Now, I'm waiting for Prancer.