SANS ISC: InfoSec Handlers Diary Blog

ms08-067 exploitation by 61.218.147.66

Published: 2008-11-05
Last Updated: 2008-11-05 15:31:35 UTC
by donald smith (Version: 1)

Tillmann at mwcollect.org wrote in with a sample ms08-067 analysis.

"we've caught an MS08-067 exploitation attempt and provide the trace and a brief analysis here: http://honeytrap.mwcollect.org/msexploit"

The analysis is good. They have sample packets of the exploit and of the call-back shell, and they show an example of running libemu's sctest against the shellcode. They identify the exploiting IP as 61.218.147.66. That IP is definitely scanning IP addresses sequentially on TCP 445 looking for vulnerable systems, so blocking it at your enterprise gateway is recommended.
UPDATE:
Emerging Threats has released signatures to catch the Trojan check-in and the worm's outbound traffic.

2008737 - ET CURRENT_EVENTS KernelBot/MS08-67 related Trojan Checkin (emerging.rules)
2008739 - ET CURRENT_EVENTS MS08067 Worm Traffic Outbound (emerging.rules)
http://doc.emergingthreats.net/bin/view/Main/2008737
http://doc.emergingthreats.net/bin/view/Main/2008739
Joel covered Sourcefire's signatures and other details related to this activity in his diary here:
http://isc.sans.org/diary.html?storyid=5275
