Another Virus, ISC Poll Results, Port 1433 scans

Published: 2004-12-29
Last Updated: 2004-12-30 22:20:29 UTC
by John Bambenek (Version: 1)
Update to the virus report below

Looks like the virus below is an old version of Bagle, specifically W32/Bagle.j@MM or W32/Bagle.n@MM, which appeared in March of 2004. We are still trying to validate that the binary attachment is the same. If anyone has an e-mail attachment that is not detected by existing anti-virus signatures, please send it to us.


http://vil.mcafeesecurity.com/vil/content/v_101071.htm

http://vil.mcafeesecurity.com/vil/content/v_101095.htm


Another Virus (update to the original diary)

We just got a report about a new virus spreading. Like other viruses in the past, it claims to come from the user's ISP. It is pretty well done, so you may want to try to filter it, or at least remind your users not to click.

Sample (the 'ISP.NET' parts will be replaced with the recipient's domain name):

(If you can, just block e-mail from 'administrator@yourdomain' at your external e-mail gateway. Typically, if you use such an account, your gateway will not receive e-mail from the outside with that 'From' address.)
From: administration@ISP.NET [mailto:administration@ISP.NET]

Sent: Wednesday, December 29, 2004 10:28 PM

To: user@ISP.NET

Subject: E-mail account disabling warning.
Hello user of ISP.NET e-mail server,
Our main mailing server will be temporary unavaible for next two days,

to continue receiving mail in these days you have to configure our free

auto-forwarding service.
For details see the attach.
Have a good day,

The ISP.NET team http://www.ISP.NET
(Spelling of the e-mail is left in its original state. We don't have the attached binary right now. If you have it, send it to us via our contact page http://isc.sans.org/contact.php .)
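The gateway check suggested above, written out as an added example (not code from the diary or from ISC): inbound mail from outside that claims to come from an administrative account in one of the gateway's own domains is flagged. The sample message, the domain "example.net", and the list of admin-style local parts are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Constructed sample, modelled on the diary's template, with the
# recipient's domain filled in as the placeholder "example.net".
SAMPLE_MSG = """From: administration@example.net
To: user@example.net
Subject: E-mail account disabling warning.

Hello user of example.net e-mail server,
For details see the attach.
"""

# Local parts that mail arriving from the outside should never claim as
# its sender; these accounts only ever originate mail internally.
ADMIN_LOCAL_PARTS = {"administrator", "administration", "postmaster"}


def should_block(raw_message: str, local_domains: set,
                 from_outside: bool = True):
    """Decide, at the external gateway, whether to reject a message.

    local_domains: the domains this gateway accepts mail for.
    from_outside:  True when the connecting peer is not an internal host.
    Returns (block, reason).
    """
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    local, domain = local.lower(), domain.lower()

    # Internal mail, or a sender domain we do not own, is out of scope here.
    if not from_outside or domain not in local_domains:
        return False, "sender is not a spoofed local address"

    # External host using one of our domains with an admin-style account:
    # exactly the pattern the virus mail relies on.
    if local in ADMIN_LOCAL_PARTS:
        return True, f"external mail claims local admin sender {addr}"

    return False, "local domain sender, but not an admin account"
```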

ISC Poll Results

We asked you what the most overrated security topics are and you answered. The top three results were:

Cyberterrorism (37%)

Correct Spelling (18%) - Johannes can no longer be faulted for typo's :)

Phishing (13%)


I certainly agree with cyberterrorism being overrated (though I'd say more overhyped), but phishing in my opinion is still an underrated threat. At least in the US it is, as the few times I dug into some of these phishing scams there was no small number of compromised accounts involved. I am surprised by the fact that there hasn't been large-scale exploitation, however.

Port 1433 scans

The UNISOG list has had reports of an increase in TCP port 1433 scanning. We haven't seen it, but if you have and have packet captures, please send them along for us to analyze.


ISC Reader's Diary

We are planning a diary for the first week of the New Year that is exclusively a "Reader's Diary". This will be a diary of inputs from you, our readers, to the rest of the world. We are looking for inputs that pertain to ISC, the Internet, New Year Predictions, suggestions, 'thank you' notes, almost anything (within reason). We will try to get all of the inputs posted, and they will be available for reading on January 2nd/3rd. Please include your name and valid email address. Names will be posted, however email addresses will be kept private.


Please submit entries to newyear@isc.sans.org by Jan. 2nd 1200hrs GMT to be added to the diary.
