SANS ISC: MS05-051 (MSDTC) Malware / Port 1025 SANS ISC InfoSec Forums

MS05-051 (MSDTC) Malware / Port 1025
A blog entry over at F-Secure mentions a new piece of malware dubbed "Dasher.A" that is trying to exploit the MS05-051 (aka MSDTC) vulnerability. The spreading mechanism seems to be very unreliable, but it likely explains the surge in port 1025 traffic we've seen recently. The captured packets look a lot like what the MS05-051 POC exploit posted at would cause. [Thanks to Juha-Matti and David for reporting this.]

Update 15:27 UTC: Georg Wicherski from the German Honeynet Project has successfully captured the full exploit, including payload, on one of these tcp/1025 attacks. The payload will be called Dasher.B by F-Secure. Unlike the .A variant, this one does work, and it drops a keylogger. Georg is planning to update mwcollect with MS05-051 detection and capture code over the next few days.


ISC Handler
Dec 15th 2005