1) One reader submitted a malware sample which, when run through VirusTotal, was detected as a Linux backdoor:

Engine      Version   Updated      Result
Ikarus                12.10.2005   Backdoor.Perl.Whoredoor.08
Kaspersky             12.10.2005
McAfee      4647      12.09.2005   Linux/BackDoor

2) On another note, Juha-Matti has pointed out an interesting trojan, Trojan.Spaxe. What makes it interesting is that it displays a balloon message that imitates the Windows Automatic Updates icon in the System Tray, with the following text:

"Your computer is infected!
Windows has detected spyware infection.

It is recommended to use special antispyware tools to prevent data loss.
Windows will now download and install the most up-to-date antispyware for you.

Click here to protect your computer from spyware."

Clicking on the balloon downloads a file from the Internet.

3) You may have read in the news that there will be a Sober worm attack on 5 Jan 06. This is because the current Sober variant is pre-programmed to activate on 5 Jan 06. The interesting part is that this Sober variant generates pseudorandom URLs that change based on the date. It also synchronizes its time against atomic clock servers, so it does not matter if the infected system's clock is wrong. F-Secure has published a list of URLs that you may want to block. You can read the details in F-Secure's writeup.

[Update to (3)]
On another note, LURHQ has a writeup on the key dates in the various Sober variants. It notes that the Sober.Y activation date is actually after 5 Jan 06: the logic is "current date > Jan 5", not "current date == Jan 5". Thanks to Dominic for pointing this out.
Koon Yaw

Dec 10th 2005