Port 80 and 445 activity
Dshield showed a huge spike in port 80 and 445 traffic on Saturday which appears to be slowing down again. This may have been due to scanning for (or actual denial of service attempts for) the MS04-007 vulnerability.
From the mailbag
An e-mail message making the rounds claims that the recipient is under "police investigation" and gives a link to follow for more information. This link downloads a Trojan onto the user's computer. The site (federalpolice.com) is still live at the time of this writing.
From the mailbag 2
An individual contacted the handlers asking whether or not they should call in their admin staff over the (holiday in the US) weekend to have them apply the MS04-007 patches. There are no known worms exploiting this vulnerability at this time (though one is probably only days away) and the exploit released yesterday was "only" a denial of service. Given that most organizations will block the ports used in this exploit at their firewalls, the risk is mostly from insiders. On the other hand, remember that many organizations have been hit hard by the last few significant worms even though their perimeters were reasonably secure when employees brought laptops that had been infected at home into work and plugged into company networks. Important servers should be patched as soon as possible and workstations and laptops should not be far behind. Each organization needs to do the risk analysis for itself (but the handler-on-duty's team was patching over the weekend).
---Jim ClausingI will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS New York City 2019
Feb 16th 2004
1 decade ago