SANS ISC: New MyDoom Variation; SHA1; an increase in port scanning on ports 137 and 445; port 41523 captures

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

New MyDoom Variation

It has been reported that a new variation of MyDoom has been spreading on the Internet tonight. Like many of the previous variations of the MyDoom virus, the email appears to come from the ISP of the recipient and contains an executable or zipped attachment. Below is an example of the body

Dear user <insert email address>,



Your email account has been used to send a huge amount of unsolicited

commercial email messages during this week. We suspect that your

computer was compromised and now contains a hidden proxy server.



We recommend you to follow the instructions in order to keep your

computer safe.



Have a nice day,

<insert domain name> support team.

For more information on this variation, please see:

<A href="http://secunia.com/virus_information/15463/mydoom.bb/">http://secunia.com/virus_information/15463/mydoom.bb/

<A href="http://vil.nai.com/vil/content/v_131856.htm">http://vil.nai.com/vil/content/v_131856.htm

<A href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.BB">http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.BB

<A href="http://www.sarc.com/avcenter/venc/data/w32.mydoom.ax@mm.html">http://www.sarc.com/avcenter/venc/data/w32.mydoom.ax@mm.html

<A href="http://www.sophos.com/virusinfo/analyses/w32mydoomo.html">http://www.sophos.com/virusinfo/analyses/w32mydoomo.html

SHA1

Reports of the demise of the SHA1 hashing algorithm are abound today.
Little is actually known about the attack just that a paper is being circulated and it is "bad".

Here are some realistic actions that can be taken now while this begins to reveal itself:
- Inventory where SHA1 is in use in your organization

- Determine which uses may be at risk. Early reports say that the HMAC function is not affected so your VPNS and SSL are in good stead.

- Check for measures that can be used in parallel with SHA1 to protect valuable data (such as combining MD5 with SHA1 side by side.)

- Be prepared to update or replace systems using (dependant on) SHA1 when it becomes available. (In many cases this means waiting on a vendor).


That said the world is not ending today. Your applications that depend on SHA1 (or MD5 for that matter) are still going to work and protect your data for the most part. By employing the principles of defense in depth and practicing due diligence we will find most of our cryptographic needs will be met until a vetted replacement for SHA1 is available.

It will be interesting to see how NIST and other government agencies (both US and abroad) handle this. We will update the diary as more information becomes available.

ports 137 and 445

Ports 137 and 445 scans are on the rise. There are also some reports of vast scanning on port 1026. These should all be blocked at the firewall of course.
They may be related in part to Symantec's release of new information on spybot/agobot/phatbot variants.
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.jpb.html
Thanks Deb!

port 41523

We have had one submission of packets for port 41523, thank you. We need some more. If anyone can get a complete 3 way handshake that would really help us out.
One useful technique that I am running is with netcat:

$nc -l -p 41523 > port41523.txt

I also have tcpdump running at the same time. I am not seeing any of this traffic in my neck of the Internet though.

Dan Goldberg

MADJiC Consulting, Inc.

dan at madjic dot net