New MyDoom Variation

It has been reported that a new variation of MyDoom has been spreading on the Internet tonight. Like many of the previous variations of the MyDoom virus, the email appears to come from the ISP of the recipient and contains an executable or zipped attachment. Below is an example of the body:

Dear user <insert email address>,

For more information on this variation, please see:

http://secunia.com/virus_information/15463/mydoom.bb/
http://vil.nai.com/vil/content/v_131856.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.BB
http://www.sarc.com/avcenter/venc/data/w32.mydoom.ax@mm.html
http://www.sophos.com/virusinfo/analyses/w32mydoomo.html

SHA1

Reports of the demise of the SHA1 hashing algorithm abound today. Little is actually known about the attack, just that a paper is being circulated and it is "bad". Here are some realistic actions that can be taken now while this begins to reveal itself:

- Inventory where SHA1 is in use in your organization.
- Determine which uses may be at risk. Early reports say that the HMAC function is not affected, so your VPNs and SSL are in good stead.
- Check for measures that can be used in parallel with SHA1 to protect valuable data (such as combining MD5 with SHA1 side by side).
- Be prepared to update or replace systems using (dependent on) SHA1 when a replacement becomes available. (In many cases this means waiting on a vendor.)

That said, the world is not ending today. Your applications that depend on SHA1 (or MD5 for that matter) are still going to work and protect your data for the most part.

By employing the principles of defense in depth and practicing due diligence we will find most of our cryptographic needs will be met until a vetted replacement for SHA1 is available. It will be interesting to see how NIST and other government agencies (both US and abroad) handle this. We will update the diary as more information becomes available.

Ports 137 and 445

Scans of ports 137 and 445 are on the rise. There are also some reports of vast scanning on port 1026. These should all be blocked at the firewall, of course. They may be related in part to Symantec's release of new information on spybot/agobot/phatbot variants.

http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.jpb.html

Thanks Deb!

Port 41523

We have had one submission of packets for port 41523, thank you. We need some more. If anyone can get a complete 3-way handshake, that would really help us out. One useful technique that I am running is with netcat:

$ nc -l -p 41523 > port41523.txt

I also have tcpdump running at the same time. I am not seeing any of this traffic in my neck of the Internet though.

Dan Goldberg
MADJiC Consulting, Inc.
dan at madjic dot net
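As an added example (not code from the diary), here is a small Python stand-in for that netcat listener: because it accepts the connection, the scanner's three-way handshake completes and whatever it sends first is written out as a timestamped record, which is the part a packet sniffer alone cannot show. The record format and the loopback helper capture_roundtrip are my own choices for illustration.

```python
import socket
import threading
from datetime import datetime, timezone

def record_line(peer, data):
    """One capture record: UTC time, source ip:port, byte count, payload hex."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} {peer[0]}:{peer[1]} {len(data)} {data.hex()}"

def read_payload(conn, idle_timeout=2.0):
    """Read until the peer closes or goes idle; a probe is usually one blob."""
    conn.settimeout(idle_timeout)
    chunks = []
    try:
        while chunk := conn.recv(4096):
            chunks.append(chunk)
    except socket.timeout:
        pass  # peer stayed connected but silent; keep what we have
    return b"".join(chunks)

class Listener:
    """Accept TCP connections on `port` (0 = ephemeral) and log each payload."""
    def __init__(self, port=41523, host="0.0.0.0"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def serve(self, records, max_conns=1):
        """Handle max_conns peers; accept() completes the 3-way handshake."""
        for _ in range(max_conns):
            conn, peer = self.sock.accept()
            with conn:
                records.append(record_line(peer, read_payload(conn)))
        self.sock.close()
        return records

def capture_roundtrip(payload, port=0):
    """Loopback demo (constructed): listen, connect to ourselves, send payload."""
    lst = Listener(port, host="127.0.0.1")
    records = []
    t = threading.Thread(target=lst.serve, args=(records, 1))
    t.start()
    with socket.create_connection(("127.0.0.1", lst.port)) as c:
        c.sendall(payload)  # the "scanner" side of the exchange
    t.join(10)
    return records
```

For real use, run Listener().serve([], max_conns=1) on the box facing the Internet and redirect its return value to a file, alongside tcpdump as the diary describes.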
Dan, 42 Posts, Feb 17th 2005