
SANS ISC: On Dasher - SANS Internet Storm Center


On Dasher

Despite efforts to cut off the distribution points (http://www.honeynet.org.cn/honeyneten/index.htm), new versions of Dasher continue to pop up.  Symantec identified Dasher.C yesterday, which added an anti-security-software payload (your typical "disable anti-virus and firewall" type of gig).  New versions with new distribution points and signature-evasion changes continue to come out.  Before you ask "which ones don't detect it?": right now, it's most of them.  In a few hours, I hope that list will be much shorter.

It would be simply swell if the AV developers would write sigs for the samples that we're sending them.  I know it's a weekend... but I'm working.

So, why is Dasher "finding legs," or why is it successful?

To answer that, we have to ask Microsoft: why are services listening on ephemeral ports?  Or, why are some filtering/firewall strategies blocking only ports 1024 and below?


Overall, the response procedure appears to be working.  The 1025/TCP scans were detected, packets were gathered, the vector was identified, examples of the code were captured, and command-and-control points were neutralized.  Everything went according to plan, just not as quickly as I hoped.
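The detection step above (spotting 1025/TCP scans) and the filtering question (what an "only block 1024 and below" rule lets through) can be checked against firewall logs. The following is an added example, not code from the diary or from the ISC; the log format, the sample lines, and the three-target threshold are all constructed assumptions, so adapt the regex to your own firewall's export.

```python
"""Flag hosts horizontally probing TCP/1025 in firewall logs (added example)."""
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not a real product's):
# <timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one source sweeping 1025/TCP across a /24, one
# ordinary client on 1025, one HTTPS connection, one UDP stray.
SAMPLE_LOG = """\
2005-12-17T10:00:01 DENY TCP 203.0.113.7:3321 -> 192.0.2.10:1025
2005-12-17T10:00:01 DENY TCP 203.0.113.7:3322 -> 192.0.2.11:1025
2005-12-17T10:00:02 DENY TCP 203.0.113.7:3323 -> 192.0.2.12:1025
2005-12-17T10:00:02 ALLOW TCP 203.0.113.7:3324 -> 192.0.2.13:1025
2005-12-17T10:00:03 DENY TCP 203.0.113.7:3325 -> 192.0.2.14:1025
2005-12-17T10:00:03 ALLOW TCP 198.51.100.4:51002 -> 192.0.2.10:1025
2005-12-17T10:00:04 ALLOW TCP 198.51.100.9:40000 -> 192.0.2.10:443
2005-12-17T10:00:05 DENY UDP 203.0.113.7:3326 -> 192.0.2.15:1025
"""

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec

def find_1025_scanners(log_text, min_targets=3):
    """Map src_ip -> sorted distinct dst_ips for sources that touched TCP/1025
    on at least min_targets hosts. ALLOW and DENY count alike: a blocked probe
    still reveals the sweep, an allowed one reveals a gap in the filter."""
    targets = defaultdict(set)
    for rec in parse(log_text.splitlines()):
        if rec["proto"] == "TCP" and rec["dport"] == 1025:
            targets[rec["src"]].add(rec["dst"])
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

def allowed_1025_hits(log_text):
    """(src, dst) pairs the firewall let through to TCP/1025: each dst is a host
    reachable on an ephemeral-range port that a '<=1024 only' rule never covered."""
    return [(r["src"], r["dst"]) for r in parse(log_text.splitlines())
            if r["proto"] == "TCP" and r["dport"] == 1025 and r["action"] == "ALLOW"]

if __name__ == "__main__":
    for src, dsts in find_1025_scanners(SAMPLE_LOG).items():
        print(f"{src} probed TCP/1025 on {len(dsts)} hosts: {', '.join(dsts)}")
    for src, dst in allowed_1025_hits(SAMPLE_LOG):
        print(f"ALLOWED: {src} reached {dst}:1025")
```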

Now, I'm waiting for Prancer.

Kevin Liston
