
SANS ISC: VBS.Pub Worm, RTT Measurement Probes, ARIN in-addr.arpa, IE Exploits - SANS Internet Storm Center


VBS.Pub Worm


Symantec is reporting a mass-mailing VBScript worm dubbed "VBS.Pub". While the worm doesn't possess any earth-shattering characteristics to make it a significant propagation threat, it will delete all the files on an infected host if the day is the 6th, 13th, 21st, or 28th.

http://www.sarc.com/avcenter/venc/data/vbs.pub.html



RTT Measurement Probes


One submission reported a probe that had an in-addr.arpa address of "performance-probe.Internap.THIS-IS_HARMLESS-It_is_a_Traceroute_or_Ping_packet.BGP-route-control.data393.net".

While we don't recommend assuming traffic is harmless just because the DNS name says it is, this particular probe is likely the result of a round-trip-time (RTT) measurement by routing optimization company Internap. Organizations like Internap regularly use ICMP traffic to measure RTT characteristics so they can route customer traffic around congested network access points, and such probes are unlikely to be malicious in nature.


ARIN in-addr.arpa


A post on the NANOG list indicates that the American Registry for Internet Numbers (ARIN, www.arin.net) is not providing reverse-lookup forwarding for any networks in the range 206.46.0.0 - 255.255.0.0. A quick "whois -h whois.arin.net 206.46.0.0" indicates this is a correct assessment at the time of this writing.

This issue is problematic for organizations that block SMTP traffic from hosts that do not have matching forward and reverse DNS entries, since it is not currently possible to resolve these addresses from the authoritative source. This may result in mail not being delivered from hosts originating in this address range. This appears to be primarily affecting Verizon customers, who delegate addresses in this range to customers. No word from ARIN on the reason for the outage at this time.

http://www.merit.edu/mail.archives/nanog/msg04861.html
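The matching forward and reverse DNS check that such mail filters apply, and the reason a reverse name alone (as in the RTT probe item above) proves nothing, shown as an added example that is not part of the original diary. The zone data, the resolver stand-ins and the SMTP policy mapping are constructed assumptions, and the broken reverse zone is assumed to surface as a lookup failure rather than a definitive "no record" answer.

```python
import ipaddress

class TempFail(Exception):
    """No answer obtainable (SERVFAIL, timeout, missing or lame delegation)."""

# Constructed sample data (documentation address ranges, not real hosts).
PTR = {
    "10.2.0.192.in-addr.arpa": ["mail.example.org"],
    "66.100.51.198.in-addr.arpa": ["this-is-harmless.example.net"],
}
ADDRS = {
    "mail.example.org": ["192.0.2.10"],
    "this-is-harmless.example.net": ["203.0.113.5"],  # does not map back
}
BROKEN_REVERSE_ZONE = "113.0.203.in-addr.arpa"  # models an undelegated range

def lookup_ptr(qname):
    if qname.endswith("." + BROKEN_REVERSE_ZONE):
        raise TempFail(qname)
    return PTR.get(qname, [])

def lookup_addrs(name):
    return ADDRS.get(name, [])

def fcrdns(ip, ptr=lookup_ptr, addrs=lookup_addrs):
    """Forward-confirmed reverse DNS: return (verdict, ptr_name)."""
    addr = ipaddress.ip_address(ip)
    try:
        names = ptr(addr.reverse_pointer)
        if not names:
            return ("none", None)       # authoritative answer: no PTR record
        for name in names:
            if any(ipaddress.ip_address(a) == addr for a in addrs(name)):
                return ("pass", name)   # the name resolves back to the client
        return ("fail", names[0])       # PTR text alone proves nothing
    except TempFail:
        return ("tempfail", None)       # lookup failed; this is not a "no"

def smtp_action(verdict):
    """Hypothetical policy: defer, rather than reject, when DNS itself failed."""
    return {"pass": "250 accept",
            "fail": "550 reject: forward/reverse DNS mismatch",
            "none": "550 reject: no reverse DNS",
            "tempfail": "451 defer: reverse DNS lookup failed"}[verdict]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.66", "192.0.2.99", "203.0.113.7"):
        verdict, name = fcrdns(ip)
        print(ip, verdict, name, "->", smtp_action(verdict))
```

In a real filter the two lookup functions would be replaced by calls to the site's resolver; the point of the separate `tempfail` verdict is that mail from a range whose reverse zone cannot be resolved is queued by the sender and retried instead of bounced.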



IE Exploits


We have received multiple notices indicating that fully-patched Windows hosts are becoming compromised due to various Internet Explorer flaws, which may be used to turn compromised systems into SPAM relay engines, load popup marketing advertisements, install keystroke loggers and countless other malicious activities. An incomplete list of alternative browsers can be found at http://download.com.com/3150-2356-0.html?tag=dir .



Just a reminder that tomorrow is Terpsichorean-Tuesday, where Microsoft is expected to announce patches to Windows and associated products.


--Joshua Wright/Handler on duty