German spam source found, Real services vulnerability

Published: 2004-06-11
Last Updated: 2004-06-12 11:06:28 UTC
by Dan Goldberg (Version: 1)
0 comment(s)
We have had one report of a user receiving traffic on multicast addresses
244.1.0.0 with a negative source port and a destination port of 4. Some
firewalls translate the source port to 0. We are interested in any one else
seeing similar traffic and packet traces.

The source of German right wing spam making its round on the Internet
the last few days has been identified as a variant of the sober worm. It
is identified by a file called datacrypt.exe and is launched in the registry
HKLM/software/microsoft/windows/currentversion/run/ The infection
method is the same as Sober.G. On start up it connects to a time server
in Berlin and then begins to send email messages.

Reports are being received relating to vulnerabilities in Realplayer services.
You may wish to block the ports listed below that the realplayer
services uses on firewalls. That will not completely mitigate this
vulnerability as it could be triggered by downloading (via http,ftp ...)
a realplayer movie and running it locally. I would recommend until
realplayer is patched on any vulnerable system that you disable
realplayer as the default application for opening .RA, .RM, .RV or
.RMJ. In XP you can do that by browsing to your c: drive and selecting a
folder then from the tool bar select folder options and file types. Look
for files opened by realplayer and change those to be opened by another
application or to not have a default application.

Well Known ports used by realservers.

TCP port 7070 for connecting to pre-G2 RealServers
TCP port 554 and 7070 for connecting to G2 RealServers
UDP ports 6970 - 7170 (inclusive) for incoming traffic only

Keywords:
0 comment(s)

Comments


Diary Archives