
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-01-06



Student mules, More database holes, Microsoft spyware beta

Published: 2005-01-06
Last Updated: 2005-01-08 02:13:06 UTC
by Toby Kohlenberg (Version: 1)
Net fraud gang recruits students to launder money

Students are being paid to collect money stolen from victims whose account details were harvested with viruses or trojans.
http://australianit.news.com.au/articles/0,7204,11865688%5E15318%5E%5Enbv%5E,00.html

Microsoft news of the day

Microsoft has released the beta of their new spyware... er, make that spyware removal tool. It appears to be very similar (not surprising) to the GIANT product that they just purchased. We have heard some reports of false positives on things like WinPcap.
http://www.microsoft.com/athome/security/spyware/software/default.mspx

MS04-011 worm has been seen

Trend Micro reports on a worm that is taking advantage of the MS04-011 vulnerability. If you haven't patched this yet, you should be ashamed of yourself. Go patch right away.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HKTL_LSASSSBA.A&VSect=T

Update on WINS IDS detection

Snort successfully detects the WINS exploits being seen when using the Sourcefire rules. However, it must be configured with stream4_reassemble so that traffic from the client is reassembled, and you must explicitly add port 42 to the list of reassembled ports.
There are actually a number of signatures that don't work without reassembly turned on. If you aren't doing it now, you might want to check your config and see which sigs are missing as a result.
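
As an added check (example code written for this diary entry, not from the original post or from the Snort project), the script below reads a Snort 2.x snort.conf and reports whether its stream4_reassemble directive reassembles client data on TCP port 42. DEFAULT_PORTS stands in for your version's built-in default list, and the two config fragments are constructed.

```shell
#!/bin/sh
# Added example (not from the ISC diary or the Snort project): does a Snort 2.x
# snort.conf reassemble client->server TCP data on port 42 (WINS)?
# DEFAULT_PORTS stands in for the version's built-in default list; this one is
# the commonly shipped snort.conf example and is an assumption for your build.
DEFAULT_PORTS="21 23 25 53 80 110 111 139 143 445 513 1433"

# reassembles_port CONF PORT -> prints "yes" or "no" for the first active
# stream4_reassemble directive in CONF (commented-out lines are ignored).
reassembles_port() {
    conf=$1; port=$2
    line=$(grep -E '^[[:space:]]*preprocessor[[:space:]]+stream4_reassemble' "$conf" | head -n 1)
    if [ -z "$line" ]; then echo no; return; fi     # reassembly not enabled at all
    # Options follow the colon; they may be separated by commas or spaces.
    opts=" $(printf '%s\n' "$line" | sed -e 's/^[^:]*://' -e 's/,/ /g') "
    case "$opts" in
        *" serveronly "*) echo no; return ;;        # client data is never reassembled
    esac
    # The port list is whatever follows the "ports" keyword; absent means default.
    ports=$(printf '%s\n' "$opts" | sed -n 's/.*[[:space:]]ports[[:space:]]*//p')
    : "${ports:=default}"
    case " $ports " in
        *" all "*)     echo yes; return ;;
        *" default "*) ports=$DEFAULT_PORTS ;;
    esac
    case " $ports " in
        *" $port "*) echo yes ;;
        *)           echo no ;;
    esac
}

# Constructed snort.conf fragments (not real site configs): the example port
# list as shipped, which omits 42, and the same directive with 42 appended.
WEAK_CONF=$(mktemp); FIXED_CONF=$(mktemp)
printf 'preprocessor stream4: detect_scans, disable_evasion_alerts\n' > "$WEAK_CONF"
printf 'preprocessor stream4_reassemble: both,ports %s\n' "$DEFAULT_PORTS" >> "$WEAK_CONF"
printf 'preprocessor stream4_reassemble: both,ports %s 42\n' "$DEFAULT_PORTS" > "$FIXED_CONF"

echo "shipped example list covers WINS (42): $(reassembles_port "$WEAK_CONF" 42)"   # no
echo "after adding port 42:                  $(reassembles_port "$FIXED_CONF" 42)"  # yes
```

A directive with no colon and no options falls back to the default list, so it reports "no" for port 42 as well.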

SQL Injection Worm example

If you are interested in learning more about worms that spread via SQL injection, check out Mike Murr's GCIH practical: http://www.giac.org/practical/GCIH/Michael_Murr_GCIH.pdf

Dave Litchfield has published a number of DB2 vulnerability advisories

http://www.nextgenss.com/advisory.htm
http://www.ngssoftware.com/advisories/db205012005A.txt
http://www.ngssoftware.com/advisories/db205012005B.txt
http://www.ngssoftware.com/advisories/db205012005C.txt
http://www.ngssoftware.com/advisories/db205012005D.txt
http://www.ngssoftware.com/advisories/db205012005E.txt
http://www.ngssoftware.com/advisories/db205012005F.txt
http://www.ngssoftware.com/advisories/db205012005G.txt
http://www.ngssoftware.com/advisories/db205012005H.txt
http://www.ngssoftware.com/advisories/db205012005I.txt

Odd port 53/TCP traffic

We have gotten a report of odd port 53/TCP traffic. If anyone else has seen this, please let us know.
Brian King reported:
"I first noticed them because they were setting off my SNORT signature #526 (BAD-TRAFFIC data in TCP SYN packet) http://www.snort.org/snort-db/sid.html?sid=526. This has been going on since the second week in December with a short Xmas break.
They all:
have my MYIPADDRESS:53 as destination (there is no nameserver there)
All have window size of 2048
All have TTL of 47-49
All have IP ID of 1-3
All have source ports 1027-2554
All packets are 64 bytes in size
There are many different source IP addresses
All source IP addresses except for 1 are administered by Savvis Communications
The other IP is administered by UUNet Global Hosting ( http://www.ripe.net/whois?form_type=simple&full_query_string=&searchtext=194.129.79.121 )
All TCP Packets have empty data
It always comes in waves of 12 packets
There are always 2 to 3 waves that are 3-4 hours apart
Each wave has 3 packets with a source address of 194.129.79.121."

USA National Response Plan

I still think "run in circles, scream and shout" is the best response, but if you're interested, this is the plan for the United States:
"The National Response Plan establishes a comprehensive all-hazards approach to enhance the ability of the United States to manage domestic incidents."
http://www.dhs.gov/dhspublic/interapp/editorial/editorial_0566.xml
http://www.dhs.gov/interweb/assetlibrary/NRP_FullText.pdf