SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-01-13

Trends in malware installers, Oddbob is back, .ANI file followup, and SMTP oddities redux.

Published: 2005-01-13
Last Updated: 2005-01-15 02:57:40 UTC
by Erik Fichtner (Version: 1)

Auto-executing spam installers via email

Jim Slora reported on the Intrusions list that malware installer emails are now
making use of an OBJECT tag vulnerability in MS Outlook. The vulnerability is
triggered when the malicious email is forwarded to another person and the
initial recipient uses Microsoft Word as their email editor. See
http://secunia.com/advisories/12041/ and
http://lists.sans.org/pipermail/intrusions/2005-January/008734.html

The malware will then be executed without warning (even on XP SP2) in the
local computer's trusted zone. There currently is no patch for this issue, so
please don't use Word as your email editor if you like to forward messages to
others!

Dipnet/Oddbob on the move again

We've received a number of reports of increased traffic on TCP ports 10758,
11768, and 15118, where the remote system would send a magic sequence of
"__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123" if it managed to connect to any
of those ports. The folks at LURHQ had a nice write-up of the malware
at http://www.lurhq.com/dipnet.html

.ANI file followup

Earlier this morning, VirusTotal http://www.virustotal.com/ showed that the
number one submission to their site was "Exploit.Win32.IMG-ANI", and it still
barely scrapes in at #10 on the seven-day trend. We hope that this is simply
all the friends that Tom made yesterday testing their PoCs against antivirus
products, but we can't be completely certain of that.

We encourage everyone to do what they can to block .ANI files from entering
their networks, and to make sure they've got the MS05-002 patch applied.

SMTP = Strange Mail Transfer Protocol?

One of our readers mentioned that they had seen some strange HTTP traffic to
their SMTP mail server on port 25, coming from a number of remote IP addresses.
While it could just be a brain-damaged vulnerability assessment tool running
amok, we all remember the incidents with IRC traffic being sent to SMTP
servers, and we're wondering if anyone else has seen any out-of-place HTTP
traffic to their mail servers in the past few days.
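As an added example (not code from the diary or from any of the tools it mentions), the Python below flags the two traffic patterns described above: the Dipnet/Oddbob magic sequence arriving on TCP ports 10758, 11768 and 15118, and HTTP request lines arriving on the SMTP port. The flow records and addresses are constructed, and it assumes a stray HTTP request begins with a standard request line.

```python
import re
from dataclasses import dataclass

# Magic sequence the Dipnet/Oddbob scanner sends once it connects (from the diary).
DIPNET_MAGIC = b"__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123"
DIPNET_PORTS = {10758, 11768, 15118}

# Shape of an HTTP request line; one of these on port 25 is out of place.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|OPTIONS|PUT|DELETE) \S+ HTTP/1\.[01]\r?\n")


@dataclass
class Flow:
    """One inbound TCP flow: source address, destination port, first client bytes."""
    src: str
    dport: int
    payload: bytes


def classify(flow: Flow) -> str:
    """Return 'dipnet-probe', 'http-on-smtp' or 'ok' for a single flow."""
    if flow.dport in DIPNET_PORTS and DIPNET_MAGIC in flow.payload:
        return "dipnet-probe"
    if flow.dport == 25 and HTTP_REQUEST_LINE.match(flow.payload):
        return "http-on-smtp"
    return "ok"


def triage(flows):
    """Map each verdict (other than 'ok') to the sorted unique source addresses."""
    hits = {}
    for f in flows:
        verdict = classify(f)
        if verdict != "ok":
            hits.setdefault(verdict, set()).add(f.src)
    return {k: sorted(v) for k, v in hits.items()}


# Constructed sample flows; addresses come from documentation ranges, not real sources.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", 10758, DIPNET_MAGIC + b"\r\n"),
    Flow("192.0.2.11", 15118, DIPNET_MAGIC),
    Flow("192.0.2.12", 11768, b"HELLO\r\n"),                      # right port, wrong payload
    Flow("198.51.100.5", 25, b"GET / HTTP/1.0\r\n\r\n"),          # HTTP where SMTP belongs
    Flow("198.51.100.6", 25, b"EHLO mail.example.net\r\n"),       # normal SMTP client
    Flow("198.51.100.7", 80, b"GET / HTTP/1.1\r\nHost: x\r\n"),   # HTTP where expected
]

if __name__ == "__main__":
    for verdict, sources in triage(SAMPLE_FLOWS).items():
        print(f"{verdict}: {', '.join(sources)}")
```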
