SANS ISC: InfoSec Handlers Diary Blog
Don's Halloween Trick

Published: 2005-10-30
Last Updated: 2005-10-30 21:15:56 UTC
by donald smith (Version: 1)
The links in my diary entries are not clickable. I am trying to make a point. If you want to visit the URLs in question, either type the URL or cut and paste it into a browser.

SANS offering TREATS too.

Published: 2005-10-30
Last Updated: 2005-10-30 18:55:30 UTC
by donald smith (Version: 1)
Would you like access to the next SANS Security Career survey results?
Survey: Information Security Career Advancement Survey now available.
Complete the survey by November 10 to receive a copy of the results.
http://survey.sans.org/phpsurveyor/index.php?sid=1


Sweet Treats from the Honeynet group.

Published: 2005-10-30
Last Updated: 2005-10-30 15:41:19 UTC
by donald smith (Version: 1)
The Honeynet Project and Research Alliance are pleased to announce the release of mwcollect v3.0.0 on http://www.mwcollect.org/.

Mwcollect is a distributed malware collector network. A mwcollect network is composed of one or more mwcollectd sensors, an optional database to store collected binaries, and optional redirect servers that forward specific ports to the mwcollectd sensors. Mwcollectd sensors simulate vulnerable services; spreading malware tries to exploit those services. The mwcollectd daemon then parses the exploit packets, searches them for shellcode, interprets the shellcode, and takes further actions to download the malware. The malware can then be submitted to a database or stored on the local filesystem. The redirect servers act as NATed gateways that forward specific ports to the mwcollectd servers, which provides greater IP address space coverage with fewer full-blown mwcollectd servers.
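To make the pipeline above concrete, here is a small added example (written for this diary, not code from the mwcollect project) that models the three roles the announcement describes: a redirect table standing in for the NATed gateways, a sensor-side step that pulls download URLs out of a captured payload, and a sample store that keeps each binary once on disk under its SHA-256 while logging every sighting in a sqlite index. The URL regex is an assumed simplification of what mwcollectd does by emulating the shellcode it finds; the payload, binary, host names and the `fetch` callable are all constructed for the example and nothing is fetched from the network.

```python
"""
Toy model of a malware-collector pipeline: redirect table -> sensor capture ->
URL extraction -> de-duplicated sample store. Added example, not mwcollect code.
"""
import hashlib
import re
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample payload, as a sensor might see it on a simulated service.
# Real mwcollectd emulates the shellcode; here only the embedded URL matters.
SAMPLE_PAYLOAD = b"\x90" * 16 + b"GET_THE_FILE ftp://203.0.113.7/pub/bot.exe\x00junk"
SAMPLE_BINARY = b"MZ" + bytes(range(64))  # constructed stand-in for a fetched file

# Assumed simplification: a plain regex for http/ftp/tftp download URLs.
URL_RE = re.compile(rb"(?:https?|ftp|tftp)://[\w.\-]+(?::\d+)?(?:/[\w.\-/%]*)?")

# Redirect servers modelled as a static table (assumed layout:
# listener port -> (sensor host, sensor port)); host names are placeholders.
REDIRECT_TABLE = {
    135: ("sensor-1.example.internal", 135),
    445: ("sensor-1.example.internal", 445),
}


def redirect_target(port, table=REDIRECT_TABLE):
    """Return the sensor a redirect server forwards this port to, or None."""
    return table.get(port)


def extract_download_urls(payload: bytes) -> list:
    """Pull unique candidate download URLs, in order, out of a captured payload."""
    found = []
    for m in URL_RE.finditer(payload):
        url = m.group(0).decode("ascii", "replace")
        if url not in found:
            found.append(url)
    return found


class SampleStore:
    """Keep each binary once on disk, named by SHA-256, plus a sqlite index
    of samples and of every sighting (which sensor saw which URL)."""

    def __init__(self, directory, db_path=":memory:"):
        self.directory = Path(directory)
        self.directory.mkdir(parents=True, exist_ok=True)
        self.db = sqlite3.connect(db_path)
        self.db.execute("CREATE TABLE IF NOT EXISTS samples (sha256 TEXT PRIMARY KEY, size INTEGER)")
        self.db.execute("CREATE TABLE IF NOT EXISTS sightings (sha256 TEXT, sensor TEXT, url TEXT)")

    def submit(self, data: bytes, sensor: str, url: str):
        """Store the binary if unseen; always record the sighting. Returns (digest, is_new)."""
        digest = hashlib.sha256(data).hexdigest()
        is_new = self.db.execute("SELECT 1 FROM samples WHERE sha256 = ?", (digest,)).fetchone() is None
        if is_new:
            (self.directory / digest).write_bytes(data)
            self.db.execute("INSERT INTO samples VALUES (?, ?)", (digest, len(data)))
        self.db.execute("INSERT INTO sightings VALUES (?, ?, ?)", (digest, sensor, url))
        self.db.commit()
        return digest, is_new

    def sighting_count(self, digest: str) -> int:
        return self.db.execute("SELECT COUNT(*) FROM sightings WHERE sha256 = ?", (digest,)).fetchone()[0]


def process_capture(store, sensor, payload, fetch):
    """Sensor-side pipeline: extract URLs, fetch each via fetch(url) -> bytes
    (an offline stub in this example) and submit the result to the store."""
    results = []
    for url in extract_download_urls(payload):
        data = fetch(url)
        if data:
            digest, is_new = store.submit(data, sensor, url)
            results.append((url, digest, is_new))
    return results


def run_demo():
    """Two sensors see the same payload: one stored binary, two sightings."""
    with tempfile.TemporaryDirectory() as tmp:
        store = SampleStore(tmp)
        fetch = lambda url: SAMPLE_BINARY  # constructed stand-in for a download
        first = process_capture(store, "sensor-1", SAMPLE_PAYLOAD, fetch)
        second = process_capture(store, "sensor-2", SAMPLE_PAYLOAD, fetch)
        digest = first[0][1]
        return {
            "url": first[0][0],
            "digest": digest,
            "first_new": first[0][2],
            "second_new": second[0][2],
            "sightings": store.sighting_count(digest),
            "files_on_disk": len(list(Path(tmp).iterdir())),
        }


if __name__ == "__main__":
    print(run_demo())
```

The split between `samples` and `sightings` is the point: a binary that hundreds of sensors capture is written once, but the per-sensor, per-URL record survives, which is what lets a collector answer "which hosts were pushing this sample, from where, and when" later.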

What's new?
The core has been completely rewritten. It is now even more modularized
and has proven to be very stable. Integration of libCURL for http/ftp
downloads is now threaded and therefore does not increase CPU usage.
Mwcollect v3.0.0 is much better suited for future extensions and is the
important step from the proof of concept that v2.x.x was to a mature
product. Mwcollect is now licensed under the GPL, (c) Honeynet Project.

Obtaining mwcollect
You can download a compressed .tar.bz2 source package from http://download.mwcollect.org/.


Microsoft attacks Zombie Masters.

Published: 2005-10-30
Last Updated: 2005-10-30 06:43:57 UTC
by donald smith (Version: 1)
If you're an average user, something like 50% of the spam you get comes from an infected home computer that has been turned into a spam zombie. These spam zombies are used by spammers to send spam without revealing their actual network address. The spammers provide the spam content to the zombies and the zombies send the spam to the victims.

From http://spamkings.oreilly.com/archives/2005/10/microsofts_decoy_zombie.html
Microsoft said it has filed "John Doe" lawsuits against the operators of 13 spam organizations that use illegal "zombie" computers to send their spam. The company held a press conference today with officials from the Federal Trade Commission to announce the lawsuits, filed in Washington State's King County court on August 17.
From an interview with Tim Cranton http://spamkings.oreilly.com/cranton.mp3

Microsoft has taken a new approach to security, in particular on the enforcement side. They took a clean computer and infected it with common malicious code. That code turned the computer into a spam zombie. A spam zombie is an Internet-connected computer that has been infected and checks in with the zombie controllers so they can tell it what to do. Microsoft documented 5 million connections used to send over 18 million spam messages in less than 3 weeks. This was just one computer. There are reported to be thousands of spam zombies out there. Microsoft cordoned their spam zombie off the net so it could not actually be used to send the spam. Microsoft filed a lawsuit and contacted ISPs to try to discover who is really sending the spam.

The SANS NewsBites newsletter has additional information on this.
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=7&issue=48
 

Reminder: Daylight Savings Ends Sunday At 02:00

Published: 2005-10-30
Last Updated: 2005-10-30 02:15:08 UTC
by David Goldsmith (Version: 1)
A reminder for everyone in the US that Daylight Savings ends tonight (or early tomorrow morning -- depending how late you stay up ;) ) at 02:00 AM.  Remember to set your clocks back.