
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-12-17 InfoSec Handlers Diary Blog



Artemis Project's N-Eye

Published: 2005-12-17
Last Updated: 2005-12-17 18:22:12 UTC
by Kevin Liston (Version: 1)
0 comment(s)
While checking out the Chinese Honeynet Project, I happened upon their tool N-Eye:
http://www.honeynet.org.cn/honeyneten/Tool.htm

It looks fun.

On Dasher

Published: 2005-12-17
Last Updated: 2005-12-17 18:09:03 UTC
by Kevin Liston (Version: 1)
0 comment(s)

Despite efforts to cut off the distribution points (http://www.honeynet.org.cn/honeyneten/index.htm), new versions of Dasher continue to pop up. Symantec identified Dasher.C yesterday, which added an anti-security-software payload (your typical disable-anti-virus-and-firewall type of gig). New versions with new distribution points and signature-evasion changes continue to come out. Before you ask "which ones don't detect it?": right now, it's most of them. In a few hours, I hope that list to be much shorter.

It would be simply swell if the AV developers would write sigs for the samples that we're sending them.  I know it's a weekend... but I'm working.

So, why is Dasher "finding legs," or why is it successful?

To answer that, we have to ask Microsoft: why are services listening on ephemeral ports?  Or, why are some filtering/firewall strategies blocking only 1024 and below?


Overall, the response procedure appears to be working. The 1025/TCP scans were detected, packets were gathered, the vector was identified, examples of the code were captured, and command-and-control points were neutralized. Everything went according to plan, just not as quickly as I hoped.

Now, I'm waiting for Prancer.

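The two points in the post above, that the 1025/TCP scans were the first thing the response procedure caught and that a filter which stops at port 1024 leaves 1025 wide open, can be shown together in a few lines of detection logic. The following is an added example written for this page, not code from the ISC handlers or from any honeynet project. The log layout (date, time, action, protocol, src:sport, dst:dport) is an assumed simplified format, the log lines are constructed for the example, and the threshold of five distinct targets is an arbitrary choice.

```python
"""Spot TCP/1025 sweeps in a connection log (added example, not ISC's code)."""
import re
from collections import defaultdict

# Constructed sample log in a simplified "date time action proto src:sport dst:dport"
# layout. Invented for this example; not ISC, honeynet or vendor data.
# The policy behind it only filters ports 1024 and below, so attempts on 1025
# are logged as ALLOW: the scan is visible in the log even though it got through.
SAMPLE_LOG = """\
2005-12-17 03:01:02 ALLOW TCP 10.0.0.5:3412 192.168.1.10:1025
2005-12-17 03:01:02 ALLOW TCP 10.0.0.5:3413 192.168.1.11:1025
2005-12-17 03:01:03 ALLOW TCP 10.0.0.5:3414 192.168.1.12:1025
2005-12-17 03:01:03 ALLOW TCP 10.0.0.5:3415 192.168.1.13:1025
2005-12-17 03:01:04 ALLOW TCP 10.0.0.5:3416 192.168.1.14:1025
2005-12-17 03:01:05 DROP TCP 10.0.0.7:2001 192.168.1.10:445
2005-12-17 03:01:06 ALLOW TCP 10.0.0.8:4000 192.168.1.10:1025
2005-12-17 03:01:07 ALLOW TCP 10.0.0.8:4001 192.168.1.10:1025
"""

# Assumed log format; adjust the pattern to whatever your firewall actually writes.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_port_sweeps(log_text, port=1025, min_targets=5):
    """Return {src: sorted distinct dst hosts} for every source that touched
    `port` on at least `min_targets` distinct hosts.

    Distinct destinations, not raw connection count, separate a sweep from a
    client retrying one server (10.0.0.8 in the sample).  The action field is
    ignored on purpose: when the edge filter stops at 1024 the sweep shows up
    as ALLOW, and it is exactly the allowed attempts that matter.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != port:
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_port_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept TCP/{1025} on {len(dsts)} hosts: {', '.join(dsts)}")
```

On the constructed log only 10.0.0.5 is flagged; 10.0.0.8 made two attempts at a single host and is left alone. The same function run with `port=445` or a different threshold covers other sweeps, and the lesson of the ALLOW lines stands: if the filter policy ends at 1024, detection is the only warning you get before the RPC service on 1025 is hit.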

Visualization of Dasher worm

Published: 2005-12-17
Last Updated: 2005-12-17 05:14:59 UTC
by Kyle Haugsness (Version: 2)
0 comment(s)
The honeynet folks sent us a link to their research on the MSDTC exploit that is attacking TCP port 1025 (the Dasher worms).  This is very interesting stuff, especially if you like statistical analysis:
http://www.philippinehoneynet.org/dataarchive.php?date=2005-12-13

UPDATE: the bandwidth for philippinehoneynet.org has been exceeded.  Does anyone have a mirror to offer?
