Last Updated: 2006-01-15 03:54:57 UTC
by Johannes Ullrich (Version: 1)
Visiting an IRC server used to control bots, the following message made perfect sense in that respect:
*** Topic for #-sd-bot: $xscan asn139
200 5 0 217.x.x.x -r -s
*** #-sd-bot burt0n 1137203776
*** #-sd-bot 1136645024
The channel used to control the bots, '#-sd-bot', is using a standard command to instruct its members to scan an IP range for a particular vulnerability. On the other hand, if a human should connect to the host and issue a '/list' command to find out about channels on that server, the following message is displayed:
*** Channel Users Topic
*** #help 1 IF YOU ARE HERE ITS
BECAUSE I MIGHT HAVE
INFECTED ONE OF YOUR MACHINES, DONT WORRY
NOTHING IS GONNA BE HARMED
WITH THE DRONES, FOR FURTHER INFORMATION
ON REMOVALS PLS VISIT -
WWW . NORTONANTIVIRUSES . COM -
OR LEAVE A MSG KTHX.
We do not know if the owner of 'Nortonantiviruses.com' is actually associated with the bot channel. But the site is not a legit Symantec/Norton site. Instead, its "placeholder" site collecting referral fees. Its whois registration is anonymous. The referral site does not appear to be malicious.
This is just a logical evolution of the current bot business. Like any business, the operators try to maximize the revenue they receive from a customer. If a customer found out that they are infected, and is visiting the bot server to find out more, they may as well try to get a cut on the cleanup revenue which would otherwise be lost.
This was posted to the 'funsec' list a while ago:
"So he changed his topic:
-:- Topic (#help): changed by burt0n: IF YOU ARE HERE ITS BECAUSE I MIGHT HAVE INFECTED ONE OF YOUR MACHINES, DONT WORRY NOTHING IS GONNA BE HARMED WITH THE DRONES, FOR FURTHER INFORMATION ON REMOVALS PLS VISIT -
WWW.SYMANTEC.COM - OR LEAVE A MSG KTHX.
....however, I guess he didn't like the exposure...after a few hours:
-:- SignOff burt0n: #help (User has been permanently banned from burt0n.IRC
-:- BitchX: Servers exhausted. Restarting.
Cool if things work out "right" sometimes.
We also got this message via our contact form signed 'burt0n':
Hmmm... So maybe just a good ol' dumb script kiddie? Why did he infect the systems in the first place? The message was posted from a Sympatico IP address in Canada.
Last Updated: 2006-01-14 05:57:28 UTC
by Swa Frantzen (Version: 3)
We got a call from TippingPoint, stating that in their opinion this is not a "DoS", but a "high load" issue.
For more details we'd like to urge customers to contact TippingPoint directly. They are working on a patch and advisory which should be available shortly.
Edit: We've received a report that TippingPoint has now released a patch for this issue. The patch version is TOS 126.96.36.19924.
Last Updated: 2006-01-14 02:11:18 UTC
by Swa Frantzen (Version: 1)
iTunesAccusations of the software's main new feature calling home with track and artist names of the files you play. Now of course that's needed to show related albums for you to buy, but there are a number of questions remaining open. Till then, perhaps it's better not to have the call home feature if you value privacy or just have too many mp3s ...
- Apple howto.
QuickTimeI have the original upgrade myself and no problem so far, but aparantly Apple has recalled it. And they also seem to have published it again. Bottom line: I'm confused. Take care with not updating QuickTime to 7.0.4. as it did patch 8 vulnerabilities. Perhaps that silly joke movie can wait a little longer than getting exploited.
Of course if you produce movies quicktime's functionality might be more important than the security of your browser on the Internet and your risks might be different.
- For general users, I would urge not to downgrade as you'll have the vulnerabilities back. Moreover the problems seem to be not that clear. I'm running the initial Quicktime 7.0.4 uprade and it works just fine.
- Still the uninstaller is here should you not be able to continue without the old version.
Before some think I love Apple for all they do: I don't, but that's another story.