
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-01-20



Periodic reminder of best practices for cleaning up after infection.

Published: 2006-01-20
Last Updated: 2006-01-21 05:09:28 UTC
by Jim Clausing (Version: 1)
Well, it was a rather quiet day at the ol' Storm Center today.  We did, however, get an e-mail similar to ones we get rather frequently, and it is probably worth talking about again.  This e-mail was from an admin who had 50 machines infected with a particularly nasty worm; their A/V vendor told them it had no way to clean out the infection.  We've written on the subject on multiple occasions in the past, so I won't go over all of the rationale again (see the links below).  The short answer, though, is that once you've been infected by malware that installs a backdoor or connects to a botnet, simply cleaning up the initial infection (and the hole through which the infection occurred) isn't sufficient, because you can't be sure what secondary infections you may also have.  Although most people don't want to hear it, at this point your best bet is to nuke the machine and reinstall (and patch) from scratch.

Here are some of the stories we did on the subject in the past.

http://isc.sans.org/diary.php?date=2004-05-16 by Pat Nolan and
http://isc.sans.org/diary.php?date=2004-05-03 by yours truly.

------------------------
Jim Clausing, jclausing ++at++ isc.sans.org

More on Blackmal/Grew/Nyxem (file deletion payload)

Published: 2006-01-20
Last Updated: 2006-01-21 05:06:05 UTC
by Jim Clausing (Version: 1)
Following up on Bojan's story from Wednesday, F-Secure posted a bulletin today with their analysis of the current variant.  The interesting (or is it scary?) part of this analysis is the revelation that on the 3rd of the month it will attempt to delete a lot of documents off the user's disks, including Office documents (*.doc, *.xls, *.ppt, *.pps), PDF files, .zip and .rar archives among others.  They also report that based on a counter on a web page that the worm updates, there are in excess of 400,000 machines infected at this time.

-----------------
Jim Clausing, jclausing /at/ isc.sans.org

Symbian operating system - Nokia series 60 mobile phones - 3 new Trojans

Published: 2006-01-20
Last Updated: 2006-01-20 14:39:15 UTC
by Deborah Hale (Version: 2)
For those of you with the Nokia Series 60 phones I have some bad news.  Symantec today posted details of 3 newly identified trojans that affect your phone's operating system.

SymbOS.Sendtool.A - The Trojan horse drops a hacktool that can be used to send malicious programs, such as variants of the SymbOS.PBStealer family of Trojans, to other mobile devices via Bluetooth.

SymbOS.Pbstealer.D - The Trojan sends the user's contact information database, Notepad, and Calendar To Do list to other Bluetooth-enabled devices.

SymbOS.Bootton.E - A Trojan horse that restarts the mobile device when executed. However, as it also drops corrupted components, the device is unable to restart.

While looking at this information, I discovered that this particular phone OS has been hit several times in the last 2 years by trojan-like programs.  I can't find anything on the Nokia site that indicates that a patch is available.  I wonder if it isn't time for Nokia to take a serious look at fixing the problem?  Especially since one of these new ones allows someone with another Bluetooth device to steal the user's information.

What about it Nokia?  For those of you that own these devices, what are you doing to protect your phone?


Updating Information on this item:

We received an email today from CJ with some really good information.  I am including the information in its entirety.  CJ has already dealt with this issue and can lend some valuable assistance.

CJ's E-Mail

Nokia does put out updates to the Symbian OS; however, at this time, to get the upgrades in the US you have to either send the phone back to the main Service Center or find an authorized Dealer/Service Center. It is not as easily said as done, especially in my case. I have the Nokia 9300 and it was not sold in the US until recently. Because of this, the Dealer Service centers in the Boston and NYC areas would not handle it. I did find a web site that helps with finding Service/Dealers that can upgrade you, however not under the Nokia warranty. (In other words, they charge a fee.) It is http://www dot howardforums dot com/. Here you can get help/information on any mobile phone ranging from normal operation to unlocking. Also, for the Nokia phones, I have found that Warlox Wireless Accessories (www dot iunlock dot com) does very reliable work. Outside the US, it is a different case, as most Dealers are registered Service Centers and do all the warranty work in their shops.

Another quick note. When talking to Nokia recently, the tech related to me that Nokia will be eventually enabling their Nokia PC Suite to do the upgrades on their higher end phones. He did not say when.

Regards,

CJ

