Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Malware Analysis Quiz 7!

Published: 2006-11-03
Last Updated: 2006-11-04 11:11:46 UTC
by Pedro Bueno (Version: 1)
0 comment(s)
Well, it is time for another malware analysis quiz! This time, I put a more advanced one, which I hope that you like it!:) Answers should be submitted until November 30th. Check it out right now! (btw, the zip password is 'infected').
0 comment(s), are you awake?

Published: 2006-11-03
Last Updated: 2006-11-03 18:40:22 UTC
by Joel Esler (Version: 3)
0 comment(s)
A reader wrote in and asked us if we could get to, the antivirus vendor.  We can't get there either.

We have watched their DNS lookup change from IP to IP.  So they may be doing some updating just now.  We'll keep an eye on it.

Update #1 -- Kaspersky pinged us.  They are awake... :)   They are aware of the problem and are working on it.  Thanks for getting back to us!

Update #2 -- Kaspersky tells us that this does NOT affect updates.  Only the websites.

Update #3 -- Kaspersky is back up as of 13:08 EST. -- Thanks Jim!
0 comment(s)

Call for packets TCP/UDP port 48318

Published: 2006-11-03
Last Updated: 2006-11-03 18:37:47 UTC
by Joel Esler (Version: 1)
0 comment(s)

One of our readers wrote in to tell us that they are experiencing alot of traffic on TCP port 48318.  They even sent us a pcap of the traffic so we could take a look.  Unfortunately the pcap only contained inbound SYN packets, and outbound RST packets.  

The Source IP's were from totally different countries, and unique in makeup.  Some packets could be from Windows Machines, (judging from TTL, options..etc) and some don't appear to be.

Taking a look at our port graph here...

Clearly we have something going on.

So we need some packets.  Don?t bother sending us just SYN packets, we?re going to need at least some 3 way-handshake stuff. 

Now.  We are NOT telling you to allow this port through the firewall, lets just get that straight.  But if you were in an operational environment where you may be allowed to get us a dump of the traffic with PERMISSION, then that would be great.

Joel Esler

0 comment(s)

New OS X PoC virus

Published: 2006-11-03
Last Updated: 2006-11-03 14:17:34 UTC
by Swa Frantzen (Version: 3)
0 comment(s)

There is again a Proof of Concept Virus for Mac OS X. To be honest the virus is no big deal in itself. But it is yet another warning for a lot of parties involved.

As we said before the ability to have viruses and all sorts of other malware is inherently available in all modern operating systems, Mac, Linux, BSD, ... included.

It is a warning to get antivirus protection for those Macs, even if the shopkeeper told you you do not need it, even if there are no viruses in the wild today, even if it's hard to buy it, and even if the antivirus vendors seem not to know what they talk about like in the image below (highlights are mine):

I'm sure it's just a template problem, but a problem nonetheless.

Yet, it is still your responsability to make sure you do not spread malware (even if you might not be vulnerable to it yourself).
And when (not if) a really bad one hits you or your company it's better to be ready and have a framework to distribute signatures ready than to have to start shopping, get a budget, get purchase to order it, roll it out, ... after you got hit. It is a lot easier to do before you get hit.

So Apple, Apple shopkeepers, antivirus vendors and Mac users, PLEASE get a decent framework in place and please be aware there is no magic shield preventing malware on a Mac (or any other modern platform).

- I writing this on my Mac, and I love my Macs.
- Thanks to Juha-Matti for pointing out the PoC.

Swa Frantzen -- Section 66
0 comment(s)
Diary Archives