
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-02-08



Where is Cameroon?

Published: 2007-02-08
Last Updated: 2007-02-08 22:19:44 UTC
by Daniel Wesemann (Version: 2)
Where Cameroon is?  Well, only a small typo away!  A reader today alerted us to the fact that "google.cm" is not your trusty search engine, but rather ... something else. Currently, the link leads to kind of a mock-up of a search tool named "Agoga" that appears to make money from displaying paid-for ad content. On first sight, we didn't find anything malicious lurking on the Agoga pages, but this could well change anytime (meaning: go there at your own risk).  In fact, and surprisingly enough, everything dot-cm ends up on that selfsame site. Yes, the Cameroon registry is running a DNS wildcard right at the top level domain (TLD). Think phisher's paradise -- onlinebank.cm, myspace.cm, paypal.cm, anyone?   If you haven't got legitimate business with firms in Cameroon, you might want to consider making your internal DNS server authoritative for .cm and returning 127.0.0.1 until the Cameroon registry deigns to rectify this sorry state of affairs.  Agoga.com seems to be owned by a company "Netview Inc" in Vancouver, BC.

Update 22:14 UTC: James wrote in to remind us that in the "good" old days when Verisign also used to return wildcard answers for their TLDs, Russ Nelson had written a patch for TinyDNS which allows one to dev-null wildcard results a bit more selectively than my above suggestion of making your DNS authoritative for all of dot-cm.  If you are running TinyDNS, the patch is still at http://tinydns.org/djbdns-1.05-ignoreip2.patch
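As an added example (not part of the diary), here is the TLD wildcard check and the sinkhole zone this entry describes: random labels are resolved under the TLD and, if they all come back with the same address, a BIND-style zone returning 127.0.0.1 is generated. The resolver is injected so it runs offline against a constructed stand-in for the .cm behaviour; the 192.0.2.10 address and the ns.cm name are made up.

```python
import random
import string
from typing import Callable, Optional, Set

# A resolver maps a name to its set of A records; an empty set means NXDOMAIN.
Resolver = Callable[[str], Set[str]]


def random_label(n: int = 20, rng: Optional[random.Random] = None) -> str:
    """Return a random lowercase label that is very unlikely to be registered."""
    rng = rng or random.Random()
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(n))


def detect_tld_wildcard(tld: str, resolve: Resolver, probes: int = 3,
                        rng: Optional[random.Random] = None) -> Optional[Set[str]]:
    """Return the wildcard address set if every random label under `tld`
    resolves to the same non-empty set; return None otherwise."""
    seen: Optional[Set[str]] = None
    for _ in range(probes):
        answers = resolve(f"{random_label(rng=rng)}.{tld}")
        if not answers:            # genuine NXDOMAIN: no wildcard at the TLD
            return None
        if seen is None:
            seen = set(answers)
        elif answers != seen:      # answers vary: not a plain wildcard
            return None
    return seen


def sinkhole_zone(tld: str, target: str = "127.0.0.1") -> str:
    """BIND-style zone text that makes a resolver authoritative for `tld`
    and answers every name under it with `target`, as the diary suggests.
    The ns.<tld> server name is a placeholder chosen here."""
    return "\n".join([
        "$TTL 3600",
        f"{tld}. IN SOA ns.{tld}. hostmaster.{tld}. 1 3600 900 604800 300",
        f"{tld}. IN NS ns.{tld}.",
        f"ns.{tld}. IN A {target}",
        f"*.{tld}. IN A {target}",
        "",
    ])


# Constructed stand-in for the 2007 situation: every *.cm name resolves to
# one made-up host, while junk labels under .com get NXDOMAIN.
def fake_resolver(name: str) -> Set[str]:
    return {"192.0.2.10"} if name.endswith(".cm") else set()


if __name__ == "__main__":
    hit = detect_tld_wildcard("cm", fake_resolver)
    print(sinkhole_zone("cm") if hit else "no wildcard detected")
```

To probe a live TLD, pass a real lookup such as a wrapper around socket.gethostbyname_ex in place of fake_resolver.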

Happy Patch Tuesday ahead

Published: 2007-02-08
Last Updated: 2007-02-08 19:13:30 UTC
by Daniel Wesemann (Version: 1)
Microsoft Patch Tuesday is coming up, and we'll get a bounty again this time. Twelve patches in total, with most of them rated at a lofty "critical" as usual. Yum.

New MSN worm in Asia

Published: 2007-02-08
Last Updated: 2007-02-08 13:19:50 UTC
by Daniel Wesemann (Version: 1)
Thomas writes in to report a new worm making the rounds over MSN in Asia.  The message content is something like "Heeey! I found a picture of you online, take a look".  Sites implicated so far (where the binary comes from) are viotagallery-dot-com and modelosunica-dot-com.  AV coverage is still leaky.

TrendMicro Anti-Virus vulnerability

Published: 2007-02-08
Last Updated: 2007-02-08 10:03:52 UTC
by Daniel Wesemann (Version: 1)

A buffer overflow vulnerability in the UPX parser of TrendMicro Antivirus seems to affect the product in pretty much all its incarnations. See esupport.trendmicro.com/support/viewxml.do   According to this, applying the latest pattern is sufficient to plug the problem until a new version of the engine (8.5) gets released.  Chances are though that the trend (no pun intended) will continue that AV products themselves contain the same type of vulnerabilities they claim to shield other software against. Quis custodiet ipsos custodes?