We need your help: VA Tech Domains

Published: 2007-04-19
Last Updated: 2007-04-21 18:36:17 UTC
by Johannes Ullrich (Version: 5)
0 comment(s)
Even faster then for Hurricane Katrina, new domains are registered for the VA Tech shootings. Some of them are used for benevolent purposes. However, a good share of them are parked for auction and even used for fraudulent donations.

We setup a page with about 450 different domain names that look suspect. If you have a few minutes, help us to categorize the domains. You need to log in (so we can prevent bad input).

For details, see http://isc.sans.org/domaincheck.html
(Update 0900UTC Thank you for your help - we had all domains checked in record time!)
(Update 1430UTC Of course the above 450 wasn't the end of it. We just found a handful more that need checking out. Your help is greatly appreciated!)
(Update Saturday, 1800UTC: Another 97 suspect domains just arrived. If you got some time, please take a look).

Quickest way to work through them:

- log in
- goto isc.sans.org/domaincheck.html
- click "modify" next to a random domain.
- the domains info will now show up
- click 'whois' in the form. A new window/tab will open with whois information
- keep another window open to visit the domain if necessary.

Done forget to add a note with details. thanks!!!

If you would like to help the victims: VA Tech setup a site here:

Quick unrelated update: We are also seeing spam that contains malware advertising itself as a video clip of the event.
0 comment(s)

Malware Soup du Jour

Published: 2007-04-19
Last Updated: 2007-04-19 21:11:26 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
As an avid reader of this diary, you know of course that things are not always what they appear to be. As was the case with a user today, who after hitting a convoluted set of exploit files ended up where his browser tried to download files from us6-redhat520-com. No, this isn't RedHat Inc. And no, the HTMs coming from there are not HTMs but EXEs in disguise. In the meantime, the more nimble of the AV vendors even came up with names for the critter:  Backdoor.Generic.U (McAfee) and Troj_Agent.PUE (Trend).  The hoster of the site has been informed, the owner of the domain and site seems to be located in China.

In other cases, though, things sometimes are what they appear to be. While today investigating a malware sample coming from, I noticed that in the past month we had analyzed almost a dozen samples coming from the same address range. Good enough an indication for me that putting this address range "off limits" for my systems is time well invested. The address range is located in Moscow, Russia, so unless your users are located there or do a lot of business with Moscow, chances are small that blocking the entire address range will have side effects.
0 comment(s)

Apple Security Announcement 2007-004

Published: 2007-04-19
Last Updated: 2007-04-19 20:42:32 UTC
by Scott Fendley (Version: 1)
0 comment(s)
Apple Computers released an update which addresses a number of security issues in the Mac OS X and OS X Server systems.  This announcement is available at Security Update 2007-004 .  There are about 25 separate vulnerabilities that are addressed which range from remote attackers causing denial of service attacks all the way to local users having some form of escalation of privileges.  Most of these updates are quite serious and should be reviewed and applied appropriately as allowed by your local patch testing and management policies.

The updates can be applied via the Software Update icon in the apple menu, or downloading and installing the appropriate update available from Apple Support Downloads site.

Scott Fendley
ISC Handler
0 comment(s)
Diary Archives