Port 20168, Windows Update Virus.

Published: 2003-12-11
Last Updated: 2003-12-12 05:22:30 UTC
by Handlers (Version: 1)
0 comment(s)

(our mail server was removed from spamcops blocklist as of this afternoon. Mail should be flowing again. Thanks for everyone's patience. If you have any issues, please notify noc_at_sans.org )

Port 20168 Traffic

Given a recent discussion on our Intrusions list, spikes in traffic to this port can be attributed to a worm which uses this port for tftp file transfers of the worm code. If you see excessive traffic on this port, you may have an infected system on your network.

Windows Update Virus

We received several reports about a new version of a Windows update virus. Like previous similar viruses, this one claims to come from Microsoft and includes a zip file users are asked to execute. In particular as many filters do not strip zip files, you may remind users that Microsoft will never distribute patches via e-mail.

Internet Explorer URL obfuscation

A somewhat more advanced version of URL obfuscation in Internet Explorer is actively used in 'phishing' e-mails. See yesterdays webcast slides for details.
http://www.sans.org/webcasts/show.php?webcastid=90481 . The vulnerability
uses non-printable characters to hide the real URL. Instead, the user will only see the username/password part, which may look like a valid URL. E.g.:

A sample can be found at http://www.zapthedingbat.com

While this exploit will not execute any code, it is easily used to aid in cognitive hacking. These prefixes can be used with secure sites as well
(e.g. like in
https://somefakebankingsite.com%01@store.sans.org/index.php )
Ports of Interest

* Small spike in 554 (RealServer). Looks like a small number of sources performing widespread scans for vulnerable Real Servers. We are seeing this ever since the release of a related exploit.

* Port 53 shows the onset of another widespread scanning cycle from multiple sources. This is expected to resemble the traffic from 2 weeks ago.

* Port 25 shows an increase in number of sources scanning for it. Maybe a trojaned botherd looking for open relays
Please use your contact form at http://isc.sans.org/contact.html for feedback.

0 comment(s)


Diary Archives