Beagle Virus Exploit
====================

Versions of the 'Beagle' (aka Bagle) virus open a back door on port 2745 (TCP). We are monitoring increased scanning activity for this port. Today, a reader submitted a tool that is used to scan for Beagle-infected systems. If the tool finds port 2745 open, it sends the 'magic string' that opens the backdoor. Next, a URL is sent to the system. The Bagle-infected system will attempt to download the content of the URL and execute it.

Sample session (using a netcat listener):

1. Establish TCP connection to port 2745
2. Send "exploit buffer"
3. 'reply' from infected host (just 'CR' in this case)
4. send URL for download
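The exchange above can be turned into a low-interaction honeypot that impersonates an infected host on TCP 2745, answers the 'exploit buffer' with a single CR as observed in the session, and records the URL the scanner pushes next. This is an added example, not code from the diary or from the submitted tool; it does not know or check the actual magic string (the diary does not print it), so it accepts whatever the first message is. The sample bytes in the test are constructed, and the URL in them is a placeholder.

```python
"""Low-interaction honeypot for the Bagle/Beagle TCP 2745 backdoor.

Added example (not from the ISC diary). Mimics the four-step exchange:
  1. scanner connects to 2745
  2. scanner sends the 'exploit buffer' (magic string; not verified here)
  3. fake host replies with a lone CR, as the diary's netcat session showed
  4. scanner sends a URL; the honeypot logs it instead of fetching it
"""
import re
import socket
import threading
from dataclasses import dataclass
from typing import List, Optional

CR = b"\r"
# Accept http/https/ftp URLs; stop at whitespace or NUL so trailing CRLF is dropped.
URL_RE = re.compile(rb"(?i)\b(?:https?|ftp)://[^\s\x00]+")


@dataclass
class BagleSession:
    """State machine for one scanner connection. Pure, so it can be tested offline."""
    exploit_buffer: bytes = b""
    url: Optional[str] = None
    _stage: int = 0  # 0 = expecting exploit buffer, 1 = expecting URL, 2 = done

    def feed(self, data: bytes) -> bytes:
        """Consume bytes from the scanner; return what the fake host should send back."""
        if self._stage == 0:
            self.exploit_buffer = data      # keep the raw buffer for later analysis
            self._stage = 1
            return CR                       # the infected host's observed reply: just CR
        if self._stage == 1:
            m = URL_RE.search(data)
            self.url = m.group(0).decode("latin-1") if m else None
            self._stage = 2
        return b""                          # a real victim would now download the URL

    @property
    def done(self) -> bool:
        return self._stage == 2


def handle_client(conn: socket.socket, addr, log: List[BagleSession]) -> None:
    """Drive one connection through the state machine and append it to the log."""
    sess = BagleSession()
    conn.settimeout(10)
    try:
        while not sess.done:
            data = conn.recv(4096)
            if not data:
                break
            reply = sess.feed(data)
            if reply:
                conn.sendall(reply)
    except socket.timeout:
        pass
    finally:
        conn.close()
    log.append(sess)
    print(f"[2745] {addr[0]} sent {len(sess.exploit_buffer)}-byte buffer; url={sess.url!r}")


def serve(bind: str = "0.0.0.0", port: int = 2745,
          log: Optional[List[BagleSession]] = None) -> None:
    """Listen like an infected host. Run this on a sensor, never on a machine that matters."""
    log = [] if log is None else log
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(16)
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle_client, args=(conn, addr, log),
                             daemon=True).start()


if __name__ == "__main__":
    serve()
```

The captured URLs are the useful output: they point at the payload hosting sites, which is what you want to block at the proxy and hand to the abuse contact. Because the honeypot never fetches the URL, it is safe to leave running; the only risk is that a scanner notices the missing second-stage behaviour.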
Mailbag: Port 12345 scans
=========================

A user submitted logs showing large numbers of scans against port 12345 (TCP). This port is commonly associated with the trojan 'Netbus' and other malware. The log did not indicate a new tool but rather appears to show a number of sequential connect scans.

Ports in focus: 1026
====================

Scans for port 1026 appear to be increasing again over the last couple of weeks. According to some reports, this is due to popup spam, which now relies more on compromised systems as its origin.

http://isc.sans.org/port_details.html?port=1026

In the past, only a small number of sources originated this traffic.

SSL "NULL" Encryption (Errata)
==============================

An earlier diary ( http://isc.sans.org/diary.html?date=04-03-04 ) quoted Dr. Neal Krawetz of Secure Science Corporation as saying:

"One of the SSL encoding methods is "plain text". Most SSL servers have this disabled by default, but most browsers support it. When plain text is used, no central certificate authority is consulted and the user never sees a message asking if a certificate should be accepted (because "plain text" doesn't use certificates). Keeping that in mind, the little lock icon may not even indicate an encrypted channel. The little lock only indicates an SSL connection."

Prompted by reader feedback, we did our own experiments, limiting an Apache 1.3 server to 'NULL' encryption. We were not able to reproduce this issue with any recent browser. Mozilla, in its default configuration, pops up an error dialog stating that no common cipher could be found. If the 'null'/'plain text' encryption is specifically enabled, the page will load, but the certificate will still be validated and any errors will be communicated to the user (a NULL cipher suite only disables the bulk encryption; the handshake, including server certificate authentication, is unchanged). Microsoft Internet Explorer shows a generic error page; it does not appear to be possible in MSIE 6 to enable 'NULL' encryption.
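The browser-side finding above leaves the server-side question open: does your own server offer a NULL cipher at all? The check below is an added example, not code from the diary; it shells out to `openssl s_client -cipher NULL` (an existing s_client option; `NULL` is OpenSSL's alias for the encryption-less suites) and reads the `Cipher :` line of its output. The parser works offline on captured s_client output, and the sample output in the test is constructed.

```python
"""Does a TLS/SSL server negotiate a NULL (no encryption) cipher?

Added example (not from the ISC diary). The diary restricted an Apache 1.3
server to NULL encryption to test browsers; this script asks the opposite
question of a live server by offering only NULL suites and seeing what comes back.
"""
import re
import subprocess
from typing import Optional

# s_client prints the agreed suite as '    Cipher    : NAME' in the SSL-Session block.
CIPHER_LINE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.MULTILINE)


def negotiated_cipher(s_client_output: str) -> Optional[str]:
    """Return the cipher name from openssl s_client output, or None if no handshake."""
    m = CIPHER_LINE.search(s_client_output)
    if not m:
        return None
    name = m.group(1)
    # OpenSSL prints '(NONE)' or '0000' when no cipher was agreed.
    return None if name in ("(NONE)", "0000") else name


def cipher_is_null(name: str) -> bool:
    """True for encryption-less suites.

    Covers OpenSSL names with a NULL component (NULL-SHA, ECDHE-RSA-NULL-SHA)
    and IANA names with _NULL_ (TLS_RSA_WITH_NULL_SHA). Anonymous suites
    (aNULL / _anon_) are a different weakness and are not flagged here.
    """
    u = name.upper()
    return "NULL" in u.split("-") or "_NULL_" in u


def server_offers_null(host: str, port: int = 443, timeout: float = 10.0) -> bool:
    """Offer only NULL suites; if the server picks one, it serves plaintext 'SSL'.

    A local openssl built without NULL suites cannot run this probe: s_client
    then fails before connecting, no Cipher line is printed, and we return False.
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", "NULL"]
    try:
        proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False
    name = negotiated_cipher(proc.stdout.decode("latin-1", errors="replace"))
    return name is not None and cipher_is_null(name)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(f"{target}: NULL cipher offered = {server_offers_null(target)}")
```

If the probe comes back True, the fix on the Apache side is the cipher list, for example `SSLCipherSuite HIGH:!aNULL:!eNULL` (the `!eNULL` term is what removes the plaintext suites). Note that a client that cannot be talked into NULL, as the diary found for Mozilla and MSIE, protects its own users only; a server that still offers NULL remains a problem for every other client.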
---------------------------------------------
Johannes Ullrich, jullrich_AT_sans.org
ISC Handler, Mar 30th 2004