
SANS ISC: German spam source found, Real services vulnerability

We have had one report of a user receiving traffic on multicast addresses with a negative source port and a destination port of 4. Some
firewalls translate the source port to 0. We are interested in anyone else
seeing similar traffic, and in packet traces of it.

The source of the German right-wing spam making its rounds on the Internet
over the last few days has been identified as a variant of the Sober worm. It
is identified by a file called datacrypt.exe, which is launched from the registry key
HKLM/software/microsoft/windows/currentversion/run/. The infection
method is the same as Sober.G. On start-up it connects to a time server
in Berlin and then begins to send email messages.

Reports are being received of vulnerabilities in RealPlayer services.
You may wish to block, on your firewalls, the ports listed below that the RealPlayer
services use. That will not completely mitigate this
vulnerability, since it can also be triggered by downloading (via HTTP, FTP, ...)
a RealPlayer movie and playing it locally. I would recommend that, until
RealPlayer is patched on any vulnerable system, you disable
RealPlayer as the default application for opening .RA, .RM, .RV or
.RMJ files. In XP you can do that by browsing to your C: drive, selecting a
folder, then from the tool bar selecting Folder Options and then File Types. Look
for the file types opened by RealPlayer and change them to be opened by another
application, or to have no default application at all.

Well-known ports used by RealServers:

TCP port 7070 for connecting to pre-G2 RealServers
TCP port 554 and 7070 for connecting to G2 RealServers
UDP ports 6970 - 7170 (inclusive) for incoming traffic only
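As an added example (not part of the ISC diary), the following Python script scans firewall log lines for the two traffic patterns described above: multicast destinations on port 4 with a negative (or zero-translated) source port, and traffic to the RealServer ports listed. The log format, the addresses and the port numbers in the sample lines are constructed for this illustration and do not come from any real firewall.

```python
"""Flag firewall log lines matching the traffic patterns discussed in the diary.

Added example; the log format below is constructed for illustration, not a
real firewall's syntax.
"""
import ipaddress
import re
from typing import Optional

# Ports the diary lists for RealServer traffic.
REAL_TCP_PORTS = {554, 7070}        # 7070 for pre-G2, 554 and 7070 for G2
REAL_UDP_PORTS = range(6970, 7171)  # 6970-7170 inclusive, incoming traffic only

# Constructed log format for this example:
#   "<PROTO> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>-?\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def classify(rec: dict) -> Optional[str]:
    """Return a label for the patterns the diary describes, or None."""
    # Traffic to a multicast address, destination port 4, with a negative
    # source port; some firewalls log that port as 0, so accept <= 0 here.
    if rec["dst"].is_multicast and rec["dport"] == 4 and rec["sport"] <= 0:
        return "multicast-port4"
    if rec["proto"] == "TCP" and rec["dport"] in REAL_TCP_PORTS:
        return "realserver-tcp"
    if rec["proto"] == "UDP" and rec["dport"] in REAL_UDP_PORTS:
        return "realserver-udp"
    return None


def scan(lines) -> list:
    """Return (line, label) pairs for every line that matches a pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            hits.append((line, label))
    return hits


# Constructed sample log lines (addresses and ports chosen for illustration).
SAMPLE_LOG = [
    "UDP 192.0.2.10:0 -> 224.0.0.1:4",           # multicast, dport 4, sport logged as 0
    "UDP 192.0.2.11:-1 -> 239.1.1.1:4",          # negative source port as reported
    "TCP 192.0.2.12:40000 -> 198.51.100.5:554",  # G2 RealServer control port
    "TCP 192.0.2.12:40001 -> 198.51.100.5:7070",
    "UDP 198.51.100.5:7000 -> 192.0.2.12:7000",  # inside 6970-7170
    "UDP 198.51.100.5:7171 -> 192.0.2.12:7171",  # just outside the range
    "TCP 192.0.2.13:40002 -> 198.51.100.6:80",   # ordinary web traffic
    "garbage line",                               # does not parse
]

if __name__ == "__main__":
    for line, label in scan(SAMPLE_LOG):
        print(f"{label:16s} {line}")
```

The multicast check accepts a source port of 0 as well as a negative value because, as the diary notes, some firewalls rewrite the negative port to 0 before logging; adapt `LINE_RE` to your firewall's own log syntax before running this against real data.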


Jun 12th 2004
