IRC Botnet Update
On yesterday´s diary, there was a mention of a IRC Botnet on 126.96.36.199 on port 10009. This host is still active but changed the port to the standard 6667.
:irc.imsoXXXXXXXyandao.com NOTICE AUTH :*** Looking up your hostname...
:irc.imsoXXXXXXXyandao.com NOTICE AUTH :*** Found your hostname
ERROR :Closing Link: [xxx.xxx.xxx.xxx] (Ping timeout)
Windows Rootkit Detection
A tool was released today regarding Windows Rootkit Discovery. According to the release note, this tools is aimed to detect generic windows rootkits, like Hacker Defender.
By the way, two good Unix rootkit detection tools are ChkRootKit and RootKit hunter.
We received a report about a raise on scans on port 23. Although Dshield doesnt show anything unusual, it may be a good idea to take a look on your logs. Maybe it is a brute force, like SSH and VNC? We dont know yet, as we didnt get packets, but will let you know as soon as we get more info.
ICQ Virus messages
Arthur Magon sent us an advisory about users receiving a message: *DO NOT CLICK IN THE URL*
"Come to look new photos me and my friends _http:/_/myfriends.go2me.biz/_"
When opening the page my anti-virus (Norton) noticed a virus attempt.
Trojan.ByteVerify is a Trojan Horse that exploits the vulnerability described in Microsoft Security Bulletin MS03-011 and could provide a hacker the ability to run arbitrary code on an infected system.
Write-up by Symantec.
ISC Contact Form
Sometimes we receive questions through the ISC Contact form (http://isc.sans.org/contact.php) with the return email set to isc.sans.org, which means that the person didnt fill the ´E-Mail´ box in the contact form. In this way we are unable to reply to you and give you an answer. If you just want to send some info in an anonymous way, thats ok, but if you want a reply to your question, please fill in the ´E-Mail´ box.
2004 SANS Top-20 Release
The SANS Institute would like to invite readers of the SANS Internet Storm Center to the European launch of the 2004 Critical Internet Threats Research (CITR) on the 8th of October in Westminster.
The SANS CITR is undertaken annually and is the basis for a community consensus paper known as the 'Top-20'. This report defines the most serious of Internet vulnerabilities and security exposures, providing guidance for identification, mitigation and elimination of core threats.
The Top-20 began life as a research study undertaken jointly between the SANS Institute and the National Infrastructure Protection Centre (NIPC) at the FBI. This work led to the creation of a document summarizing the 'Ten Most Critical Internet Security Vulnerabilities'. Thousands of organizations from all spheres of industry used that list to prioritize their efforts to address the most dangerous threats to their information infrastructures.
The 2004 Top-20 will once again provide the expert's consensus on threats; the result of a process that has brought together security experts, leaders, researchers and visionaries from the most security-conscious federal agencies in the US, UK and Europe and Asia; the top university-based security programs; and the leading security software vendors and consulting firms.
Join us on the 8th of October 2004 at the DTI Conference Centre in Westminster and hear leading international experts discuss many topics that are relevant to the study of critical internet threats and exposures. Presentation topics include; ?Information Assurance: Managing and Mitigating Threats to Critical Information Infrastructures?, ?Fighting back against exposure?, and the ?Top-20 2004?. A panel discussion will allow your voice to be heard in a forum where you can share your experience in fighting attackers and eliminating vulnerabilities.
Keynotes from many of the participating UK Government agencies will be delivered, providing perspectives from NISCC, CESG/GCHQ, and the CSIA (Cabinet Office).
Invitations to this event are strictly limited and are not transferable. To reserve your place, please RSVP to Ross Patel by 24th September by e-mailing: rpatel [at] sans [dot] org.
We look forward to you joining us at the European launch of the SANS Critical Internet Threats Research 2004.
Handler on Duty: Pedro Bueno (bueno/AT/ieee.org)
Sep 9th 2004
1 decade ago