Tuesday, August 16, 2005

Update: More PnP worms in the wild....

Via the Internet Storm Center's Handler's Diary webpage:

Symantec just released info on the W32.Zotob.E worm here.

Trend Micro has also released this: WORM_RBOT.CBQ.

This is an exploit of a known vulnerability, and the patch is available from Microsoft here: Microsoft Security Bulletin MS05-039

More updates coming as we analyze and gather more information!


I should also mention that another PnP/MS05-039 delivery method is making the rounds today, as a 108 KB e-mail attachment. From some e-mail dialogue I had with some other security-minded folks earlier today:

 
Added to the McAfee database today:

http://vil.nai.com/vil/content/v_135474.htm

Uses the MS05-039 exploit.

- ferg


-- "Fergie (Paul Ferguson)" [email elided] wrote:

I did have a couple of people send me some additional clues:

[snip]

Looks like a lot of stuff cobbled together from Mydoom and Rbot and
possibly other public sources, along with some template spamming stuff
similar to Bobax but different enough that I don't think it's the same
code. Oh, and it has the MS05-39 exploit built in too, of course. But
who doesn't nowadays?

[and]

I've received maybe a couple of dozen of them in the last 24 hours.
Classification is not terribly clear -- some think it is sufficiently
Mydoom-ish, others have it as various other things...

Win32:Surila-E [Trj]
BDS/Surila.X
Backdoor.Win32.Surila.x
BehavesLike:Win32.SiteHijack
W32/Mydoom.bv@MM
W32.Bobax.AF@mm
W32/Antimule.A.worm
WORM_BOBAX.AD
W32/MyDoom-Gen
Win32.Qweasy.A
Win32/MyDoom.79936!Worm

About half of tested engines still do not detect despite (most) having
been sent samples 24+ hours ago.

I've not had time to look at all closely at it, but it's certainly out
there as I keep getting more naturally occurring samples -- just
refreshed my inbox and have two more...

[snip]



...so watch out for unsolicited attachments (which appear to be about 108k); most of them use social engineering to get the recipient to open them, e.g. a "From:" line made to look like a bounced-mail notice, an administrator, etc.
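The two indicators above (an attachment of roughly 108k, plus a sender or subject dressed up as a bounce or admin notice) are enough to build a simple mail-triage check. The script below is an added example for this post, not code from the post, the Handler's Diary, or any AV vendor; the size tolerance, the sender/subject patterns, and the three sample messages are all constructed here, and the "attachment" is just a run of zero bytes of the right length.

```python
"""Heuristic triage of inbound mail for the 108 KB mailer described above.

Indicators taken from the post: an unsolicited attachment of about 108 KB, and a
From:/Subject: that impersonates a bounced-mail notice or an administrator.
Everything else (tolerance, regexes, sample messages) is constructed for this example.
"""
import email
import re
from email.message import EmailMessage
from email.policy import default

# Constructed threshold: about 108 KB, with a 10% tolerance either way.
TARGET_SIZE = 108 * 1024
TOLERANCE = 0.10

# Constructed patterns for senders/subjects that mimic bounces or admin mail.
SUSPICIOUS_FROM = re.compile(r"(postmaster|mailer-daemon|administrator|bounce)", re.I)
SUSPICIOUS_SUBJECT = re.compile(
    r"(returned mail|delivery (failure|status)|undeliverable|mail system error)", re.I
)


def attachment_sizes(msg):
    """Return the decoded size in bytes of every attachment part in the message."""
    sizes = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True)
            if payload is not None:
                sizes.append(len(payload))
    return sizes


def triage(raw):
    """Return (flagged, reasons) for one raw RFC 5322 message.

    Size alone is a weak signal (plenty of legitimate 108 KB files exist), so a
    message is flagged only when the size AND the social-engineering sender or
    subject are both present.
    """
    msg = email.message_from_string(raw, policy=default)
    reasons = []
    for size in attachment_sizes(msg):
        if abs(size - TARGET_SIZE) <= TARGET_SIZE * TOLERANCE:
            reasons.append(f"attachment of {size} bytes is within 10% of 108 KB")
    if not reasons:
        return False, []
    sender = msg.get("From", "")
    subject = msg.get("Subject", "")
    if SUSPICIOUS_FROM.search(sender) or SUSPICIOUS_SUBJECT.search(subject):
        reasons.append(f"sender/subject mimics a bounce or admin notice: {sender!r} / {subject!r}")
        return True, reasons
    return False, []


def flagged_ids(samples):
    """Return the sorted ids of the messages in `samples` that triage() flags."""
    return sorted(mid for mid, raw in samples.items() if triage(raw)[0])


def build_sample(sender, subject, attachment_len):
    """Construct a raw message with one binary attachment of the given length (sample data only)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("See attached.")
    m.add_attachment(b"\x00" * attachment_len, maintype="application",
                     subtype="octet-stream", filename="attachment.zip")
    return m.as_string()


# Constructed samples: one lookalike bounce with a ~108 KB attachment, one ordinary
# 108 KB report from a colleague, and one genuine-looking small bounce notice.
SAMPLES = {
    "bounce-lookalike": build_sample('"Mail Administrator" <postmaster@example.com>',
                                     "Returned mail: see transcript for details", 108 * 1024),
    "legit-report": build_sample("alice@example.com", "Q3 numbers", 108 * 1024),
    "small-notice": build_sample("postmaster@example.com", "Delivery failure", 2 * 1024),
}

if __name__ == "__main__":
    for mid, raw in SAMPLES.items():
        flagged, reasons = triage(raw)
        print(mid, "FLAGGED" if flagged else "ok", reasons)
```

Only the bounce lookalike trips both conditions; the genuine-size report from a colleague and the small real bounce pass through. In practice the size window would be tuned to the actual sample and the hit used to quarantine for a hash or AV check rather than to block outright.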


Let's be careful out there....


Update: While the ISC "ThreatCon Level" is still "Green" for the Internet infrastructure, McAfee's AVERT Alert level has gone to "High" for Corporate and Home users for the first time in about two years.

Whacked.
