
SANS ISC: Arkeia remote exploit scan activity; More MyDoom; Where is Tokelau?; IRC Botnet

Arkeia remote exploit scan activity

On 02/18/2005 a remote exploit was published for Arkeia, a backup/DR solution, targeting Red Hat 7.2/8.0, Win2k SP2/SP3/SP4, WinXP SP1 and Win 2003. At this time there is no information published concerning a patch. Workaround: protect port 617 (the Arkeia service port) from Internet access, e.g. by filtering it at the perimeter. The jump start of port 617 scan activity is evident here: http://isc.sans.org/port_details.php?port=617

Other Arkeia exploits have been released as well, including one for versions running on Mac OS X.

MyDoom BC and BD

Two more versions of the Mydoom worm, dubbed Mydoom.BC and .BD, are on the loose. AV detection was spotty at first, but since we got a sample early on (Thanks, Mike!) we were able to help the process along by submitting it to the vendors. Additional investigation revealed that the new version was downloading a file called "contraste.jpg" from a web site in France. The JPG isn't really a JPG, but rather a backdoor component named Nemog.D (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nemog.d.html) or BackDoor-CEB.f (http://vil.mcafeesecurity.com/vil/content/v_131340.htm), depending on which AV vendor you ask. The owner of the site in France, as well as the owners of five more sites hosting the same backdoor, were contacted during the day, but have yet to take action.
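The "JPG that isn't a JPG" trick above is easy to catch on a proxy or in a sandbox by comparing the extension a download advertises with the magic bytes it actually starts with. The following Python is an added example written for this diary, not ISC's or any AV vendor's code; the file name "contraste.jpg" comes from the diary, while the byte samples are constructed here purely for illustration and are not the real backdoor.

```python
# Added example (not part of the ISC diary): check whether a file that
# claims to be a JPEG actually starts with JPEG magic bytes, and flag
# common executable headers (PE, ELF) hiding behind an image name.
# All sample data below is constructed for illustration only.

JPEG_MAGIC = b"\xff\xd8\xff"   # JPEG SOI marker followed by the next marker byte
PE_MAGIC = b"MZ"               # DOS stub header that every Windows PE file starts with
ELF_MAGIC = b"\x7fELF"         # ELF header on Linux/Unix


def classify_header(data: bytes) -> str:
    """Return 'jpeg', 'pe', 'elf' or 'unknown' based on the leading bytes."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ELF_MAGIC):
        return "elf"
    return "unknown"


def check_claimed_type(filename: str, data: bytes) -> dict:
    """Compare the type a file name advertises with what its header says.

    Returns a small report dict; 'mismatch' is True when the extension and
    the header disagree, 'executable' when the header is PE or ELF.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = "jpeg" if ext in ("jpg", "jpeg") else ext
    actual = classify_header(data)
    return {
        "filename": filename,
        "claimed": claimed,
        "actual": actual,
        "mismatch": claimed != actual,
        "executable": actual in ("pe", "elf"),
    }


# Constructed samples: a minimal JFIF-style header and a fake PE (MZ) stub.
SAMPLE_REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
SAMPLE_FAKE_JPEG = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("contraste.jpg", SAMPLE_FAKE_JPEG),
                       ("photo.jpg", SAMPLE_REAL_JPEG)):
        print(check_claimed_type(name, blob))
```

Only the first few bytes are examined, so the check works on a streaming download before the whole object has arrived; a mismatch between a harmless-looking extension and an executable header is a good trigger for quarantining the object and alerting.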

Dialers Galore

Dialers still seem to be very "popular" in Italy. While these pests are slowly dying out elsewhere because fewer and fewer people use dialup to connect to the Internet, there are apparently still tons of web pages in Italy that are booby-trapped with a dialer. The pages are cross-linked among themselves, leading to high page ranks in Google when searching for some of the more popular Italian words (auto, lotto, calcio ... :-). The various front companies and their connections become visible when disassembling a couple of the dialers: an Italian company, fronted by a domain purchaser in the U.S., with dialers that fetch additional code from a site in Moldavia and try to dial various +690 telephone numbers in Tokelau. Hm.

Yes, I admit that I had to look up Tokelau as well. Tokelau consists of three atolls, Atafu, Fakaofo and Nukunonu, and lies about 350 mi north of Samoa in the South Pacific. Sounds like an expensive enough long distance call to me. Should somebody aspire to write a bestseller techno thriller, I bet that tracking down the dark forces behind the dialer scam would be worthy of a Pulitzer.

IRC Botnet

A reader has reported yet another IRC botnet, involving compromised servers in several countries. We're still following up on it and are also analyzing a Linux module and a couple of Perl scripts that seem to be related to the activity. Thanks to Stephane for providing the info.

From Russia with Love

We're also analyzing a new piece of malware one of our handlers has found on a web site in Russia. The stuff is disguised as a "Happy Valentine Day" animation, but programmed to do some nefarious things behind the scenes, like downloading a password stealer. So far, only AntiVir detects the downloader trojan (as PMS/Final.Expl.2), but we have submitted samples to all the vendors and are confident that detection will improve.

------------

Daniel Wesemann

echo "ebojfm/jtdAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

ISC Handler
Feb 20th 2005