MS05-051 (MSDTC) Malware / Port 1025

Published: 2005-12-15
Last Updated: 2005-12-15 16:04:03 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
A blog entry over at F-Secure mentions a new piece of malware dubbed "Dasher.A" that is trying to exploit the MS05-051 aka MSDTC vulnerability. The spreading mechanism seems to be very unreliable, but likely explains the surge in Port 1025 traffic we've seen recently . The captured packets look a lot like what the MS05-051 POC exploit posted at FrSIRT.com would cause.  [Thanks to Juha-Matti and David for reporting this.]

Update 15:27 UTC: Georg Wicherski from the German Honeynet Project has successfully captured the full exploit, including payload, on one of these tcp/1025 attacks. The payload will be called Dasher.B by F-Secure - and unlike the .A variant, this one does work, and drop a keylogger. Georg is planning to update mwcollect with MS05-051 detection and capture code over the next days.


Keywords:
0 comment(s)

Comments


Diary Archives