Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Shamrocks and March Madness; Perl bots; MS05-004 update SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Shamrocks and March Madness; Perl bots; MS05-004 update
To all the Irish and Irish-at-heart out there, a Happy St. Patrick's Day. (Warning US-centric comment coming next) For those of you who, like me, are college basketball fans, enjoy the next several days of 12+ hours a day of basketball. I know I will. :)

Perl bots


Our intrepid readers (thanks, to the Telenor folks), sent us a copy of 2 bots, written in Perl, that were being installed via an AWSTATS exploit (see
http://isc.sans.org/diary.php?date=2005-03-01 and
http://isc.sans.org/diary.php?date=2005-01-31
). The second appears to be an updated version with greater functionality. The irc command and control channel for the first variant seems to be down, the second one appears to still be up and the websites from which the malware was being downloaded are still live. Admins might want to check their proxy or firewall logs for traffic going to xii.altervista.org and poff.altervista.org.

MS05-004 update


Thanks to Juha-Matti for pointing out that the ASP.NET bulletin from February has been updated. Apparently the Caveats section of KB887219 has been updated based on user experience, but, of course, all our loyal readers have already patched, right? :)



-----------------

Jim Clausing, jclausing at isc dot sans dot org

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Secure Japan 2021

Jim

416 Posts
ISC Handler
Mar 18th 2005

Sign Up for Free or Log In to start participating in the conversation!