Date: 10 August 2007
For those following the Storm malware activity: we've noticed that the attackers have made some slight tweaks to the propagation spam. It now references 123greetings.com, Greetings-Cards.com, vintagegreetings.com and many others, and uses a subject line of the form:
"School mate sent you a greeting card from 123greetings.com!"
Also, Bleeding Edge Threats has published the following Snort rule for the downloader:
http://www.bleedingthreats.net/index.php/2007/07/19/storm-worm-signature/?s=storm
If anyone has developed a Snort signature for detecting the subsequent UDP C&C traffic generated by an infected system, we'd be interested in seeing it.
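As an added illustration that is not part of the original post: a small Python check that flags mail whose Subject takes the form quoted above and names one of the greeting-card domains listed here. The domain set, the sample messages and the sender addresses are constructed assumptions (the post says the spam references "many others"), so treat the list as something to extend from your own mail logs.

```python
import email
import re
from email import policy

# Greeting-card sites the post says the Storm spam now references
# (assumed list; the post notes there are many others).
GREETING_DOMAINS = {"123greetings.com", "greetings-cards.com", "vintagegreetings.com"}

# Subject form quoted in the post: "<someone> sent you a greeting card from <domain>!"
SUBJECT_RE = re.compile(
    r"^(?P<who>.+?) sent you a greeting card from (?P<domain>[\w.-]+)!?$",
    re.IGNORECASE,
)


def check_subject(subject):
    """Return the claimed greeting-card domain if the subject matches the lure, else None."""
    m = SUBJECT_RE.match(subject.strip())
    if not m:
        return None
    domain = m.group("domain").lower()
    return domain if domain in GREETING_DOMAINS else None


def scan_messages(raw_messages):
    """Return (index, From header, claimed domain) for every message whose Subject matches."""
    hits = []
    for i, raw in enumerate(raw_messages):
        msg = email.message_from_string(raw, policy=policy.default)
        domain = check_subject(msg.get("Subject", ""))
        if domain:
            hits.append((i, str(msg.get("From", "")), domain))
    return hits


# Constructed sample messages (not real captures); only the Subject and From headers matter here.
SAMPLES = [
    "From: cards@example.net\nSubject: School mate sent you a greeting card from 123greetings.com!\n\nbody\n",
    "From: boss@example.org\nSubject: Weekly report\n\nbody\n",
    "From: greetings@example.com\nSubject: Colleague sent you a greeting card from vintagegreetings.com!\n\nbody\n",
    "From: friend@example.org\nSubject: Friend sent you a greeting card from example.org!\n\nbody\n",
]

if __name__ == "__main__":
    for index, sender, domain in scan_messages(SAMPLES):
        print(f"message {index}: From {sender!r} claims card from {domain}")
```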
This week saw the start of the Chaos Communication Camp 2007, the annual camp run by the Chaos Computer Club. The camp has been allocated an IP address range, so administrators may wish to check whether they are seeing any "interesting" traffic from the 81.163.0.0/16 address range:
IP range : 81.163.0.0 - 81.163.255.255
Network name : TEMPORARY-CCC-CAMP-NET
Infos : Chaos Computer Club Veranstaltungsgesellschaft mbH
Infos : This network is set aside for various
Country : Germany (DE)
Abuse E-mail : cpunkt@ccc.de
Source : RIPE
Finally, for sites running the BIND name server, you may be interested to know that this week saw the official end-of-life announcement for BIND 8:
http://marc.info/?l=bind-announce&m=118670081707688&w=2
Also, a proof of concept for the BIND 9 DNS cache poisoning vulnerability has been publicly released on milw0rm. We have not verified that this exploit is functional, but even if it is not, administrators are urged to patch their systems.
Robert Lowe