Week in review - Week Ending 10/08/2007

Date: 10 August 2007
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=7958

For those following the Storm malware activity, we've noticed that the attackers have made some slight tweaks to the propagation spam. They now reference 123greetings.com, Greetings-Cards.com, vintagegreetings.com and many others. For example, the spam now uses a subject line of the form:

    "School mate sent you a greeting card from 123greetings.com!"

Also, Bleeding Edge Threats has the following Snort rule for the downloader:

    http://www.bleedingthreats.net/index.php/2007/07/19/storm-worm-signature/?s=storm

If anyone has developed a Snort signature for the detection of the subsequent UDP C&C traffic generated by an infected system, we'd be interested in seeing it.

This week saw the start of the Chaos Communication Camp 2007, the annual camp run by the Chaos Computer Club. This camp has been allocated an IP address range, so administrators may wish to check whether they are seeing any "interesting" traffic from the 81.163.0.0/16 address range:

    IP range     : 81.163.0.0 - 81.163.255.255
    Network name : TEMPORARY-CCC-CAMP-NET
    Infos        : Chaos Computer Club Veranstaltungsgesellschaft mbH
    Infos        : This network is set aside for various
    Country      : Germany (DE)
    Abuse E-mail : cpunkt@ccc.de
    Source       : RIPE

Finally, sites running the BIND name server may be interested to know that this week saw the official end-of-life announcement for BIND 8:

    http://marc.info/?l=bind-announce&m=118670081707688&w=2

Also, a proof of concept for the BIND 9 DNS Cache Poisoning vulnerability has been publicly released to milw0rm. We have not verified this exploit as functional, but even if it is not, administrators are urged to patch their systems.

Robert Lowe
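
For the 81.163.0.0/16 check suggested above, the following is an added example (not part of the original bulletin) that summarises firewall log hits from that range by source address. It assumes key=value log lines in the style of the Linux netfilter LOG target; the sample lines are constructed, and the `port_threshold` used to mark a source as scan-like is an arbitrary illustrative value.

```python
import ipaddress
import re
from collections import defaultdict

# Range quoted in the bulletin (RIPE: TEMPORARY-CCC-CAMP-NET).
CAMP_NET = ipaddress.ip_network("81.163.0.0/16")

# key=value fields as written by the Linux netfilter LOG target (assumed format).
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample log lines, not real traffic; DST is documentation space.
SAMPLE_LOG = """\
Aug 10 09:15:01 fw kernel: IN=eth0 OUT= SRC=81.163.12.7 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=22
Aug 10 09:15:01 fw kernel: IN=eth0 OUT= SRC=81.163.12.7 DST=192.0.2.10 PROTO=TCP SPT=40212 DPT=23
Aug 10 09:15:02 fw kernel: IN=eth0 OUT= SRC=81.163.12.7 DST=192.0.2.10 PROTO=TCP SPT=40213 DPT=80
Aug 10 09:16:40 fw kernel: IN=eth0 OUT= SRC=81.163.200.1 DST=192.0.2.53 PROTO=UDP SPT=5353 DPT=53
Aug 10 09:17:05 fw kernel: IN=eth0 OUT= SRC=81.164.0.1 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=22
Aug 10 09:18:30 fw kernel: IN=eth0 OUT= SRC=81.163.200.1 DST=192.0.2.53 PROTO=ICMP TYPE=8 CODE=0
Aug 10 09:20:00 fw sshd[311]: Accepted publickey for admin from 192.0.2.50 port 51000
"""

def summarize(lines, net=CAMP_NET, port_threshold=3):
    """Group hits from `net` by source; flag sources touching many ports."""
    stats = defaultdict(lambda: {"hits": 0, "ports": set()})
    for line in lines:
        fields = dict(FIELD_RE.findall(line))
        try:
            src = ipaddress.ip_address(fields.get("SRC", ""))
        except ValueError:
            continue  # no SRC field, or a malformed address
        if src not in net:
            continue  # outside the camp range (IPv6 never matches an IPv4 net)
        entry = stats[str(src)]
        entry["hits"] += 1
        if fields.get("DPT", "").isdigit():  # ICMP lines carry no DPT
            entry["ports"].add((fields.get("PROTO", "?"), int(fields["DPT"])))
    return {
        src: {"hits": e["hits"], "ports": sorted(e["ports"]),
              "scan_like": len(e["ports"]) >= port_threshold}
        for src, e in stats.items()
    }

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(src, info)
```

To run it against a real log, pass an open file object to `summarize()` in place of the constructed sample.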