[nsp-sec] Bracing For Impact... MS08-067
Nicholas Ianelli
ni at cert.org
Thu Oct 23 17:06:44 EDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
From malware analysis:
HTTP check in:
59.106.145.58
The following three IPs are pinged with the payload:
abcde12345fghij6789
212.227.93.146
64.233.189.147
202.108.22.44
Bulk mode; whois.cymru.com [2008-10-23 21:06:14 +0000]
4808 | 202.108.22.44 | CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
8560 | 212.227.93.146 | ONEANDONE-AS 1&1 Internet AG
9370 | 59.106.145.58 | SAKURA-B SAKURA Internet Inc.
15169 | 64.233.189.147 | GOOGLE - Google Inc.
Bulk mode; peer-whois.cymru.com [2008-10-23 21:06:14 +0000]
174 | 212.227.93.146 | COGENT Cogent/PSI
174 | 64.233.189.147 | COGENT Cogent/PSI
1239 | 64.233.189.147 | SPRINTLINK - Sprint
1299 | 212.227.93.146 | TELIANET TeliaNet Global Network
2497 | 59.106.145.58 | IIJ Internet Initiative Japan Inc.
2516 | 59.106.145.58 | KDDI KDDI CORPORATION
2516 | 64.233.189.147 | KDDI KDDI CORPORATION
2828 | 212.227.93.146 | XO-AS15 - XO Communications
2828 | 64.233.189.147 | XO-AS15 - XO Communications
2914 | 212.227.93.146 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
2914 | 64.233.189.147 | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3257 | 64.233.189.147 | TISCALI-BACKBONE Tiscali Intl Network BV
3356 | 212.227.93.146 | LEVEL3 Level 3 Communications
3549 | 64.233.189.147 | GBLX Global Crossing Ltd.
3561 | 64.233.189.147 | SAVVIS - Savvis
4565 | 212.227.93.146 | MEGAPATH2-US - MegaPath Networks Inc.
4565 | 64.233.189.147 | MEGAPATH2-US - MegaPath Networks Inc.
4657 | 64.233.189.147 | STARHUBINTERNET-AS Starhub Internet, Singapore
4837 | 202.108.22.44 | CHINA169-BACKBONE CNCGROUP China169 Backbone
7132 | 64.233.189.147 | SBIS-AS - AT&T Internet Services
7473 | 59.106.145.58 | SINGTEL-AS-AP Singapore Telecom
7473 | 64.233.189.147 | SINGTEL-AS-AP Singapore Telecom
10310 | 212.227.93.146 | YAHOO-1 - Yahoo!
10310 | 64.233.189.147 | YAHOO-1 - Yahoo!
11164 | 64.233.189.147 | TRANSITRAIL - National LambdaRail, LLC
11537 | 64.233.189.147 | ABILENE - Internet2
15606 | 212.227.93.146 | NASK-TRANSIT NASK Transit AS
15606 | 64.233.189.147 | NASK-TRANSIT NASK Transit AS
28513 | 64.233.189.147 | Uninet S.A. de C.V.
Nick
Nicholas Ianelli wrote:
> There was a miscreant chatting about this last month, basically stating
> that they found a way to "re-infect" people via ports 135/445. Unclear
> if they had the code to do so, but it would be interesting to see if
> this was already being exploited.
>
> I'll see what I can dig up.
>
> Ok, found it, logs dated from 2008.09.02
>
> falesco found a way of exploiting dcom and lsass again
> so hes put them on a fud bot hes had for month
> selling source for 250 euros
> 249k bots
> for 3500 euros
>
> If this is true, may be worthwhile getting LE involvement.
>
> Nick
>
> White, Gerard wrote:
>> ----------- nsp-security Confidential --------
>>
>> Greetings.
>>
>> As you are all aware (hopefully), Microsoft has recently released a
>> patch outside of their normal cycle.
>>
>> In my opinion, this was probably touched off as a result of a painful
>> decision between releasing a patch that, if reverse-engineered, would
>> touch off heavy miscreant activity - vs. not releasing the patch, and
>> playing the waiting game.
>>
>> So, also in my opinion, it probably won't be long (days?) before
>> miscreants attempt to take advantage of this opportunity... I would
>> like to ask the community to watch their darknets for spikes in
>> TCP/135, & TCP/445.
>>
>> While the basic details are available here:
>> http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
>>
>> I strongly encourage everyone to read better details here:
>> http://blogs.technet.com/swi/
>>
>> GW
>> 855 - Bell Aliant
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iEQEARECAAYFAkkA52QACgkQi10dJIBjZIA2QACgqSKlN9Gbv4Rx/9Jz5b81FG4b
ss4AkNtil2OWanPic6nC4lw84fGjSA==
=/r+C
-----END PGP SIGNATURE-----
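The request in the quoted message is to watch darknet sensors for spikes on TCP/135 and TCP/445. The script below is an added example written for this archive page; it is not code from the thread or from any of the posters. It assumes a simplified one-line flow record format ("<ISO timestamp> <src> <dst> <proto>/<dport>") that a sensor export has been normalised into; the sample records it runs on are constructed. It buckets flows per hour and per watched port, and flags an hour whose flow count is well above the mean of the earlier hours and that also involves many distinct source addresses, so that a single noisy scanner does not trip the alert the way a spreading worm would.

```python
"""Darknet spike detection for TCP/135 and TCP/445.

Added example, not code from the nsp-security thread. The flow record
format parsed here ("<ISO timestamp> <src> <dst> <proto>/<dport>") is an
assumption; real sensors export NetFlow, sFlow or pcap that would be
normalised into such lines first.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

WATCH_PORTS = {135, 445}


def parse_flow(line):
    """Parse one assumed-format flow record into (timestamp, src, dst, proto, dport)."""
    ts, src, dst, service = line.split()
    proto, dport = service.split("/")
    return datetime.fromisoformat(ts), src, dst, proto, int(dport)


def hourly_buckets(lines):
    """Count flows and distinct source IPs per (hour, port) for watched TCP ports.

    Distinct sources matter: one aggressive scanner inflates the flow count,
    whereas a worm spreading through freshly infected hosts shows up as many
    new sources hitting the same port.
    """
    flows = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, _dst, proto, dport = parse_flow(line)
        if proto != "tcp" or dport not in WATCH_PORTS:
            continue
        key = (ts.replace(minute=0, second=0, microsecond=0), dport)
        flows[key] += 1
        sources[key].add(src)
    return {k: (flows[k], len(sources[k])) for k in flows}


def detect_spikes(buckets, factor=5.0, min_sources=20):
    """Flag an hour whose flow count exceeds `factor` times the mean of all
    earlier hours for the same port and that has at least `min_sources`
    distinct sources. The first hour seen for a port has no baseline and
    is skipped rather than compared against zero."""
    alerts = []
    for port in sorted(WATCH_PORTS):
        history = sorted((hour, f, s) for (hour, p), (f, s) in buckets.items() if p == port)
        for i, (hour, flow_count, src_count) in enumerate(history):
            if i == 0:
                continue
            baseline = mean(f for _, f, _ in history[:i])
            if flow_count > factor * baseline and src_count >= min_sources:
                alerts.append({"hour": hour, "port": port, "flows": flow_count,
                               "sources": src_count, "baseline": baseline})
    return alerts


def constructed_flows():
    """Constructed sample: two quiet hours of background scanning on both
    ports, then a burst of TCP/445 probes from 60 distinct sources in the
    third hour. Addresses are documentation ranges, not real hosts."""
    lines = []
    base = datetime(2008, 10, 23, 18, 0, 0)
    for hour in range(3):
        for i in range(4):  # steady background noise, four sources per hour
            t = base + timedelta(hours=hour, minutes=i * 10)
            lines.append(f"{t.isoformat()} 198.51.100.{i + 1} 192.0.2.10 tcp/445")
            lines.append(f"{t.isoformat()} 198.51.100.{i + 1} 192.0.2.11 tcp/135")
        lines.append(f"{t.isoformat()} 198.51.100.9 192.0.2.12 tcp/80")  # unwatched port
    burst = base + timedelta(hours=2, minutes=30)
    for i in range(60):
        t = burst + timedelta(seconds=i * 20)
        lines.append(f"{t.isoformat()} 203.0.113.{i + 1} 192.0.2.{10 + i % 5} tcp/445")
    return lines


def main():
    buckets = hourly_buckets(constructed_flows())
    for alert in detect_spikes(buckets):
        print(f"{alert['hour']:%Y-%m-%d %H:00} TCP/{alert['port']}: "
              f"{alert['flows']} flows from {alert['sources']} sources "
              f"(baseline {alert['baseline']:.1f}/hour)")


if __name__ == "__main__":
    main()
```

On the constructed input this reports a single alert for the 20:00 hour on TCP/445 (64 flows from 64 sources against a baseline of 4 per hour) and stays quiet on TCP/135. The two thresholds are the tuning knobs: `factor` sets how far above the sensor's normal background a port has to rise, and `min_sources` keeps one scanner from looking like an outbreak.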