[nsp-sec] Bracing For Impact... MS08-067
Nicholas Ianelli
ni at cert.org
Thu Oct 23 17:12:09 EDT 2008
Ugh, hit send too soon; there is also the following:
perlbody.t35.com. 14400 IN A 66.45.237.219
summertime.1gokurimu.com. 3600 IN A 59.106.116.229
doradora.atzend.com. 14400 IN A 69.162.76.42
Bulk mode; whois.cymru.com [2008-10-23 21:11:52 +0000]
9370 | 59.106.116.229 | SAKURA-B SAKURA Internet Inc.
19318 | 66.45.237.219 | NJIIX-AS-1 - NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC
30008 | 69.162.76.42 | COLOGUYS - ColoGuys
Bulk mode; peer-whois.cymru.com [2008-10-23 21:11:52 +0000]
2497 | 59.106.116.229 | IIJ Internet Initiative Japan Inc.
2516 | 59.106.116.229 | KDDI KDDI CORPORATION
2828 | 66.45.237.219 | XO-AS15 - XO Communications
3356 | 69.162.76.42 | LEVEL3 Level 3 Communications
7473 | 59.106.116.229 | SINGTEL-AS-AP Singapore Telecom
7473 | 66.45.237.219 | SINGTEL-AS-AP Singapore Telecom
12179 | 69.162.76.42 | INTERNAP-2BLK - Internap Network Services Corporation
19080 | 66.45.237.219 | ASN-WBS-01 - WBS Connect, LLC
Nick
Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
>
> From malware analysis:
>
> HTTP check in:
> 59.106.145.58
>
>
> The following three IPs are pinged with the payload:
>
> abcde12345fghij6789
>
> 212.227.93.146
> 64.233.189.147
> 202.108.22.44
>
>
> Bulk mode; whois.cymru.com [2008-10-23 21:06:14 +0000]
> 4808 | 202.108.22.44 | CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
> 8560 | 212.227.93.146 | ONEANDONE-AS 1&1 Internet AG
> 9370 | 59.106.145.58 | SAKURA-B SAKURA Internet Inc.
> 15169 | 64.233.189.147 | GOOGLE - Google Inc.
>
>
>
> Bulk mode; peer-whois.cymru.com [2008-10-23 21:06:14 +0000]
>
>
> Nick
>
> Nicholas Ianelli wrote:
>> There was a miscreant chatting about this last month, basically stating
>> that they found a way to "re-infect" people via ports 135/445. Unclear
>> if they had the code to do so, but it would be interesting to see if
>> this was already being exploited.
>
>> I'll see what I can dig up.
>
>> Ok, found it, logs dated from 2008.09.02
>
>> falesco found a way of exploiting dcom and lsass again
>> so hes put them on a fud bot hes had for month
>> selling source for 250 euros
>> 249k bots
>> for 3500 euros
>
>> If this is true, it may be worthwhile getting LE involvement.
>
>> Nick
>
>> White, Gerard wrote:
>>> ----------- nsp-security Confidential --------
>>> Greetings.
>
>
>>> As you are all aware (hopefully), Microsoft has recently released a
>>> patch outside of their normal cycle.
>
>
>>> In my opinion, this was probably touched off as a result of a painful
>>> decision between releasing a patch that, if reverse-engineered, would touch
>>> off heavy miscreant activity - vs. not releasing the patch, and playing the
>>> waiting game.
>
>
>>> So, also in my opinion, it probably won't be long (days?) before miscreants
>>> attempt to take advantage of this opportunity... I would like to ask the
>>> community to watch their darknets for spikes in TCP/135 & TCP/445.
>
>
>>> While the basic details are available here:
>>> http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
>
>
>>> I strongly encourage everyone to read better details here:
>>> http://blogs.technet.com/swi/
>
>
>>> GW
>>> 855 - Bell Aliant
>
>
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>> community. Confidentiality is essential for effective Internet security counter-measures.
>>> _______________________________________________
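The request quoted in the thread, to watch darknet space for spikes on TCP/135 and TCP/445, can be turned into a simple check; the following is an added example, not code from the thread or from any of its authors. It assumes a hypothetical darknet prefix (an RFC 5737 documentation range), constructs its own flow records, and uses illustrative thresholds.

```python
import ipaddress
from collections import Counter, defaultdict
from statistics import median

# Hypothetical darknet prefix (an RFC 5737 documentation range stands in for an unrouted block).
DARKNET = ipaddress.ip_network("203.0.113.0/24")
WATCH_PORTS = {135, 445}  # the ports the thread asks the community to watch

def constructed_flows():
    """Constructed rows "minute src dst proto dport": two TCP/445 probes per minute as
    background for minutes 0-10, plus 40 probes from distinct sources at minute 10."""
    rows = []
    for m in range(11):
        rows += [f"{m} 198.51.100.{k + 1} 203.0.113.{10 + k} tcp 445" for k in range(2)]
        rows.append(f"{m} 198.51.100.50 203.0.113.5 tcp 80")   # not a watched port
        rows.append(f"{m} 198.51.100.51 203.0.113.6 udp 445")  # not TCP
        rows.append(f"{m} 198.51.100.52 192.0.2.7 tcp 445")    # destination outside the darknet
    rows += [f"10 192.0.2.{k + 1} 203.0.113.{100 + k} tcp 445" for k in range(40)]
    return rows

def bucket_hits(rows, darknet=DARKNET, ports=WATCH_PORTS):
    """Per-minute hit count and distinct-source set for TCP attempts to the
    watched ports whose destination lies inside the darknet prefix."""
    hits, sources = Counter(), defaultdict(set)
    for row in rows:
        parts = row.split()
        if len(parts) != 5:
            continue  # malformed row: skip it rather than abort the run
        minute, src, dst, proto, dport = parts
        if proto != "tcp" or int(dport) not in ports:
            continue
        if ipaddress.ip_address(dst) not in darknet:
            continue
        hits[int(minute)] += 1
        sources[int(minute)].add(src)
    return hits, sources

def spikes(hits, sources, window=5, factor=4, min_hits=10):
    """Flag a minute whose count is at least min_hits and more than factor times the
    median of the preceding `window` minutes. Each result is (minute, hits, distinct
    sources, baseline); many distinct sources suggests spread rather than one scanner."""
    flagged, minutes = [], sorted(hits)
    for i, m in enumerate(minutes):
        prior = [hits[p] for p in minutes[max(0, i - window):i]]
        if not prior:
            continue  # no baseline yet for the first minute
        base = median(prior)
        if hits[m] >= min_hits and hits[m] > factor * max(base, 1):
            flagged.append((m, hits[m], len(sources[m]), base))
    return flagged
```

Feed bucket_hits() real flow exports in the same five-field shape and tune window, factor and min_hits to the sensor's normal background before trusting the alerts.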