[nsp-sec] Srizbi bot help!?

White, Gerard Gerard.White at aliant.ca
Fri Oct 24 16:09:28 EDT 2008


Hey Steve

Wow, that's just crazy... I'm wondering if they've upgraded their malware to
push on TLS/SSL (TCP/465) & TLS/SSL + STARTTLS (TCP/587).

Put it this way, if you want to "test" and see if it's really Srizbi you're dealing
with here... just restrict McColo prefixes (ASN 26780) away from the customer and see
if the pain stops... _especially_ their 208.72.168.0/23 range... it's just maggoty...

GW
855 - Bell Aliant


> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Shelton, Steve
> Sent: Friday, October 24, 2008 1:12 PM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] Srizbi bot help!?
> 
> ----------- nsp-security Confidential --------
> 
> Hello,
> 
> Does anyone have any useful resources on detecting Srizbi bots?  I'm
> currently working on a case that is troublesome.  I'm currently
> monitoring udp 1024 > 4099 and tcp any > 4099 looking for communications
> with the associated controllers.  What is troublesome in this case is
> that port 25 out is and has been filtered and spam is still getting out.
> 
> Does anyone know of any additional outbound ports the exploit SMTP
> engine will push the template-based spam from?  Is or has the exploit
> been known to spoof source IPs?
> 
> Thanks in advance for any assistance!
> 
> Steve Shelton
> Network Security Engineer
> Cogent Communications
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet
> security counter-measures.
> _______________________________________________
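The thread raises two detection questions: whether a bot that is blocked on port 25 has shifted its spam engine to the submission ports (TCP/465, TCP/587), and whether the host is still talking to its controllers on port 4099 or to the McColo 208.72.168.0/23 range. The script below is an added example, not part of the original thread or any poster's tooling. It scores each source host in a set of outbound flow records on three signals: the number of distinct destinations contacted on mail ports, flows to destination port 4099 (this reads Steve's "tcp any > 4099" as source any, destination 4099, which is an assumption), and flows to the prefix Gerard named. The flow lines, the whitespace-separated "src dst proto sport dport" format, and the threshold of five distinct mail destinations are all constructed for the example.

```python
"""Flag hosts whose outbound flows look like a spam engine that has moved off
port 25, plus any contact with the controller port and prefix named in the
thread. Example code; the flow format and sample records are constructed."""
import ipaddress
from collections import defaultdict

MAIL_PORTS = {25, 465, 587}   # SMTP plus the TLS/SSL and STARTTLS submission ports
C2_PORT = 4099                # destination port the original poster is watching
SUSPECT_PREFIX = ipaddress.ip_network("208.72.168.0/23")  # range named in the reply

# Constructed flow records: "src_ip dst_ip proto src_port dst_port"
SAMPLE_FLOWS = """\
192.0.2.10 198.51.100.5 tcp 51000 587
192.0.2.10 198.51.100.6 tcp 51001 465
192.0.2.10 198.51.100.7 tcp 51002 587
192.0.2.10 198.51.100.8 tcp 51003 587
192.0.2.10 198.51.100.9 tcp 51004 465
192.0.2.10 198.51.100.10 tcp 51005 587
192.0.2.10 208.72.168.40 tcp 51006 4099
192.0.2.10 208.72.169.9 udp 1024 4099
192.0.2.20 198.51.100.5 tcp 40000 587
192.0.2.20 203.0.113.3 tcp 40001 443
192.0.2.30 203.0.113.4 tcp 40002 80
"""


def parse_flow(line):
    """Parse one constructed flow line into a dict with typed fields."""
    src, dst, proto, sport, dport = line.split()
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto.lower(),
        "sport": int(sport),
        "dport": int(dport),
    }


def analyze(flow_text):
    """Return per-source-host counters:
    mail_dests            distinct destinations contacted on 25/465/587 over TCP
    c2_flows              flows (any protocol) to destination port 4099
    suspect_prefix_flows  flows whose destination lies in 208.72.168.0/23
    """
    stats = defaultdict(lambda: {"mail_dests": set(), "c2_flows": 0,
                                 "suspect_prefix_flows": 0})
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        s = stats[str(f["src"])]
        if f["proto"] == "tcp" and f["dport"] in MAIL_PORTS:
            s["mail_dests"].add(f["dst"])
        if f["dport"] == C2_PORT:
            s["c2_flows"] += 1
        if f["dst"] in SUSPECT_PREFIX:
            s["suspect_prefix_flows"] += 1
    # Collapse the destination sets to counts so results are easy to compare.
    return {host: {"mail_dests": len(s["mail_dests"]),
                   "c2_flows": s["c2_flows"],
                   "suspect_prefix_flows": s["suspect_prefix_flows"]}
            for host, s in stats.items()}


def suspicious_hosts(flow_text, mail_threshold=5):
    """Hosts that fan out to many mail servers on any mail port, or touch the
    controller port or prefix at all. The threshold is a constructed value."""
    return sorted(host for host, s in analyze(flow_text).items()
                  if s["mail_dests"] >= mail_threshold
                  or s["c2_flows"] > 0
                  or s["suspect_prefix_flows"] > 0)


if __name__ == "__main__":
    for host, s in analyze(SAMPLE_FLOWS).items():
        print(host, s)
    print("suspicious:", suspicious_hosts(SAMPLE_FLOWS))
```

On the constructed data only 192.0.2.10 is flagged: it reaches six distinct mail servers on 465/587 while never touching port 25, and it also has two flows to port 4099, both landing inside the named /23. A single submission-port flow from 192.0.2.20 stays under the threshold, which is the point of counting distinct destinations rather than matching on port alone. Spoofed source addresses, the other question in the thread, cannot be settled from flow records like these; that needs ingress filtering or packet captures at the customer edge.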
