[nsp-sec] UBNT airOS worm in the wild
Smith, Donald
Donald.Smith at CenturyLink.com
Mon May 16 10:50:57 EDT 2016
TLP (the link is public but checking)?
What is the tie-in to nxdomain?
01100101000010|10011010111101?
Hint 7 bit ascii
Donald.Smith at centurylink.com
________________________________________
From: nsp-security [nsp-security-bounces at puck.nether.net] on behalf of Damian Menscher [damian at google.com]
Sent: Sunday, May 15, 2016 12:19 PM
To: nsp-security NSP
Subject: [nsp-sec] UBNT airOS worm in the wild
----------- nsp-security Confidential --------
Starting Friday, a worm started spreading affecting UBNT airOS devices:
http://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940
This has likely already run its course (it spread fairly quickly in the
first hours, and appears to have reached saturation by Saturday) but I
wanted to spread the word in case ISPs are unaware. It appears this worm
is also responsible for an increase in NXDOMAIN queries hitting recursive
resolvers (which may be your best indicator of infection).
Damian
--
Damian Menscher :: Security Reliability Engineer :: Google :: AS15169