
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-02-22



Mwcollect and Nepenthes merging

Published: 2006-02-22
Last Updated: 2006-02-22 18:05:24 UTC
by Daniel Wesemann (Version: 1)
1 comment(s)
If you are into malware research, it might be of interest to you that the two (in my opinion) best malware honeypot projects have decided to join forces.  See http://www.mwcollect.org/ for details.


Antiphishing.org Trend Report

Published: 2006-02-22
Last Updated: 2006-02-22 18:00:24 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
In case you missed it, the Anti-Phishing Working Group published their latest (December 05) trend report a couple of days ago. Interesting as always. See http://www.antiphishing.org/reports/apwg_report_DEC2005_FINAL.pdf

W32/Feebs again

Published: 2006-02-22
Last Updated: 2006-02-22 16:54:45 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
Looks like a new variant of W32/Feebs is making the rounds. Fellow handler Bojan has spent quite some time de-obfuscating the JavaScript and VB code, and we're still looking at what it does besides downloading base64-encoded versions of W32/Feebs. You might want to zap access to *.coconia.net / *.by.ru / *.kazan.bz / *.t35.com / *.freecoolsite.com / *.nm.ru until the AV vendors have the patterns lined up.

If some of these domains sound vaguely familiar, see http://isc.sans.org/diary.php?storyid=1035

Update 1023 UTC: Looks like it spreads as an email with the subject "Secure Message from GMail.com user" and a ZIP attachment (data.zip in the sample at hand). The ZIP in turn contains a file "Encrypted Html File.hta", which holds the heavily obfuscated JavaScript exploit code that triggers the W32/Feebs download from the above sites.

Update 1700 UTC: AV detection is available by now, at least from some of the "bigger" vendors.
Vendor|Version|Date|Detection
BitDefender|7.2|02.22.2006|Win32.Worm.Feebs.1.Gen
Kaspersky|4.0.2.24|02.22.2006|Worm.Win32.Feebs.cb
McAfee|4703|02.22.2006|W32/Feebs.gen@MM
Panda|9.0.0.4|02.22.2006|Suspicious file
Sophos|4.02.0|02.22.2006|W32/Feebs-Gen
Symantec|8.0|02.22.2006|W32.Feebs
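
Until signatures arrive, the two indicators in this diary (a ZIP attachment carrying an .hta file, and the wildcard domains to block) can be checked at the mail gateway and proxy. The following is an added example, not code from the diary or the handlers; the function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Domain suffixes the diary suggests blocking (wildcards such as *.by.ru).
BLOCKED_SUFFIXES = ("coconia.net", "by.ru", "kazan.bz", "t35.com",
                    "freecoolsite.com", "nm.ru")
# Assumption: extensions a gateway refuses inside archives; the diary names .hta.
RISKY_EXTENSIONS = (".hta",)


def is_blocked_host(host: str) -> bool:
    """True if host is a subdomain of one of the listed suffixes."""
    host = host.lower().rstrip(".")
    return any(host.endswith("." + s) for s in BLOCKED_SUFFIXES)


def risky_zip_members(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (attachment name, member name) for risky files in ZIP attachments."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Decide by content, not by the attachment's claimed name or MIME type.
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            for name in archive.namelist():
                if name.lower().endswith(RISKY_EXTENSIONS):
                    hits.append((part.get_filename() or "", name))
    return hits


def build_sample_message() -> bytes:
    """Constructed sample: the .hta member holds harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Encrypted Html File.hta", "placeholder, not malware")
    msg = EmailMessage()
    msg["Subject"] = "Secure Message from GMail.com user"
    msg.set_content("constructed test message")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="data.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(risky_zip_members(build_sample_message()), is_blocked_host("x.by.ru"))
```

Matching on the leading dot keeps unrelated hosts such as standby.ru from being caught by the by.ru suffix.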

