Last Updated: 2006-09-06 19:31:47 UTC
by Michael Haisley (Version: 4)
It appears Symantec has updated their site to include the size of the Trojan: 79,265 bytes. Happy Antivirus updating!
Juha-Matti writes to tell us that Securiteam has posted an entry about this vulnerability on their blog. Check out their post here. Mcafee is calling this one W32/MoFei.worm.dr, and has a writeup about the Trojan here. It is still unknown as to what vulnerability this is exploiting.
Microsoft published some news about the "0-day" in MS Word here. They offer two pieces of advice.
1) Don't open Word files from people you don't know. (This goes back to not eating candy until your parents look at it at Halloween, and not opening the door for strangers.)
2) Use Word 'viewer'.
Of course Microsoft publishes great "Suggested Actions".
Protect your PC by enabling a firewall (which, btw, does not keep Word files out)
In fact one of Microsoft's suggested actions is: "Keep Windows Updated"... we'd love to. If there was a fix for the problem!
Let's hope they get it patched as soon as possible.
Last Updated: 2006-09-04 18:57:23 UTC
by Joel Esler (Version: 3)
Browzar has received a lot of recent attention on mailing lists like Full-Disclosure, claiming the 'Browzar' leaves the last visited url in a file in the user's LocalSettings directory. As well as items like cache misses, redirected urls, and click through urls are left on the machine.
Now of course, your ISP can still track you, netflows, IDS's on your network, and pieces of software that may be on your corporate network like Websense can still find where you go. Let alone if Browzar leaves anything behind on your host system.
We've looked at other programs like VMware's many free Virtual Browsing appliances or even Sandboxie, which runs programs inside of a virtual 'sandbox'. Apparently leaving no traces behind on the local machine.
So for you privacy guys.. put your tin foil beenie on, and browse away.
Another reader Chris wrote in to tell us about a browsing device he made on an external harddrive with Windows 3.11 as an OS, minimal install with a browser. This reminds me of carrying a thumbdrive with a browser installed on it, in order to keep your cookies, passwords, and cache with you.
Last Updated: 2006-09-04 16:28:16 UTC
by Brian Granier (Version: 2)
In reviewing recent DShield graphs I noticed a sharp and large increase in UDP port 47290 traffic. A quick review of Google and a few other resources left me with no logical conclusion as to the source.
I send this diary out as a call for packets or for any information that might lead to understanding where this traffic uptick comes from. Since this traffic started on 8/28/06, it is interesting to note that the number of reported packets is 226,660 records. The numbers of sources for this traffic is 134,673. The number of targets is 43. So it's possible we are looking at traffic reported from just one subscriber who sends logs into DShield. Nonetheless, this is a rather interesting and sudden increase and it would be useful to know where this is coming from.
Update: We looked further into this and discovered that 99.99% of this traffic is destined for a single target. This makes the call for packets a fairly moot point.
Last Updated: 2006-09-04 00:37:37 UTC
by Pedro Bueno (Version: 1)
Tracking it, I was able to get into their botnet, on xx.xx.207.12, running on port 7001.
The default channel found on the perl code was #botnet , and was active at the time of this diary was written. The default command to list channels on IRC is /list.
Besides some dangerous of running commands on customized ircd servers, I run it and found another channel, called #scan .
Finally the FlashChat part...:) On the subject of the #scan channel, there was an instruction to scan on google for sites using FlashChat, ONLY on .co.uk domains!
So, my final instructions to you are:
1- If you run FlashChat, check for patches, security patches, APPLY THEM!
2- If you run FlashChat AND on a .co.uk,.uk, APPLY ANY PATCHES AVAILABLE IMMEDIATELY. Additionally, you might want to look through your system for signs of intrustion.
Pedro Bueno ( pbueno //&&// isc. sans. org )