
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-12-23



Christmas.exe is making the rounds

Published: 2006-12-23
Last Updated: 2006-12-23 21:11:30 UTC
by Joel Esler (Version: 1)
Obviously, at any holiday-ish time of the year, the malware writers out there are going to package their warez in an appropriately named file. This time it's Christmas.exe...

A reader wrote in and pointed us to an article over on F-Secure. Check it out.

A nice quote from the article:

"We've just received a sample of something that's called CHRISTMAS.EXE. When run, this IRCBot variant will try to download various malicious executables from web servers at waiguadown.008.net and user.free.77169.net. As a decoy, it shows this Christmas-themed image... Obviously, a gift that keeps on giving. To be avoided."

It would be pretty easy to write a Snort rule to catch these. You could do it one of many ways: look for the DNS request, look for the GET, so... have fun with those. If you'd like to write in with a couple of examples, feel free.
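The two approaches mentioned above (DNS request and HTTP GET), as added example rules that are not from the diary or from F-Secure. They assume Snort 2.9-style syntax, the stock `$HOME_NET`, `$EXTERNAL_NET` and `$HTTP_PORTS` variables, and placeholder SIDs from the local range; the quoted article gives no URL paths, so the HTTP rules key on the hostname only.

```snort
# Added example rules (assumptions: Snort 2.9 syntax, local placeholder SIDs).
# Hostnames are the two download servers named in the quoted F-Secure text.

# --- DNS: a query name is sent as length-prefixed labels ending in 00 ---
# Bytes 2-5 of the DNS header: flags 0x0100 (standard query, RD) + QDCOUNT 1.
alert udp $HOME_NET any -> any 53 (msg:"LOCAL Christmas.exe IRCBot DNS query waiguadown.008.net"; content:"|01 00 00 01|"; offset:2; depth:4; content:"|0a|waiguadown|03|008|03|net|00|"; nocase; classtype:trojan-activity; sid:1000001; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"LOCAL Christmas.exe IRCBot DNS query user.free.77169.net"; content:"|01 00 00 01|"; offset:2; depth:4; content:"|04|user|04|free|05|77169|03|net|00|"; nocase; classtype:trojan-activity; sid:1000002; rev:1;)

# --- HTTP: GET request whose headers carry the download host ---
# http_header restricts the match to the request headers (normally Host),
# so a page body that merely mentions the name does not fire the rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Christmas.exe IRCBot HTTP GET to waiguadown.008.net"; flow:to_server,established; content:"GET"; http_method; content:"waiguadown.008.net"; nocase; http_header; classtype:trojan-activity; sid:1000003; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Christmas.exe IRCBot HTTP GET to user.free.77169.net"; flow:to_server,established; content:"GET"; http_method; content:"user.free.77169.net"; nocase; http_header; classtype:trojan-activity; sid:1000004; rev:1;)
```

The DNS rules fire even when the web request is blocked or goes through a proxy, while the HTTP rules identify the internal host that actually attempted the download.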

Happy Holidays all!

/** Joel Esler **/