Threat Level: green Handler on Duty: Bojan Zdrnja

SANS ISC: On Dasher SANS ISC InfoSec Forums

Special Webcast: What you need to know about the crypt32.dll vulnerability. Register Now

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
On Dasher

Despite efforts to cut off the distribution points ( new versions of Dasher continue to pop up.  Symantec identified Dasher.C yesterday that added an anti-security-software payload (your typical disable anti-virus and firewall type of gig.)  New versions with new distribution points, and signature-evasion changes continue to come out.  Before you ask: "which ones don't detect it?"  Right now, it's most of them.  In a few hours, I hope that list to be much shorter.

It would be simply swell if the AV developers would write sigs for the samples that we're sending them.  I know it's a weekend... but I'm working.

So, why is Dasher "finding-legs?" or why is it successful? 

To answer that, we have to ask Microsoft: why are services listening on ephemeral ports?  Or, why are some filtering/firewall strategies blocking only 1024 and below?

Overall, the response procedure appears to be working.  The 1025/TCP scans were detected, packets were gathered, the vector was identified, examples of the code were captured, and command-and-control points were neutralized.  Everything went according to plan-- just not quickly as I hoped.

Now, I'm waiting for Prancer.

Kevin Liston

292 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!