Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: phpBB worms continued; Phishing; Spyware from the developers point of view; New server - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
phpBB worms continued; Phishing; Spyware from the developers point of view; New server

phpBB worms continued

phpBB worms continue to to be active. As Mr. Mancini found out before he sent us the bot he found on his server. The bot communicated over IRC and his machine had scanned more than 4500 hosts. It was a variant on the Santy/AWS theme.

If you happen to run into a bot we'd like to get a copy of logs and the code you find, even if the comments in the source code are in Portuguese as in this case, we'll help in finding a way to alert the right people.

Last minute update: phpBB 2.0.13 was released to fix 2 security vulnerabilities.
Read the announcement at

One of the fixes was labeled as critical by the developers as it would allow anybody to login with admin credentials.


We're still seeking people who can share statistics on changes in the amount of phishing messages. If you run a large site and can share statistics, we'd be happy to try to correlate them and see if we can find a trend out of it.

In this respect a reader called Laurent pointed us to the of the latest Beta release of the Opera Browser. It is designed to tackle some aspects of the Phishing problem as well as solve some IDN issues.

Fellow Handler Patrick Nolan pointed to the
as a source of information. Especially the move outlined on page 5 toward more sophisticated phishing by using malware could be an explanation for the decrease some of us are seeing. The next logical step for the attackers might be to shift their attack vectors to use key loggers embedded with other malware and are slowly abandoning on social engineering people into cooperation.

Even if some of us see a decrease in phishing, we all need to stay alert. It's pretty easy to spot a phishing scam from a bank if you're not a customer of the phished for bank, but it's not so easy when you are a customer. Therefore we need to keep all users aware of the problem regardless of the abundance of attempts.

Spyware from the developers point of view

No worries, I won't talk about people actually creating spyware, adware or worse malware. I cannot pretend to understand them or their justification for doing what they do.

But we did receive a message from a genuine developer, Glenn Jarvis, who showed us what developers of real tools and games face.

They get unsolicited messages with proposals to include and distribute malware with their software. The prices for installing such tools seem to be calculated per install. Adding 3 such malware items would yield a quarter per installation.

The reference malware might seem very contradictory to anybody with a sound mind: one of the so called tools is supposed to be a pop-up blocker. The other is a pop-up advertising tool. Guess what will happen ads or no ads ?

The P.S. of the letter was actually the sickest part, it said their malware was submitted for approval of COAST.
isn't in the business of approving of malware, quite the contrary actually.

New server

We got a bit more potent server for yesterday, let us know if you experience any problems coming from the move.


Swa Frantzen

760 Posts
Feb 28th 2005

Sign Up for Free or Log In to start participating in the conversation!