[Dshield] 3 worms today

Johannes Ullrich jullrich at euclidian.com
Tue Oct 1 02:54:09 GMT 2002

Was a busy day (actually couple days, but it all got cleared up today).

Turns out that the port 137 scans everyone is seeing are due to a pair
of Windows viruses.
http://vil.nai.com/vil/content/v_99728.htm (Bugbear)
http://vil.nai.com/vil/content/v_99729.htm (Srub)

Both use unprotected network shares. Bugbear has an e-mail infection
component. Bugbear takes advantage of a (long patched) bug in MSIE that
allows it to execute itself without double clicking.

Lessons learned:
- Password protect your shared file systems if you need them at all.
- Keep your software up to date.

The third one is a new variation of a mod_ssl worm using the same
exploit as the 'slapper' worm. However, this worm is very different.
Instead of using the P2P code in slapper, it uses an older 'kaiten'
DDOS engine which connects to an IRC server to receive commands.
I spent some time calling ISPs to take care of some of the IRC servers
and by now the IRC admins closed the channel used to communicate with
the worm. Let's hope it stays that way. 1500 infected machines had the
channel joined by the time it was locked.

Let's hope the rest of the week will be quiet ;-)

jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org