A couple of late afternoon updates at the handlers diary at incidents.org (SANS Institute). For starters, it looks like there may be a variation of Zotob that has a mass mailer included. I didn’t specifically see this in SARC’s writeups of Zotob.A or Zotob.B, so I’m wondering if this is going to be a .C? This variant connects to the same IRC server as the others, but a different channel. (The IRC connection is what allows remote control.)
Category: Security
-
Zotob details
Here are some details on the Zotob worm(s), culled from several sources.
It copies itself to the Windows system folder as BOTZOR.EXE and modifies the hosts file to frustrate attempts to reach antivirus sites. The .B variant copies itself as csm.exe in the Windows system folder. Both variants create a mutex so that only one copy can run at a time.
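As an added illustration of the hosts-file tampering described above (example code written for this post, not taken from any vendor writeup), here is a small checker that flags hosts entries naming security-vendor domains and reports where each one sends traffic. The watch list and the sample hosts content are constructed for illustration and are not the worm’s actual list.

```python
# Added example (not from the original post or a vendor writeup): flag hosts-file
# entries that point security-vendor domains somewhere else, the tampering Zotob
# is described as performing. Domain list and sample hosts text are constructed.
import ipaddress

# Constructed watch list (an assumption, not Zotob's actual target list).
WATCHED_DOMAINS = ("symantec.com", "sarc.com", "mcafee.com", "trendmicro.com",
                   "sophos.com", "kaspersky.com", "windowsupdate.microsoft.com")

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def watched_match(hostname):
    """Return the watched domain that hostname equals or lies under, else None."""
    for dom in WATCHED_DOMAINS:
        if hostname == dom or hostname.endswith("." + dom):
            return dom
    return None

def classify_target(ip):
    """loopback / unspecified / redirect / invalid, by where the entry sends traffic."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    return "loopback" if addr.is_loopback else "unspecified" if addr.is_unspecified else "redirect"

def find_blocked_security_sites(text):
    """Return [(hostname, ip, kind)] for every watched domain named in the hosts text.
    A clean hosts file rarely names these domains at all, so any hit deserves a look."""
    return [(name, ip, classify_target(ip))
            for ip, name in parse_hosts(text)
            if watched_match(name) is not None]

SAMPLE_HOSTS = """\
# constructed sample, not a real infected hosts file
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
0.0.0.0         liveupdate.symantec.com
198.51.100.7    sarc.com
192.0.2.10      intranet.example.com
"""
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; a mutex check would be a separate, platform-specific step.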
-
Another entry in the Sunbelt discovery of a keylogger
Sunbeltblog has another entry in the continuing story. Really, there is not much new here, but iDefense has analyzed the code of the trojan that was discovered and has stated that it is not related to CoolWebSearch (which is what Sunbeltblog has been saying for some time). They initially said it was discovered during a CoolWebSearch infestation.
-
Zotob.B may be affecting some XP SP2/2003 installs
As I noted yesterday, viruses typically get updated and improved. Yesterday’s reports about the Zotob virus noted that Windows XP Service Pack 2 and Windows 2003 were not affected by the new worm. Today, however, the SANS Institute is reporting that Zotob may be affecting some XP SP2 and 2003 installs. It appears that it uses something called NULL sessions.
-
Federal government funding research into VoIP wiretapping
I can’t say I’m surprised; it makes sense. Plain old telephone service (POTS) can be tapped, and now that VoIP is coming into its own, the FBI and others need new ways of tapping conversations. CNET is reporting on one such initiative that seems to be succeeding at the first step toward tapping a conversation taking place over Skype, even one that uses an anonymizing proxy server.
-
DHS/US-CERT/NIST launches NVD
Wow, alphabet soup. The National Institute of Standards and Technology (NIST) has launched the National Vulnerability Database (NVD), sponsored by the Department of Homeland Security (DHS) division US-CERT (US Computer Emergency Response Team). It looks like it will be a nice one-stop shop for a good deal of current vulnerability info.
-
The Sunbeltblog ID theft saga continues…
It looks as though CoolWebSearch has issued a release about the massive identity theft ring in which their product name has featured so prominently. They are 1) denying that it is related to their tool and asking for evidence that it is, so they may pursue the issue (fire employees, contact the FBI); 2) considering lawsuits against all outlets that said they were responsible; and 3) trying to clarify how to determine which traffic is related to CoolWebSearch.
-
Zotob Worm
According to the SANS handlers diary, a worm exploiting one of the security vulnerabilities disclosed last week by Microsoft is in the wild and spreading. The worm, tagged as Zotob.A, exploits the MS05-039 vulnerability. (SANS reminds us that MS02-039 was the vulnerability targeted by the Slammer worm. Interesting coincidence.)
They are still at InfoCon yellow. (Note the InfoCon graphic at the bottom of each page.)
-
Good news – WordPress 1.5.2
Good news on the WordPress front: a new release has been, well, released. Version 1.5.2 is a bug-fix and security-fix release, on the heels of an August 10th security advisory. The release announcement is available here.
-
NY requires businesses to disclose security breaches
The Register writes that New York has passed a law that will require local government agencies and businesses to disclose security breaches (systems broken into or data stolen). I can understand businesses being reluctant to disclose this kind of information: “What will they say about us?”, “bad reputation”, “we’ll lose customers”; the thoughts could go on. However, there are some people who respect a business that is up front about a problem like this.