Home

2008-12-11

« September 2008 · March 2009 · September 2010 »

29.01.2009: Asprox Goes Phishing Again
24.01.2009: More Waledac Domains to Block
22.01.2009: Asprox - It's Baaaaaaack
19.01.2009: Inauguration Themed Waledac - New Tactics & New Domains
09.01.2009: Waledac Domains - Updated List
31.12.2008: Waledac is Storm is Waledac? Peer-to-Peer over HTTP.. HTTP2p?
11.12.2008: See below.
10.12.2008: IE7 0-Day Exploit Sites
05.12.2008: Anti-Fraud Website Under Constant DDoS Attack
No entries for November 2008.

Thursday, 11 December 2008

IE7 0-Day Exploit Gets Worse

It should be no surprise that it's getting a little worse. ISC is now reporting that at least one website that exploits the IE7 vulnerability (among others) is now being SQL injected into websites across the Internet. We have since updated our list of hostile domains on our page from yesterday. You can visit that page at the following URL:

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210

We will continue to update this in the near term as we learn of more domains taking advantage of this vulnerability.

Nasty Remote Access Trojan (RAT) Malware

It turns out the domain that ISC is reported on is also dropping some pretty nasty malware. The domain "17gamo.com" is serving up the exploits which attempt to download malware from "www.steoo.com". Please do not visit either of these sites. If successful the exploits will install a Gh0st RAT on the system. This trojan is currently using the DNS name "evetlog.3322.org" and is beaconing to tcp port 3020.

We recommend blocking or looking for traffic to all of the sites we list above, but in particular as it related to this threat the following:

	www.17gamo.com - 207.154.202.219
	www.steoo.com - 97.74.35.98
	evetlog.3322.org - 218.9.170.106 (was recently 123.165.49.135]

The IP addresses are of course subject to change, so we recommend resolving them when appropriate for traffic monitoring/blocking.

We have developed Snort rules that will pickup this traffic that can be used:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TROJAN: Gh0st Remote Access Trojan Client Connect"; flow:to_server,established; content:"Gh0st"; depth:5; nocase; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211; classtype:trojan-activity; sid:2008121001;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"TROJAN: Gh0st Remote Access Trojan Server Response"; flow:to_client,established; content:"Gh0st"; depth:5; nocase; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211; classtype:trojan-activity; sid:2008121002;)

Both the client and server send and respond with "Gh0st" in the beginning data for their packets. We hope to have these up at Emerging Threats soon, possibly with some additional improvements.

=>Posted December 11, 2008, at 09:48 AM by Steven Adair

Page last modified on December 31, 2005, at 04:32 AM

Bot Counts

Botnets

Calendar/Blog

Link List