Thursday, 11 December 2008

IE7 0-Day Exploit Gets Worse


It should be no surprise that things are getting a little worse. ISC is now reporting that at least one website hosting the IE7 exploit (among others) is being SQL-injected into other websites across the Internet. We have since updated the list of hostile domains on yesterday's page, which you can find at the following URL:

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210

We will continue to update this in the near term as we learn of more domains taking advantage of this vulnerability.

Nasty Remote Access Trojan (RAT) Malware


It turns out the domain that ISC reported on is also dropping some pretty nasty malware. The domain "17gamo.com" is serving the exploits, which attempt to download malware from "www.steoo.com". Please do not visit either of these sites. If successful, the exploits install a Gh0st RAT on the system. This trojan is currently using the DNS name "evetlog.3322.org" as its controller and is beaconing to TCP port 3020.

We recommend blocking or looking for traffic to all of the sites we list above, but in particular, as they relate to this threat, the following:

	www.17gamo.com - 207.154.202.219
	www.steoo.com - 97.74.35.98
	evetlog.3322.org - 218.9.170.106 (was recently 123.165.49.135)

The IP addresses are of course subject to change, so we recommend resolving them when appropriate for traffic monitoring/blocking.

We have developed Snort rules that will pick up this traffic:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TROJAN: Gh0st Remote Access Trojan Client Connect"; flow:to_server,established; content:"Gh0st"; depth:5; nocase; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211; classtype:trojan-activity; sid:2008121001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"TROJAN: Gh0st Remote Access Trojan Server Response"; flow:to_client,established; content:"Gh0st"; depth:5; nocase; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211; classtype:trojan-activity; sid:2008121002;)

Both the client and the server begin the data of their packets with the string "Gh0st", which is why one rule is written for each direction and both anchor the match to the first five bytes of the payload. We hope to have these up at Emerging Threats soon, possibly with some additional improvements.
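As an added example (not part of the original post and not Shadowserver's or Emerging Threats' code), the following Python re-creates the check the two rules perform (content:"Gh0st"; depth:5; nocase;) and runs it over constructed sample TCP payloads. It also adds a stricter framing check that the post does not describe: the assumption, taken from public analyses of Gh0st 3.6, that the five-byte magic is followed by a little-endian total length, a little-endian uncompressed length and a zlib-compressed body. The hostname in the beacon body and every sample payload are constructed for illustration.

```python
"""Host-side re-implementation of the Gh0st beacon Snort rules, run over
constructed sample payloads (nothing here is captured traffic)."""
import struct
import zlib

MAGIC = b"Gh0st"
HEADER_LEN = 13  # "Gh0st" + 4-byte total length + 4-byte uncompressed length


def snort_rule_matches(payload: bytes) -> bool:
    """Mirror of content:"Gh0st"; depth:5; nocase;

    depth:5 with a 5-byte pattern means the token must sit at offset 0 of
    the payload; nocase means "GH0ST" fires as well.
    """
    return payload[:5].lower() == MAGIC.lower()


def parse_gh0st_frame(payload: bytes):
    """Stricter framing check (an assumption, not stated in the post):
    MAGIC + total_len (LE32, header included) + raw_len (LE32) + zlib body.
    Returns the decompressed body, or None when the framing does not hold,
    which weeds out payloads that merely start with the five magic bytes.
    """
    if len(payload) < HEADER_LEN or payload[:5] != MAGIC:
        return None
    total_len, raw_len = struct.unpack_from("<II", payload, 5)
    if total_len != len(payload):
        return None
    try:
        body = zlib.decompress(payload[HEADER_LEN:])
    except zlib.error:
        return None
    return body if len(body) == raw_len else None


def build_gh0st_frame(body: bytes) -> bytes:
    """Build a frame in the layout parse_gh0st_frame expects (constructed)."""
    comp = zlib.compress(body)
    return MAGIC + struct.pack("<II", HEADER_LEN + len(comp), len(body)) + comp


# Constructed sample payloads, named after what each one exercises.
BEACON_BODY = b"\x65LAB-PC\x00"  # hypothetical login record, made up here
SAMPLES = {
    "gh0st_beacon": build_gh0st_frame(BEACON_BODY),            # alerts and parses
    "http_get": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",  # benign
    "token_not_at_start": b"X-Debug: Gh0st\r\n",               # outside depth:5
    "magic_only": MAGIC + b"\x00" * 20,                        # rule fires, framing fails
    "upper_case_magic": build_gh0st_frame(BEACON_BODY).replace(MAGIC, b"GH0ST", 1),
}


def classify(payload: bytes) -> str:
    """Combine both checks into one verdict: clean, suspicious or gh0st."""
    if not snort_rule_matches(payload):
        return "clean"
    return "gh0st" if parse_gh0st_frame(payload) is not None else "suspicious"


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:20s} snort={str(snort_rule_matches(data)):5s} "
              f"verdict={classify(data)}")
```

The two "suspicious" cases show where the rule as written is intentionally loose: nocase also fires on "GH0ST", and a five-byte match says nothing about the rest of the packet, so a second-stage check on the framing (or simply on the destination being one of the hosts listed above) is what turns an alert into a confirmed hit.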

=>Posted December 11, 2008, at 09:48 AM by Steven Adair