Still More MyDoom, a Few Twists on IDS, and a New Phishing Threat
Today's Highlights -
- Mydoom.s, yet another MyDoom variant
- Virus detection with Snort
- Switch Port Monitoring
- A New Twist to Phishing Reported
Mydoom.s, yet another MyDoom variant
Conrad Longmore brought to our attention that there's yet another new MyDoom variant.
The MyDoom variant "MyDoom.S" is being spread en masse this Monday. It has been suggested that it might be spread using a bot network created by the previous variant of the MyDoom worm.
The attachment seems to be named "photos_arc.exe".
- update your favorite anti-virus package
- educate your users not to click on attachments
Some URLs:
http://www.f-secure.com/v-descs/mydoom_s.shtml
http://www.sophos.com/virusinfo/analyses/w32mydooms.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=127616
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.q@mm.html
http://www.viruslist.com/eng/alert.html?id=2047892
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=50987&sind=0
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39890
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RATOS.A
[by Swa Frantzen, standing in for George]
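Since the only concrete indicator above is the attachment name, here is a small mail-attachment check as an added example (not code from the diary or from any of the vendors linked above). It parses a MIME message with Python's standard library and reports attachments whose filename is the reported "photos_arc.exe" or ends in an executable extension, including double extensions such as "report.pdf.exe". The extension list and the sample message are constructed for the example.

```python
"""Flag executable mail attachments at a gateway or in a mailbox scan.

Added example, not from the ISC diary: parses a MIME message and reports
attachments named like the MyDoom.S attachment the diary describes, or
carrying an executable extension. Sample message and lists are constructed.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly; a conservative list chosen for the example.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Attachment name reported for the variant discussed in the diary.
KNOWN_WORM_ATTACHMENTS = {"photos_arc.exe"}


def attachment_names(raw_message: bytes) -> list:
    """Return the filename of every non-multipart part that carries one."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            names.append(filename)
    return names


def classify_attachment(filename: str) -> str:
    """Classify one filename as 'worm', 'executable' or 'ok'."""
    lowered = filename.strip().lower()
    if lowered in KNOWN_WORM_ATTACHMENTS:
        return "worm"
    # Only the last extension decides, which also catches "invoice.pdf.exe".
    _, ext = os.path.splitext(lowered)
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable"
    return "ok"


def scan_message(raw_message: bytes) -> list:
    """Return (filename, verdict) for each attachment that should be held."""
    findings = []
    for name in attachment_names(raw_message):
        verdict = classify_attachment(name)
        if verdict != "ok":
            findings.append((name, verdict))
    return findings


def build_sample_message() -> bytes:
    """Construct a sample message shaped like the diary's description (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "photos"
    msg.set_content("see attached")
    # A fake PE header stands in for the worm body; the bytes are not malware.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="photos_arc.exe")
    msg.add_attachment(b"hello", maintype="text", subtype="plain",
                       filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()):
        print(f"{verdict}: {name}")
```

Run it as-is to see the constructed message flagged; to use it on real mail, feed `scan_message` the raw bytes of each message from your gateway's quarantine hook or from a mailbox export. The verdict for a known name is kept separate from the generic extension check so the filename list can be updated per variant without touching the extension policy.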
Mydoom.s detection with Snort
For those feeling brave, there are bleeding edge Snort rules available to detect this latest variant at: http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/Stable/WORM_MyDoom.S?rev=1.2&content-type=text/vnd.viewcvs-markup
Thanks to Matt Jonkman for submitting that.
Speaking of Snort, viruses (virii?), and bleeding edge - Will Metcalf has put together a ClamAV preprocessor module for Snort, to alert on network traffic containing code that fires a Clam virus signature:
http://sourceforge.net/mailarchive/forum.php?thread_id=5338848&forum_id=7142
Switch Port Monitoring
A couple of days ago, I advised someone to monitor switch port activity for indications of unusual activity. For example, seeing a higher than usual frames-per-second count from a host during the wee hours may indicate a host is scanning or serving files. An unusually high number heading to a host may indicate a sniffer, etc. Andy Cuff of Talisker has put together a nice list of config settings for popular switches to make this a little easier:
http://www.securitywizardry.com/switch.htm
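The frames-per-second comparison described above, as an added example that is not part of the diary or of the Talisker page it links to. It assumes you can read per-port frame counters from the switch (for instance the IF-MIB ifInUcastPkts and ifOutUcastPkts columns over SNMP, or the CLI counters) and that you keep a per-port baseline of typical rates. It takes two counter snapshots some seconds apart, handles 32-bit counter wrap, and flags ports whose sending or receiving rate exceeds a multiple of the baseline, with a lower bar during off hours. All counter values and baselines below are constructed.

```python
"""Spot switch ports with unusual frame rates from two counter snapshots.

Added example, not from the diary. Assumes per-port frame counters are
available (e.g. IF-MIB ifInUcastPkts / ifOutUcastPkts via SNMP) and a
per-port baseline exists. All sample numbers are constructed.
"""
from dataclasses import dataclass

COUNTER_WRAP = 2 ** 32  # 32-bit SNMP counters wrap; Counter64 would not


@dataclass
class PortSnapshot:
    port: str
    in_frames: int   # frames the switch received from the host on this port
    out_frames: int  # frames the switch sent to the host on this port


def counter_delta(old: int, new: int) -> int:
    """Difference between two readings, allowing for one 32-bit wrap."""
    if new >= old:
        return new - old
    return COUNTER_WRAP - old + new


def frames_per_second(before: PortSnapshot, after: PortSnapshot, seconds: float):
    """Return (from_host_fps, to_host_fps) for one port over the interval."""
    from_host = counter_delta(before.in_frames, after.in_frames) / seconds
    to_host = counter_delta(before.out_frames, after.out_frames) / seconds
    return from_host, to_host


def find_unusual_ports(before, after, seconds, baseline, multiplier=5.0, off_hours=False):
    """Flag ports whose rate exceeds multiplier x baseline.

    baseline maps port -> (typical_from_host_fps, typical_to_host_fps).
    Off hours halve the multiplier: the same rate at 3am deserves a look
    that it would not at 3pm. A host sending far above its norm fits the
    scanning or file-serving case; receiving far above its norm fits the
    diary's "traffic heading to a host" case.
    """
    factor = multiplier / 2 if off_hours else multiplier
    before_by_port = {s.port: s for s in before}
    findings = []
    for snap in after:
        prev = before_by_port.get(snap.port)
        if prev is None or snap.port not in baseline:
            continue  # no earlier reading or no baseline: nothing to compare
        from_fps, to_fps = frames_per_second(prev, snap, seconds)
        base_from, base_to = baseline[snap.port]
        if from_fps > base_from * factor:
            findings.append((snap.port, "host sending", round(from_fps, 1)))
        if to_fps > base_to * factor:
            findings.append((snap.port, "host receiving", round(to_fps, 1)))
    return findings


# Constructed sample: three access ports, two readings 60 seconds apart.
BASELINE = {"Fa0/1": (20.0, 30.0), "Fa0/2": (15.0, 25.0), "Fa0/3": (10.0, 10.0)}
BEFORE = [PortSnapshot("Fa0/1", 1000, 2000),
          PortSnapshot("Fa0/2", 5000, 4000),
          PortSnapshot("Fa0/3", 4294967000, 100)]   # in_frames about to wrap
AFTER = [PortSnapshot("Fa0/1", 1600, 7400),
         PortSnapshot("Fa0/2", 17000, 4600),
         PortSnapshot("Fa0/3", 400, 6100)]
INTERVAL_SECONDS = 60.0


def run_sample(off_hours=False):
    """Evaluate the constructed snapshots against the constructed baseline."""
    return find_unusual_ports(BEFORE, AFTER, INTERVAL_SECONDS, BASELINE,
                              off_hours=off_hours)


if __name__ == "__main__":
    for hours, label in ((False, "daytime"), (True, "off hours")):
        for port, direction, fps in run_sample(off_hours=hours):
            print(f"{label}: {port} {direction} at {fps} frames/s")
```

In the constructed data, Fa0/2 is flagged for sending at 200 frames/s against a 15 frames/s norm, and Fa0/3 for receiving at 100 frames/s; Fa0/1 at 90 frames/s inbound to the host only crosses the bar when the off-hours factor applies. Replace the constants with readings polled from your switch and a baseline built from a week of normal traffic.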
A New Twist to Phishing Reported
Dan Hubbard of Websense has reported a new trend in phishing:
We are starting to see more and more phishing sites which are not targeting specific financial institutes but are targeting general ecommerce. We have seen "fake" online banks, sporting goods stores, and pharmacies.
Characteristics:
* no contact information
* no domain name
* many hosted in China or S Korea.
* no secure ordering process
* reported by thousands of spam engines
Report any phishing attempts you receive to:
http://www.antiphishing.org/report_phishing.html
Constant vigilance!
--Alastor Moody, Harry Potter and the Goblet of Fire