Spyware, Viruses, & Security forum

NEWS - May 6, 2004

Handler's Diary: port 135 spikes, Lovegate, Welchia.K, Mailbag, Unix Security

Updated May 5th 2004 23:05 UTC

Port 135 Spikes

Over the last few days, a number of networks detected a sharp, almost vertical, rise in port 135 (tcp) traffic and a subsequent exponential decay. Typically, these traffic bursts last for a few hours. From selected packet captures, it looks like these scans attempt to exploit the RPC DCOM vulnerability. Several possible sources were suggested. It is likely that these scans are caused by botnets which are scanning given target networks for new vulnerable hosts.

LovGate Virus

A virus sample submitted to us on Monday is now identified as LovGate.R. In addition to spreading via e-mail, the virus will use the RPC DCOM vulnerability to spread and it will open file shares on infected systems. This virus is one suspect implicated in the rise in port 135 traffic.


Welchia.K Worm

A new version of 'Welchia' (aka Nachi) has been identified. This worm, which was first identified in the wake of Blaster last August, is most noted for the ICMP echo requests it sends. Welchia.K includes exploits for the following vulnerabilities:
* RPC Locator
* WebDAV (you will see URLs that start with 'SEARCH' in your web log)
* MS Workstation

Fixes for all these vulnerabilities were made available in 2003. Multiple worms and bots are currently scanning for these vulnerabilities.

Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NACHI.K

More: http://isc.sans.org/
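The diary entry above gives two things a defender can look for: a horizontal sweep of TCP/135 across many hosts (the RPC DCOM scanning behind the port 135 spikes) and WebDAV 'SEARCH' requests in the web server log (the Welchia.K probe). The script below is an added example, not code from the ISC diary or from this forum post; it runs the two checks over constructed log lines. The log layouts, IP addresses, and the `min_targets` threshold are all assumptions made for the illustration, not taken from the diary.

```python
"""Triage constructed log lines for the two scanning behaviours the diary
entry above describes: horizontal TCP/135 sweeps looking for RPC DCOM hosts,
and WebDAV SEARCH requests (the Welchia.K probe) in web server logs.

Added example, not code from the ISC diary or the forum post. The log
formats, IP addresses and threshold below are constructed assumptions."""
from collections import Counter, defaultdict

# Constructed IIS W3C-style web log (fields: date time c-ip cs-method cs-uri-stem sc-status).
WEB_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-05-05 22:10:01 10.0.0.5 GET /index.htm 200
2004-05-05 22:10:03 192.0.2.77 SEARCH / 411
2004-05-05 22:10:04 192.0.2.77 SEARCH / 411
2004-05-05 22:11:09 10.0.0.9 GET /images/logo.gif 200
2004-05-05 22:12:44 198.51.100.3 search / 200
"""

# Constructed perimeter firewall log (fields: time src dst proto dport action).
FW_LOG = """\
22:10:00 192.0.2.77 10.0.0.1 TCP 135 DROP
22:10:00 192.0.2.77 10.0.0.2 TCP 135 DROP
22:10:00 192.0.2.77 10.0.0.3 TCP 135 DROP
22:10:01 192.0.2.77 10.0.0.4 TCP 135 DROP
22:10:01 10.0.0.5 10.0.0.1 TCP 445 ALLOW
22:10:02 203.0.113.8 10.0.0.1 TCP 135 DROP
22:10:02 203.0.113.8 10.0.0.1 UDP 135 DROP
"""


def webdav_search_sources(log):
    """Count SEARCH requests per client IP.

    The diary says the Welchia.K WebDAV probe shows up as requests starting
    with 'SEARCH' in the web log; that is the HTTP method column, so match
    on it case-insensitively so an oddly spelled probe is not missed.
    """
    counts = Counter()
    for line in log.splitlines():
        if not line or line.startswith("#"):
            continue  # skip the W3C directive line and blank lines
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line: ignore rather than abort the triage
        c_ip, method = fields[2], fields[3]
        if method.upper() == "SEARCH":
            counts[c_ip] += 1
    return counts


def rpc_dcom_scanners(log, min_targets=3):
    """Return {src: number of distinct hosts it probed on TCP/135} for every
    source that touched at least min_targets distinct hosts.

    Counting distinct targets rather than packets separates a horizontal
    sweep (what a bot hunting unpatched RPC DCOM hosts does) from a single
    host retrying one peer. min_targets is an assumed tuning value.
    """
    targets = defaultdict(set)
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        _time, src, dst, proto, dport, _action = fields[:6]
        if proto == "TCP" and dport == "135":
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}


if __name__ == "__main__":
    print("WebDAV SEARCH sources:", dict(webdav_search_sources(WEB_LOG)))
    print("TCP/135 sweepers:", rpc_dcom_scanners(FW_LOG))
```

On the constructed input, 192.0.2.77 is flagged by both checks (two SEARCH requests and four distinct hosts probed on TCP/135), while 203.0.113.8 falls below the sweep threshold because its UDP/135 line is ignored and it only touched one host. On a real perimeter log the same distinct-target count is what makes the "almost vertical" rise the diary describes stand out from ordinary RPC traffic between internal Windows hosts.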

RED ALERT: PandaLabs in the hunt for the authors of the Sasser worms - 05/06/04

In reply to: NEWS - May 6, 2004

Madrid, May 06 2004 - While the Sasser worms continue looking for new victims to infect, the hunt for their creators has started. By applying proprietary forensic IT techniques to the code of these worms, PandaLabs will look for clues that could lead to the arrest of their authors.

"Letting viruses loose is a crime that should be investigated. The authors of Sasser must also be treated as particularly dangerous criminals, as evidence suggests that they also created the Netsky worms, and who knows how many other viruses," says Luis Corrons, head of PandaLabs.

The clues to the authors of computer viruses are hidden in the source code, lines of special characters that to the untrained eye don't make any sense, but that can disclose a lot of information to the experts at PandaLabs. "Virus authors usually have delusions of grandeur and therefore don't miss any opportunity to leave their mark in the viruses they create. However, this is often their undoing: it can be a date, the name of a city, a reference to a friend or girlfriend, etc.; the slightest clue could be the key to detaining the author of the virus," explains Corrons.

However, until these delinquents are caught, users should continue to keep their guard up against the highly probable appearance of new viruses. Considering how the previous attacks were carried out, it is likely that the authors of the Sasser and Netsky worms are putting the final touches to an extremely dangerous malicious code that, as they have done up until now, they will unleash at the weekend.

More companies and institutions are reporting that they have felt the effects of Sasser in one way or another. These include Heathrow airport in London, where one of the terminals was brought to a standstill, some governmental departments in Hong Kong, as well as the Suntrust Bank and American Express in the USA.

To mitigate the effects of the Sasser epidemic, Panda Software has made its PQRemove tools available to users. These applications not only disinfect computers but also restore system configurations altered by the worm.

One of the PQRemove tools is specifically designed for networks, and removes Sasser and all its variants from any network that could have been affected. You can download it at: http://www.pandasoftware.com/support/

The other PQRemove applications can disinfect any computer attacked by any of the variants of the Sasser worms. You can download them at:

Users can detect and disinfect the new worm with an up-to-date antivirus, but it is important to install the Microsoft patch to ensure that Sasser doesn't re-infect computers. The vulnerability exploited by this worm was reported by Microsoft recently in bulletin MS04-011 (http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx), along with the patch. Panda Software has made the updates necessary to its products available to clients.

Phishing Attacks Skyrocket

In reply to: NEWS - May 6, 2004

Online scams have increased dramatically in the past year, study says.

Paul Roberts, IDG News Service
Thursday, May 06, 2004
A new study by research firm Gartner found that the number of online scams known as "phishing attacks" has spiked in the last year and that online consumers are frequently tricked into divulging sensitive information to criminals.

Long a nuisance, phishing scams have exploded in the past year, Gartner says. The survey results suggest that 76 percent of all known or suspected phishing attacks occurred in the last six months, and 92 percent of known attacks happened in the 12 months preceding the study.

The study, which ended in April 2004, surveyed 5000 adult Internet users and found that around 3 percent of those surveyed reported giving up personal financial or personal information after being drawn into a phishing scam. Phishing scams use e-mail messages and Web pages designed to look like correspondence from legitimate online businesses.

More: http://www.pcworld.com/news/article/0,aid,116007,tk,dn050604X,00.asp

Spammers use free porn to bypass Hotmail protection

In reply to: NEWS - May 6, 2004


Spammers are bypassing a security protection that is designed to stop automated bots from automatically opening Web mail accounts, by offering humans access to free porn.

Free Web mail services such as Hotmail and Yahoo are often used by spammers to send unsolicited emails. But because of the sheer quantity of emails that are sent, spammers require thousands of accounts and employ Web bots to automate the account-opening process.

In order to combat this automation, Web mail companies started using the Captcha test (Completely Automated Public Turing test to tell Computers and Humans Apart), which creates a graphically distorted representation of a simple word that can easily be read by a human but not by a machine. The word is often written in an unusual font and presented on a patterned background to further confuse the bots.
Hackers access University of California, San Diego server

In reply to: NEWS - May 6, 2004

More than 380,000 students, alumni, applicants and employees of University of California, San Diego were at risk for identity theft after hackers accessed a university server containing names, driver's license and Social Security numbers.

There was no evidence hackers stole personal information, but under state law the university was required to notify those affected that security had been breached, school officials said Thursday.

A hacker broke into four computers in the Business and Financial Services Department and stored DVDs on one of the computers that had been breached.

The break-in was discovered during the weekend of April 16 and UCSD began sending notification letters Wednesday.


NVIDIA firewall certified by ICSA

In reply to: NEWS - May 6, 2004

WinHEC: Microsoft revisits NGSCB security plan

In reply to: NEWS - May 6, 2004

Microsoft is revisiting its Next-Generation Secure Computing Base (NGSCB) security plan because enterprise users and software makers don't want to be forced to rewrite their code to take advantage of the technology, the company said Wednesday.

In response to feedback from users and software makers, Microsoft is retooling NGSCB so at least part of the security benefits will be available without the need to recode applications, Mario Juarez, a Microsoft product manager, said in an interview Wednesday at the vendor's Windows Hardware Engineering Conference (WinHEC).

