The network worm known as Downadup or Conficker or Kido has been on the lips of the entire information security community for some while now and it has been keeping people busy, including myself. Microsoft published today $250000 bounty on tips/leads leading to arrest and conviction on the person(s) behind the worm. (more…)
I ran into an interesting Zbot sample today. I haven’t peeked at them often and I was surprised to see a big bunch of various poker sites in the configuration as stealing targets. That prompted me to do a quick search on zbots seen in the last few days and I ended up downloading the encrypted configuration files from the C&C servers that I saw were online. 22 of them active :) (more…)
Yup, took this long for someone to start properly abusing the MS08-067 vulnerability. There’s a worm now on the loose that uses the exploit. The worm component comes coupled with a kernel mode DDOS bot that’s been doing the rounds for a while now.
(more…)
This lovely morning saw the first Proof of Concept binaries targeting the English localized Windows OS’s that are vulnerable to the MS08-067. The exploit payload adds the guest account to the administrators group. Still no worm, but one step closer.
“ICANN received a response from EstDomains regarding the notice of termination. http://www.icann.org/correspondence/poltev-to-burnette-29oct08-en.pdf [PDF, 853K] To assess the merits of the claims made in EstDomains’ response, ICANN has stayed the termination process as ICANN analyzes these claims.”
Even though Tsastsin complained to Estonian supreme court and is “not guilty” until the verdict is finalized it’ll be fun to see what happens. ESTDomains delivered a document dated to July that Tsastsin is not the CEO anymore. Instead, Konstantin Poltev is marked to be the current CEO. Not sure how far ICANN appreciates the document since the sentence that the Estonian court passed earlier was amongst other thing, for document forgery.
Seems that ESTDomains responded to ICANN and are trying to find a way to stop the de-accreditation. (more…)
I ran into an interesting piece of malware. It basically comes in an .exe wrapper and drops a .bat file that’s about 25kb large. It’s really heavily obfuscated and it can be considered destructive since it deletes document files and does other evil things. (more…)
http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf
Tears of joy :)
Just took a close look at the winbase.dll variants I have. 5 of them with the following compilation timestamps: (more…)
I decided to take a look at the timeline of Gimmiv trojan component sysmgr.dll. Some of the results were a bit surprising. (more…)