
Thread: New Threat

  1. #11
    Junior Member
    Join Date
    Feb 2004
    Posts
    25
    Additionally, Cluley says that there has been some evidence that Web sites have been able to avoid the threat because they downloaded a patch made available by Microsoft in April to thwart the Sasser worm.
    Could that be why nobody is seeing much activity?

    http://story.news.yahoo.com/news?tmp...pcworld/116690
    Honesty
    Everyone wants to know it but nobody wants to hear it.

  2. #12
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    Geez,

    Lots of noise about this.. but very little tech info..

    Can some one Correct me please.. On the Client side of things, this would make ANY Java enabled Browser on the Win32 platform Vulnerable? or is it just IE...

    too bloody early on a (Working) Saturday Morning..

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #13
    I think the media is hyping this one a BIT. From all that I've read on NTBugTraq, Internet Storm Center, and others the only servers vulnerable are the ones NOT patched with the MS04-011 from April. If that's the case then I would hope we aren't hearing much because we have many smart administrators who have applied the April patch...at least I'm hoping that's the case. If not...shame shame shame.

    Originally posted here by Und3ertak3r
    Can some one Correct me please.. On the Client side of things, this would make ANY Java enabled Browser on the Win32 platform Vulnerable? or is it just IE...
    It looks like on Internet Explorer with Javascript enabled is vulnerable...only a few of those huh? (snicker). I actually tested it out on our test hardware while the site was still up and found it calls a script which tried to pull up a .CHM file from the Windows directory with some parameter set - it wasn't successful. I then scanned the PC and found 2 HTM files detected with some sort of Javascript code/trojan. Sorry I don't have the information handy here to give exact details.

    The REAL bad thing I read is that it infects the client PC via some UNPATCHED IE holes! ...anyone betting on new MS IE patch soon?

    This is a rather interesting _new_ (maybe not but recently new) way to infect PCs:
    1) Infect a web server stealthily without alerting administrator
    2) Change web server settings to have it attach malicious code on every page
    3) Have infected client pull up malicious code, in background via hidden IE frame or windows so user doesn't notice, and run it and getting infected with other bad stuff (backdoors, keyloggers, name that malware!)

    And all my users and I want to do is surf the web safely....ha

  4. #14
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    On its Web site, Microsoft said users could search for the files "Kk32.dll" or "Surf.dat" to see if their PCs were infected.
    The Macintosh version of Internet Explorer is not affected, nor are non-Microsoft browsers such as Mozilla, Opera and Apple Computer Inc.'s Safari browser, security experts said
    Read it here.

    /me walks away muttering "IE bad...Mozilla good.....IE bad....Opera good....IE bad...."
    Al
    It isn't paranoia when you KNOW they're out to get you...

  5. #15
    Senior Member
    Join Date
    Mar 2003
    Posts
    245
    People forget that IE is directly tied to the Windows shell (not that folks in Redmond have always admitted it....). I can see the appeal of IE, but am glad I don't have to sweat stuff like this out with those who actually use it.

    -- bumblehead
    Get OpenSolaris http://www.opensolaris.org/

  6. #16
    Junior Member
    Join Date
    Feb 2004
    Posts
    12
    Sorry looks to me like we were had.
    I am not usually the boy who cries wolf and would like to offer my apology
    The threat of zero day is real and it looked to me from what I was reading yesterday it had happened
    It now appears that either the "high profile sites" that were hit were bogus or never happened.
    Because
    I can't confirm one site and doesn't it have to run iis?

    Forgive my conspiracy theories but aren't they trying to pass an anti ad ware law right now?
    I hope I am wrong but I'm not holding my breath for that high profile list.
    Please don't be too mad at me people I didn't start it.
    Didn't have to encourage it though until I was absolutely sure. Lesson learned.
    jeremy

  7. #17
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Sorry looks to me like we were had.
    I am not usually the boy who cries wolf and would like to offer my apology
    The threat of zero day is real and it looked to me from what I was reading yesterday it had happened
    Jeremy, no need to apologize. Computer security is all about knowing there is a threat out there no matter how it occurs and with the information available, (often limited), determining a technique to mitigate it in your own environment. You were far from alone in questioning the existence of another zero day. I, for one, (and I'm sure many here would concur), would rather have you "cry wolf" ten times than not to report a viable threat once. If nothing else you will make us look for evidence that corroborates your warning ourselves.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #18
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    The media has done its job..

    Had a pile of machines come in today complaining that they had been hit by this virus..

    hmm
    Comet Cursor
    CoolWebSearch
    Netsky
    nachi
    PronDialers
    gaobot


    yep they had a virus.. And I removed them.. but none were the one in question..

    what happened to the bleeding edge of virii

    off to ponder other problems..

    cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  9. #19
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    The Internet Storm Center has just posted this information:

    We have received information about compromised systems with Internet Information Server. These systems had an administrator level account with the username 'IWAP_WWW' added.

    Please check if your server has such an account and let us know what you find. Until we know more, we suggest that you consider a server compromised if you find an administrator account with this username.
    Those of you running an IIS Web server may want to have a look.

    Cheers:
    DjM

  10. #20
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    I posted this in one of the other threads that were started on this "virus"... It would seem that it is not a self propagating virus, and if you are patched with all of the current patches, you should not have a problem.


    On June 24 2004 Microsoft began investigating a report that some
    customers using IIS 5.0 (Internet Information Services), a component of
    Windows 2000 Server, are being exploited by an issue known as
    Download.Ject. More information is available at
    http://www.microsoft.com/downloadject.

    The Microsoft investigation is active with security response teams
    dedicated to analyzing, resolving and communicating progress to
    customers in a timely manner. It is important to note that thus far in
    the investigation, through alerting customers and partners worldwide,
    Microsoft has not been made aware of significant customer impact
    based on Download.Ject.

    Microsoft has confirmed that this attack is not self-propagating
    malicious code. In other words, this is not a worm but a targeted
    manual attack by individuals or entities towards a specific server.

    To get the latest information please refer to
    http://www.microsoft.com/downloadject
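
The two checks mentioned in posts #14 and #19 (the 'IWAP_WWW' administrator account on IIS servers, and the files "Kk32.dll" or "Surf.dat" on client PCs), as an added example that is not part of any post or of the ISC or Microsoft advisories. It assumes the account list was captured with `net localgroup Administrators` and the file list with any directory listing; the sample input is constructed.

```python
import ntpath

# Indicators named in this thread (ISC account name; Microsoft's file names).
SUSPECT_ACCOUNT = "iwap_www"
SUSPECT_FILES = {"kk32.dll", "surf.dat"}


def parse_admin_members(net_output):
    """Return member names from `net localgroup Administrators` output (assumed source)."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if line.startswith("-----"):
            in_list = True          # the member list starts after the dashed rule
        elif in_list and line.lower().startswith("the command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members


def triage(net_output, file_listing):
    """Flag the thread's indicators; Windows names compare case-insensitively."""
    findings = []
    for member in parse_admin_members(net_output):
        # Drop a DOMAIN\ or HOST\ prefix before comparing the account name.
        if member.rsplit("\\", 1)[-1].lower() == SUSPECT_ACCOUNT:
            findings.append(("server", "admin account " + member))
    for path in file_listing:
        if ntpath.basename(path.strip()).lower() in SUSPECT_FILES:
            findings.append(("client", "file " + path.strip()))
    return findings


# Constructed sample input, not taken from a real host.
SAMPLE_NET = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access

Members

-------------------------------------------------------------------------------
Administrator
WEB01\\iwap_www
The command completed successfully.
"""
SAMPLE_FILES = [r"C:\WINNT\system32\KK32.DLL", r"C:\Docs\surfing.dat", r"C:\WINNT\notepad.exe"]

if __name__ == "__main__":
    for side, hit in triage(SAMPLE_NET, SAMPLE_FILES):
        print(side, hit)
```

Matching on the exact base name keeps look-alike names such as the constructed `surfing.dat` from being flagged.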
