BeesTea  Internet Janitor  Premium Member  join:2003-03-08  00000
BeesTea
Premium Member
2003-Oct-1 3:03 pm
Something's changing DNS values
Something to watch for
http://article.gmane.org/gmane.comp.security.ntbugtraq/974
We've spotted a few of these hosts already and are finding more. The two IPs used as replacements are:
216.127.92.38 and 69.51.146.14
The malware makes the following registry changes as well.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"
As Russ said in the post I linked, I'll post more when I know more. Watch your flows for connections to these hosts (udp 53).
Cheers, -BeesT
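The post gives defenders two things to check: NameServer values under the Tcpip Interfaces keys, and outbound UDP/53 flows to the replacement resolvers. The script below is an added example (not code from the original post or from Russ's NTBugtraq message) that does both offline: it parses a .reg-style export in the same shape as the fragment above and flags any NameServer not on a site allowlist, then scans flow records for DNS traffic to the resolver addresses quoted in the thread. The allowlist (192.0.2.x), the flow record format, and the sample flows are constructed for the example; the resolver addresses are the ones given in this post (the thread itself gives both 69.51.146.14 and 69.57.146.14, so both are included).

```python
"""Check registry exports and flow records for the DNS hijack described above.

Added example: parses a .reg-style dump for unexpected NameServer values and
scans flow records for UDP/53 to the resolver addresses quoted in the thread.
"""
import re
from typing import Dict, List, Tuple

# Replacement resolver addresses as quoted in the thread (both spellings appear).
THREAD_RESOLVERS = {"216.127.92.38", "69.51.146.14", "69.57.146.14"}

# Resolvers this (hypothetical) site actually hands out; constructed for the example.
ALLOWED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Key prefix under which per-adapter NameServer values live.
TCPIP_IFACES = ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services"
                "\\Tcpip\\Parameters\\Interfaces\\")

# The registry fragment from the post, reconstructed inline as sample input.
REG_DUMP = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
"r0x"="your s0x"
"NameServer"="69.57.146.14"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
"T2"=dword:3e057410
"LeaseTerminatesTime"=dword:3e067130
"LeaseObtainedTime"=dword:3dfe8830
"T1"=dword:3e027cb0
"NameServer"="69.57.146.14"
"""

# Constructed flow records: "src dst proto dport", one per line.
FLOWS = """\
10.0.0.15 192.0.2.53 udp 53
10.0.0.22 69.57.146.14 udp 53
10.0.0.22 216.127.92.38 tcp 80
10.0.0.31 216.127.92.38 udp 53
"""


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"=value lines of a .reg export into a dict."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1]          # string value; dword values stay as-is
            keys[current][name] = value
    return keys


def suspicious_nameservers(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (adapter subkey, address) for every NameServer not on the allowlist."""
    hits = []
    for key, values in reg.items():
        if not key.startswith(TCPIP_IFACES):
            continue
        ns = values.get("NameServer")
        if not ns:
            continue
        # NameServer may hold several addresses separated by commas or spaces.
        for addr in re.split(r"[,\s]+", ns):
            if addr and addr not in ALLOWED_RESOLVERS:
                hits.append((key.rsplit("\\", 1)[1], addr))
    return hits


def flows_to_thread_resolvers(flow_text: str) -> List[Tuple[str, str]]:
    """Return (src, dst) for UDP/53 flows whose destination is a quoted resolver."""
    hits = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, proto, dport = parts
        if proto.lower() == "udp" and dport == "53" and dst in THREAD_RESOLVERS:
            hits.append((src, dst))
    return hits


if __name__ == "__main__":
    for adapter, addr in suspicious_nameservers(parse_reg(REG_DUMP)):
        print(f"unexpected NameServer {addr} on adapter {adapter}")
    for src, dst in flows_to_thread_resolvers(FLOWS):
        print(f"host {src} sent DNS to quoted resolver {dst}")
```

Feed `parse_reg` the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` from each host, and `flows_to_thread_resolvers` a flat export of your flow records; the allowlist check catches hijacks to resolvers not yet on anyone's list, while the flow check catches hosts whose registry you have not collected.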
borv  Onemhz On Aim  join:2000-10-06  Astoria, NY
borv
Member
2003-Oct-1 3:05 pm
yes - i just received an alert on this from one of the vendors my employer works with. Interesting... Let's see if it spreads.
to BeesTea
» www.ntfs.org/forum/showt ··· id=39203
» www.security-forums.com/ ··· ?p=58506
Took me by surprise. I guess that's what you get when you sleep half the day away
Bubba  GIT-R-DONE  MVM  join:2002-08-19  St. Andrews
to BeesTea
said by BeesTea: Something to watch for
Makes me dizzy
catseyenu  Ack Pfft  Premium Member  join:2001-11-17  Fix East
to BeesTea
borv  Onemhz On Aim  join:2000-10-06  Astoria, NY
to BeesTea
hta sploit - which reminds me MS03-032 didn't quite "work" fully, M$ was supposed to re-release it so that it covered more vulnerabilities. Does the current MS03-032 cover HTA vulnerabilities?
catseyenu  Ack Pfft  Premium Member  join:2001-11-17  Fix East
said by borv: hta sploit - which reminds me MS03-032 didn't quite "work" fully, M$ was supposed to re-release it so that it covered more vulnerabilities. Does the current MS03-032 cover HTA vulnerabilities?
Not enough to prevent this. » vil.nai.com/vil/content/ ··· 0719.htm
Doctor Four  My other vehicle is a TARDIS  Premium Member  join:2000-09-05  Dallas, TX
to BeesTea
A few weeks ago, there was an article over at Spyware Info linking to a security site (www.secunia.com) that tested for this exploit. The article said that the hole was being actively exploited by some spyware and hijackers. The test is at this page: » www.secunia.com/MS03-032/
Secunia recommended turning off ActiveX or using a browser that was unaffected by the exploit, such as Mozilla. I think I've found a workable solution where I don't have to stop using IE or turn off ActiveX, and that is to permanently block Internet access to or from MSHTA.exe using Zone Alarm. Is this going to be sufficient, or should I download and install HTAStop as an additional security measure?
catseyenu  Ack Pfft  Premium Member  join:2001-11-17  Fix East
This is exactly what Kevin and Nancy have developed HTAstop for. Easy off/on if you need it. More: » www.nsclean.com/htastop.html
to BeesTea
The best and most secure way to prevent this is to change the ACLs on [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters] to Everyone: read; Administrator: read, modify.
And stop logging in as administrator.
I know people like to blame Microsoft for all the holes in its operating system, but as a security expert who is MCSE, CNA, CUSA, LPI, CCNA, and CISSP certified I have done a lot of work with all operating systems, from small networks to large enterprise 1000+ machine infrastructures, and I'm telling you all this now. Do not believe people when they try to tell you that UNIX and Linux are more secure, because they're not. Microsoft has 93% of the market and Apple has 3%; the last 4% belong to Linux and UNIX. Now Microsoft by default has configured the OS to be in a Domain and to get all its GPOs and Configs from the domain controllers. If you are in a domain that's set up right and you're not running as enterprise administrator you will never have a problem.
Let's talk about UNIX and Linux for a moment: they both force you not to run as ROOT. And if you know UNIX you know what a pain it is to run under a user, but nothing can be modified; that's why they say UNIX is more secure. But wait, same with Microsoft. Everyone try this: log in as a user and start changing things and install some apps.
It's not going to happen, so if you can't install apps then how are worms and viruses going to run? They can't.
But I know what you're all saying: WHAT ABOUT THE RPC VULNERABILITY. That was just sloppy coding, but you all have to realize that the code was carried on from NT 4.0, which was written back in 1996 I think, and back then security wasn't their big focus. And another thing: if Microsoft made their OS perfect the industry would fall, and fall fast.
BeesTea  Internet Janitor  Premium Member  join:2003-03-08  00000
BeesTea
Premium Member
2003-Oct-2 11:07 am
No one mentioned anything about any other OS. Go sell your religion somewhere else. This was a technical thread.
-BeesT
The point
Anon
2003-Oct-2 11:37 am
Was his point (powercomp) that an XP user running under a "limited" account would not be vulnerable?
If this was his point, can anyone confirm this?
PeeWee  Premium Member  join:2001-10-21  Madera, CA
to BeesTea
said by BeesTea: No one mentioned anything about any other OS. Go sell your religion somewhere else. This was a technical thread.
-BeesT
His point was well made and his additional comment on Unix was on the point also. No one else made the comment that Unix was better only as a matter of opportunity. Someone would have eventually, as always. He might not see it later and the remark would be left uncontested. You see, I feel that the claims made by Unix users are as offensive as you may find his.
PeeWee
to catseyenu
said by catseyenu: This is exactly what Kevin and Nancy have developed HTAstop for. Easy off/on if you need it. More: »www.nsclean.com/htastop.html
I've looked at the site, it says it's for everything else, but does not mention XP Pro. Will it work on XP?
BeesTea  Internet Janitor  Premium Member  join:2003-03-08  00000
to PeeWee
said by PeeWee:
You see, I feel that the claims made by Unix users as offensive as you may find his.
They weren't offensive, just completely off-topic and irrelevant. To argue that it is on-topic is silly. Should every thread become a commercial just because someone *may* say something? That's ridiculous at best. -BeesT
PeeWee  Premium Member  join:2001-10-21  Madera, CA
to BeesTea
I don't want to crap this thread. What he gave was good information that almost no windows user would complain about. Linux and Unix users make similar claims so often that it would be automatic to wonder if this was a solution. Same kind of comment was, and is being made about other supposed solutions. Incontrovertible, related facts are not off topic. If you're talking about a windows problem, then how can the point about a different OS not being the solution be off topic? I will not discuss this further here you can IM me.
catseyenu  Ack Pfft  Premium Member  join:2001-11-17  Fix East
to PeeWee
Okay, I've some backpedaling to do. Heard back from the developer of HTAstop. HTAstop does not stop this one though it does stop others. quote: "... not THAT particular one since it's not HTA that's behind *THAT* one. However, there's literally hundreds of HTA exploits being played and it does help there. For THIS one though, the ONLY solution is for Microsoft to fix their bugs. So far, they won't." » www.techworld.com/news/i ··· wsid=503
Sorry about that.
BeesTea  Internet Janitor  Premium Member  join:2003-03-08  00000
BeesTea
Premium Member
2003-Oct-5 1:08 am