The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – MS05-051 (MSDTC) Malware / Port 1025

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

Handler’s Diary December 15th 2005

MS05-051 (MSDTC) Malware / Port 1025 (NEW)

Published: 2005-12-15,
Last Updated: 2005-12-15 16:04:03 UTC by Daniel Wesemann (Version: 1)

A blog entry over at F-Secure mentions a new piece of malware dubbed “Dasher.A” that is trying to exploit the MS05-051 (aka MSDTC) vulnerability. The spreading mechanism seems to be very unreliable, but it likely explains the surge in Port 1025 traffic we’ve seen recently. The captured packets look a lot like what the MS05-051 POC exploit posted at FrSIRT.com would cause. [Thanks to Juha-Matti and David for reporting this.]

Update 15:27 UTC: Georg Wicherski from the German Honeynet Project has successfully captured the full exploit, including payload, on one of these tcp/1025 attacks. The payload will be called Dasher.B by F-Secure – and unlike the .A variant, this one does work and drops a keylogger. Georg is planning to update mwcollect with MS05-051 detection and capture code over the next few days.
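The diary's practical lead for defenders is the surge in inbound tcp/1025 connection attempts. The following script is an added example (not code from the ISC diary, the blog, or mwcollect) showing how to pull that signal out of firewall logs: it counts tcp/1025 attempts per source and flags sources that sweep several distinct hosts, which is what an unreliable self-propagating exploit attempt looks like from the outside. The key=value log format, the sample lines, and the sweep threshold are all constructed assumptions; adapt the parser to your own firewall's format.

```python
"""Spot a sweep of inbound tcp/1025 connection attempts in firewall logs.

Added example, not part of the ISC diary or the blog post. The log format is
a constructed, simplified key=value style; the threshold is an assumption.
"""
from collections import Counter, defaultdict
import re

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
2005-12-15T15:01:02Z action=deny proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=1025
2005-12-15T15:01:02Z action=deny proto=tcp src=198.51.100.7 dst=192.0.2.11 dport=1025
2005-12-15T15:01:03Z action=deny proto=tcp src=198.51.100.7 dst=192.0.2.12 dport=1025
2005-12-15T15:01:03Z action=allow proto=tcp src=203.0.113.5 dst=192.0.2.20 dport=80
2005-12-15T15:01:04Z action=deny proto=tcp src=198.51.100.7 dst=192.0.2.13 dport=1025
2005-12-15T15:01:05Z action=deny proto=tcp src=198.51.100.9 dst=192.0.2.10 dport=1025
2005-12-15T15:01:06Z action=allow proto=udp src=203.0.113.8 dst=192.0.2.20 dport=53
2005-12-15T15:01:07Z action=deny proto=tcp src=198.51.100.7 dst=192.0.2.14 dport=1025
"""

# Assumed line layout: timestamp, then fixed key=value fields in this order.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)$"
)

WATCH_PORT = 1025      # the port the diary reports a traffic surge on
SWEEP_THRESHOLD = 3    # assumed: distinct targets per source before alerting


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def summarize_port_hits(log_text, port=WATCH_PORT):
    """Count tcp/<port> attempts per source and the distinct hosts each source touched."""
    attempts = Counter()
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != port:
            continue
        attempts[rec["src"]] += 1
        targets[rec["src"]].add(rec["dst"])
    return attempts, {src: len(hosts) for src, hosts in targets.items()}


def find_sweepers(log_text, port=WATCH_PORT, threshold=SWEEP_THRESHOLD):
    """Sources that tried tcp/<port> against at least `threshold` distinct hosts."""
    _, distinct = summarize_port_hits(log_text, port)
    return sorted(src for src, n in distinct.items() if n >= threshold)


if __name__ == "__main__":
    attempts, distinct = summarize_port_hits(SAMPLE_LOG)
    for src in sorted(attempts):
        print(f"{src}: {attempts[src]} attempts, {distinct[src]} distinct targets")
    print("sweeping sources:", find_sweepers(SAMPLE_LOG))
```

Counting distinct destinations rather than raw attempts is deliberate: a single host retrying one connection is noise, while one source walking across many hosts on the same port is the pattern worth escalating, and the same counter works for any port you want to watch.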

December 15, 2005 - Posted by | Antivirus News, Security News
