
RE: [ISSForum] New Sasser variant?



Well, since it took a few days for this to hit the forum, a lot more
information has come out.  Looks like a combination of a few things, and
get ready world, it's a lot of fun to clean up after.  Key to it
all...Patch Management 101.  Due to acquisitions of companies and
outside vendors dropping in to say "hi", you'll find you can't get it
all, but containment isn't too far off.

Large growth in Korgo virus:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci969764,00.html?track=NL-358&ad=484914

The smsc.exe variant trojan
http://it.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_AGOBOT.WF

From the looks of our infection, we had Sasser and RPC to get in, then
we had the Trojan IRC bot trying to get out and something doing mass
SNMP gets to all devices.  Everything was contained to an internal class
B network except for the IRC bot.  The Sasser signature is what
triggered very high; other signatures won't be nearly as high, as they are
backups to the first method of entry.

We had a small infestation and got lucky (about 40 machines out of
7000+), but we did need to drop each machine to safe mode and off
network to patch and clean, meaning many man hours and lots of remote on
the phone with non IT people (FUN!).

Thanks, till next time!
Erin
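The three-stage pattern Erin describes (LSASS/RPC in, IRC bot out on 6667, then mass SNMP gets across the internal range) is the kind of thing a flow-log correlator can surface. The following is an added example written for this page, not code from the list or from ISS; the log format, the 10.0.0.0/8 "internal" test and the sample lines are all constructed assumptions.

```python
# Added example: correlate flow records to find hosts that show two or more of
# the indicators from the thread. Log format and sample data are constructed.
from collections import defaultdict

# Constructed flow records: "src dst proto dport". 10.1.9.20 gets hit on 445,
# calls out to IRC on 6667, then SNMP-sweeps six internal hosts; 10.1.4.8 is benign.
SAMPLE_FLOWS = """\
10.1.2.7 10.1.9.20 TCP 445
10.1.9.20 198.51.100.5 TCP 6667
10.1.9.20 10.1.3.1 UDP 161
10.1.9.20 10.1.3.2 UDP 161
10.1.9.20 10.1.3.3 UDP 161
10.1.9.20 10.1.3.4 UDP 161
10.1.9.20 10.1.3.5 UDP 161
10.1.9.20 10.1.3.6 UDP 161
10.1.4.8 10.1.4.1 UDP 161
10.1.4.8 203.0.113.9 TCP 80
"""

def parse_flows(text):
    """Yield (src, dst, proto, dport) from 'src dst proto dport' lines; skip malformed."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue
        yield fields[0], fields[1], fields[2].upper(), int(fields[3])

def is_internal(ip):
    # Assumed internal address space for this example (the thread's "internal class B").
    return ip.startswith("10.")

def find_suspects(text, snmp_threshold=5):
    """Return {host: set_of_indicators} for hosts matching at least two indicators."""
    lsass_inbound, irc_outbound = set(), set()
    snmp_targets = defaultdict(set)          # src -> distinct internal SNMP targets
    for src, dst, proto, dport in parse_flows(text):
        if proto == "TCP" and dport in (135, 445) and is_internal(dst):
            lsass_inbound.add(dst)           # victim side of an LSASS/RPC connection
        elif proto == "TCP" and dport == 6667:
            irc_outbound.add(src)            # IRC bot checking in
        elif proto == "UDP" and dport == 161 and is_internal(dst):
            snmp_targets[src].add(dst)       # SNMP get to an internal device
    suspects = {}
    for host in lsass_inbound | irc_outbound | set(snmp_targets):
        hits = set()
        if host in lsass_inbound: hits.add("lsass_inbound")
        if host in irc_outbound: hits.add("irc_6667")
        if len(snmp_targets.get(host, ())) >= snmp_threshold: hits.add("snmp_sweep")
        if len(hits) >= 2:
            suspects[host] = hits
    return suspects
```

Requiring two of three indicators keeps a single host polling its own switch over SNMP, or one stray IRC connection, from paging anyone; tune `snmp_threshold` to how chatty legitimate management stations are on your network.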


-----Original Message-----
From: InfoSec 
Sent: Thursday, June 10, 2004 5:14 PM
To: issforum@xxxxxxx
Subject: [ISSForum] New Sasser variant? 

Is anyone else experiencing large amounts of traffic that appears as
Sasser, then turns into an ircbot.trojan named smsc.exe
connecting on port 6667, then performs HUGE amounts of SNMP get
requests? <grin>  I am, and very few people seem to have any
clue what this is...Virus companies are jumping around trying to define
and be first in line with a solution, I just wondered if
anyone on this forum has seen it yet?

ISS sigs triggering thus far are:

MSRPC_LSASS_Bo
TCP_Network_Scan
MSRPC_LSASS_Request_Detected
Microsoft_Windows_Shell_Banner

(others have been turned off due to sheer volume)

Thanks,

Erin

_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx

The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
