Information Exchange Among FIRST members

1. Information Exchange Among FIRST members DamirRajnovic <gaus@cisco.com>

2. FIRST - a global organization Forum for Incident Response and Security Teams - FIRST

3. FIRST Vision and Mission Vision FIRST is a premier organization and recognized global leader in incident response. Membership in FIRST enables incident response teams to more effectively respond to security incidents by providing access to best practices, tools, and trusted communication with member teams. Mission Statement FIRST is an international confederation of trusted computer incident response teams who cooperatively handle computer security incidents and promote incident prevention programs. FIRST members develop and share technical information, tools, methodologies, processes and best practices FIRST encourages and promotes the development of quality security products, policies & services FIRST develops and promulgates best computer security practices FIRST promotes the creation and expansion of Incident Response teams and membership from organizations from around the world FIRST members use their combined knowledge, skills and experience to promote a safer and more secure global electronic environment.

4. What FIRST offers Training and education Place to meet your peers Trusted forum to exchange information Place to ask questions and be informed on what is happeneing

5. Reports on new malware "Hostile" .pdf functionality observed in #3 below compliments of the Adobe 2009 Christmas "Bonus". Drops C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\wininit32.exe MD5: 3022d0030732ae273538def0cd32680a Upon execution, wininit32.exe then drops: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\wininit.dll And calls home to ”<host>.live-msn.net" on TCP/8080 (perhaps the MSFT folks here would like to do something about that ;) ) Fortunately, the following /32 doesn't appear to be listening on TCP/8080 right now AS | IP | AS Name 4xx7 | x.y.74.24 | <REMOVED> Networks Inter-Exchange

6. Phishing attacks Subject: Sustained large scale phishing attack now using VOIP Hi first-teams, Just a heads up on some ongoing, and now increasing, activity we are seeing here. There has been a sustained phishing attack against <COUNTRY> largest bank (The Bank) which has reached some pretty impressive (depressing?) levels for the past few weeks. Some stats given to us on the numbers seen: "So actually in the last 7 days we've received approx 71 000 emails for The Bank phishing (out of approx 238 000 spams at that level). So about 30% of all spams coming in at that level of detection are The Bank phishers!"

7. DNS Amplification This morning we've seen quite an uptick in DNS amplification attacks to open recursive resolvers (sigh) using the TXT records from <site>.info. Those of you who have technology to look for that in packets may want to have a peek. ;-) 2009-04-DD HH:53:58.506 UTC+0200 is the start time here -- out of curiosity can you share the (presumably spoofed) IP address which was making the queries and thus getting the packet love? I'd like to check our own data to see if the attack passed through here as well.

8. DNS Attacks We see these queries beginning on or about 2009-03-DD HH:09:23 UTC. At that time, the TXT RR was: aaaaaa….aaaaaaaaaaabbbbb….bbbbbbbbbbbbbcccccc….ccccccccccccc On or about 2009-04-DD HH:00:08 UTC the TXT RR changes to: <host1>.net Note that <host2>.info is an alias for <host>.net. We've not yet identified the malware responsible for the queries. Note that the IP to which both <host2>.info and <host>.net resolve, x.y.47.91, has hosted badness in the past. This may not be related, of course. AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name 3xx6 | x.y.47.91 | x.y.0.0/18 | US | arin | 2006-08-25 | <removed> 2009-02-DD HH:14:57 UTC x.y.47.91 TCP 80 httpbot www.<host>.info [ ... ] 2009-03-DD HH:09:03 UTC x.y.47.91 TCP 80 httpbot www.<host>.info

9. Suspicious packets HH:57:25.033496 42:74:21:74:0:21 0:1:2:da:a2:8e 8100 64: 802.1Q vlan#993 P0 255.255.255.255.80 > x.y.92.64.5786: R [tcp sum ok] 0:0(0) ack 1157431297 win 0 (ttl 239, id 44289, len 40) 0x0000 03e1 0800 4500 0028 ad01 0000 ef06 f5ac ....E..(........ 0x0010 ffff ffff xxyy 5c40 0050 169a 0000 0000 ......\@.P...... 0x0020 44fd 0001 5014 0000 2ac7 0000 8dec 7085 D...P...*.....p. 0x0030 5a9f Z. 16:57:27.331273 42:74:21:74:0:21 0:1:2:da:a2:8e 8100 64: 802.1Q vlan#993 P0 255.255.255.255.80 > x.y.88.203.27866: R [tcp sum ok] 0:0(0) ack 315752449 win 0 (ttl 49, id 5565, len 40) 0x0000 03e1 0800 4500 0028 15bd 0000 3106 4e67 ....E..(....1.Ng 0x0010 ffff ffff xxyy 58cb 0050 6cda 0000 0000 ......X..Pl..... 0x0020 12d2 0001 5014 0000 0a27 0000 e301 0000 ....P....'...... 0x0030 0054 .T

10. Abused proxies Next, is a list of 3,434 abused proxies sorted by ASN. These have been supposedly verified in the last 3 days. Please take the time to look for your ASN and also at the end for MultipleOrigin entries: AS | IP:PORT X | x.y.249.2:80 X | x.y.249.34:80 X | x.y.255.7:8080 Y | x.y.0.190:3128 Y | x.y.2.87:80

11. Denial-of-Service attacks Subject: 6GB-20GB DDOS attack heading near you! 122k attacking IPs, please read [....] Each day, at around the same time, several DNS TXT queries are sent to a series of 122,000 DNS servers (up from 87,000 a few days ago, and 55,000 at last count from <PROVIDER>). [....] The sources are always spoofed and are varying from day to date. The latest sources were primarily within the following prefixes: x.y.64.0/24 x.y.81.0/24 ….