Merit Network

Discussion Communities: Merit Network Email List Archives

Network Security

FW: [SECURITY] MyDoom backdoor scanning on the rise

  • From: Howell, Paul
  • Date: Mon Feb 09 14:59:24 2004


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY@LISTSERV.EDUCAUSE.EDU]On Behalf Of REN-ISAC
Sent: Monday, February 09, 2004 1:31 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: [SECURITY] MyDoom backdoor scanning on the rise


Dear all,

Underscoring the need to get those MyDoom infections cleaned up...

MyDoom.A[1], aka W32.Novarg.A, installs a proxy that allows TCP connections
on a port in the range of 3127 to 3198. The backdoor permits an attacker to
download and execute arbitrary files on an infected machine. MyDoom.B[2]
similarly installs a proxy that listens on TCP ports including 3128. A new
worm known as Deadhat[3], aka Vesser, exploits the MyDoom.A and B backdoors
and is now loose in the wild. Deadhat was first seen February 7th. We're
seeing a corresponding rise in scanning for port 3127 on Abilene. The
attached document shows graphs of packet counts seen on Abilene router ACLs
and flows seen in Abilene NetFlow data. Current activity against the router
ACL counters can be viewed on the REN-ISAC web page:
http://ren-isac.net/.


Regards,

Doug Pearson
REN-ISAC
http://ren-isac.net
24x7 watch desk: (317)278-6630
ren-isac@iu.edu

---

[1] W32/Novarg.A Virus
http://www.cert.org/incident_notes/IN-2004-01.html

[2] W32/MyDoom.B
http://www.us-cert.gov/cas/techalerts/TA04-028A.html

[3] W32.HLLW.Deadhat, aka Vesser
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.deadhat.html
http://www.f-secure.com/v-descs/vesser.shtml

-o0o-

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

Attachment: mydoom_backdoor_scanning_20040209.pdf
Description: Adobe PDF document
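
An added example, not part of the original message or of REN-ISAC's tooling: a small pass over flow records that flags sources sweeping the backdoor port range named in the message and local hosts answering on it, which are the candidates for cleanup. The record layout, function names and sample addresses are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Port range the message gives for the MyDoom.A backdoor; it also covers
# TCP 3128, which the message names for MyDoom.B.
BACKDOOR_PORTS = range(3127, 3199)

# Constructed sample flow records (not real data). The field layout is an
# assumption: src, sport, dst, dport, proto, tcp_flags.
SAMPLE_FLOWS = """\
198.51.100.7,40001,192.0.2.10,3127,tcp,S
198.51.100.7,40002,192.0.2.11,3127,tcp,S
198.51.100.7,40003,192.0.2.12,3127,tcp,S
198.51.100.7,40004,192.0.2.13,3127,tcp,S
192.0.2.12,3127,198.51.100.7,40003,tcp,SA
203.0.113.5,51000,192.0.2.20,3128,tcp,S
203.0.113.5,51001,192.0.2.20,80,tcp,S
192.0.2.30,3127,198.51.100.9,53,udp,
"""

def parse_flows(text):
    """Yield one dict per CSV flow record, with ports converted to int."""
    fields = ["src", "sport", "dst", "dport", "proto", "flags"]
    for row in csv.DictReader(io.StringIO(text), fieldnames=fields):
        row["sport"], row["dport"] = int(row["sport"]), int(row["dport"])
        yield row

def analyze(text, min_targets=3):
    """Return (scanners, responders) for TCP flows touching the port range."""
    targets = defaultdict(set)   # src -> distinct hosts probed with a bare SYN
    responders = set()           # (host, port) pairs that sent a SYN-ACK
    for f in parse_flows(text):
        if f["proto"] != "tcp":
            continue
        if f["dport"] in BACKDOOR_PORTS and f["flags"] == "S":
            targets[f["src"]].add(f["dst"])
        elif f["sport"] in BACKDOOR_PORTS and f["flags"] == "SA":
            # A SYN-ACK from the range means something is listening there.
            # 3128 is also a common HTTP proxy port, so confirm before acting.
            responders.add((f["src"], f["sport"]))
    scanners = {s: len(d) for s, d in targets.items() if len(d) >= min_targets}
    return scanners, responders

if __name__ == "__main__":
    scanners, responders = analyze(SAMPLE_FLOWS)
    print("sources sweeping 3127-3198:", scanners)
    print("hosts answering on 3127-3198:", sorted(responders))
```
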



