http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=224700541
More information on this latest IM threat. Here is the write-up accordingly: http://www.symantec.com/security_response/writeup.jsp?docid=2010-050209-1610-99&tabid=2

Typical nastiness on the Trojan downloader. Would recommend that you block the domains listed in the article write-up and drop all traffic outbound to them on port 2345 TCP tagged as IRC traffic. It doesn't look like these domains are fast-flux:

Non-authoritative answer:
Name: e2doo.org
Address: 123.176.40.3

Non-authoritative answer:
Name: sls.e2doo.net
Address: 216.246.31.107

Country of Origin: USA

And India: for e2doo.org

EZ
Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505

From: John Aldrich
Sent: Tuesday, May 04, 2010 10:31 AM
To: NT System Admin Issues
Subject: RE: Yahoo / IM Virus New??

Hopefully Vipre blocks it as well. ☺

From: Garcia-Moran, Carlos
Sent: Tuesday, May 04, 2010 10:14 AM
To: NT System Admin Issues
Subject: RE: Yahoo / IM Virus New??

Woot! NOD32 5080 and above is blocking the worm :0 We are saved, well, until someone else clicks on another one.

From: Angus Scott-Fleming
Sent: Tuesday, May 04, 2010 9:42 AM
To: NT System Admin Issues
Subject: Re: Yahoo / IM Virus New??

> Some of my users are reporting getting a link to a PHP page in the Yahoo
> Chats from known contacts; once clicked (of course they did) it scans
> through their IM contacts and sends the exact link to all of them. Just a
> heads up, don't know if it's new or not but 1st time I've seen it. In case
> anyone gets it, ours is like this "foto http bflmages com / images php", add
> dots and stuff of course.

In the news right now:

Yahoo! Messenger Users Infected By New Worm, Form An IRC Botnet | CyberInsecure.com
http://cyberinsecure.com/yahoo-messenger-users-infected-by-new-worm-form-an-irc-botnet/

A new worm is quickly spreading on Yahoo! Messenger (YM) via Web links to fake images. Users who fall victim to this threat have an IRC botnet client installed on their computers.

According to security researchers from Vietnam-based antivirus vendor Bkis, who analyzed the new worm, it spreads through YM spam. The malware sends out malicious links of the form http://[rogue_domain_name]/image.php to the entire contact list of any user logged into YM on an infected computer.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-895-3270
Security Blog: http://geoapps.com/
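Added example, not code from the thread or any of its posters: a small Python check that turns Edward's blocking advice into a detection pass, flagging outbound flows to 2345/tcp or to the two resolved addresses he posted, and IM messages carrying an image.php style lure link of the form the article describes. The firewall log format, the IM log lines and the rogue.example host are constructed for this example.

```python
import re

# Indicators quoted in the thread: the IRC C2 port (2345/tcp) and the
# resolved addresses for e2doo.org and sls.e2doo.net. Constructed, not exhaustive.
IRC_C2_PORT = 2345
KNOWN_C2_ADDRS = {"123.176.40.3", "216.246.31.107"}

# Lure links take the form http://[rogue_domain]/image.php (or images.php).
LURE_LINK = re.compile(r"https?://([^\s/]+)/images?\.php\b", re.IGNORECASE)

# Hypothetical firewall log format assumed for this example:
#   <timestamp> <ALLOW|DENY> tcp <src>:<sport> -> <dst>:<dport>
FW_LINE = re.compile(
    r"^(\S+) (ALLOW|DENY) tcp (\d+(?:\.\d+){3}):\d+ -> (\d+(?:\.\d+){3}):(\d+)$")

# Constructed sample lines; 198.51.100.x / 203.0.113.x are documentation ranges.
SAMPLE_FW_LOG = """\
2010-05-04T10:02:11 ALLOW tcp 10.1.4.22:49201 -> 216.246.31.107:2345
2010-05-04T10:02:15 ALLOW tcp 10.1.4.22:49210 -> 198.51.100.7:443
2010-05-04T10:03:40 ALLOW tcp 10.1.7.9:51133 -> 203.0.113.9:2345
2010-05-04T10:04:02 DENY tcp 10.1.2.5:51200 -> 123.176.40.3:2345
2010-05-04T10:04:30 ALLOW tcp 10.1.2.5:51201 -> 198.51.100.7:443
"""

SAMPLE_IM_LOG = [
    "alice->bob: foto http://rogue.example/images.php",
    "bob->alice: lol which one?",
    "carol->dave: check this http://example.org/gallery/photo.jpg",
]

def find_c2_connections(log_text):
    """Flows to a known C2 address or to 2345/tcp. A DENY still counts: the
    source host tried to reach C2, so it is infected and needs cleaning."""
    hits = []
    for line in log_text.splitlines():
        m = FW_LINE.match(line)
        if not m:
            continue
        ts, action, src, dst, dport = m.groups()
        if dst in KNOWN_C2_ADDRS or int(dport) == IRC_C2_PORT:
            hits.append({"time": ts, "action": action, "src": src,
                         "dst": dst, "dport": int(dport)})
    return hits

def find_lure_links(messages):
    """Return (message, rogue_host) for IM messages carrying a lure link."""
    return [(msg, m.group(1)) for msg in messages
            for m in [LURE_LINK.search(msg)] if m]

def hosts_to_clean(log_text):
    """Sorted internal sources that touched a C2 indicator, for the incident ticket."""
    return sorted({h["src"] for h in find_c2_connections(log_text)})
```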
