To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Please direct all new digests to [EMAIL PROTECTED] rather than this address.
Kindest Regards

Asghar Ali (Ash)
IM&T Technical Analyst
Malware & Risk Management Specialist
N2/N3 Infrastructure Operations Team
NHS Connecting for Health
Tel: 01392 663 770
Fax: 01392 663 850
Email Address: [EMAIL PROTECTED]
Firewall Changes: [EMAIL PROTECTED]
www.Connectingforhealth.nhs.uk/igsecurity

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 23 September 2006 05:34
To: [email protected]
Subject: botnets Digest, Vol 7, Issue 15

Send botnets mailing list submissions to [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
or, via email, send a message with subject or body 'help' to [EMAIL PROTECTED]

You can reach the person managing the list at [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific than "Re: Contents of botnets digest..."

Today's Topics:

   1. Re: Possible zero-day exploit? (Noel Bouillet)
   2. Re: Possible zero-day exploit? (Gadi Evron)
   3. Re: Possible zero-day exploit? (Jeff Kell)
   4. Re: Possible zero-day exploit? (Gadi Evron)
   5. Re: Possible zero-day exploit? (Eric Sites)
   6. Re: Spammed - sorry (Richard Cox)
   7. Re: Spammed - sorry ([EMAIL PROTECTED])
   8. Re: Spammed - sorry (Gadi Evron)

----------------------------------------------------------------------

Message: 1
Date: Fri, 22 Sep 2006 11:44:07 -0600
From: Noel Bouillet <[EMAIL PROTECTED]>
Subject: Re: [botnets] Possible zero-day exploit?
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"

We have found that the problems with IE crashing have been attributed to a problem with users who have the Yahoo toolbar installed.

-----Original Message-----
From: Alavan [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 21, 2006 6:23 PM
To: [email protected]
Subject: [botnets] Possible zero-day exploit?

I work at a Tier 1 ISP (Cox Communications). We are getting slammed with customers calling regarding IE closing right after opening (thousands of calls). Normally this is virus related. I have to look at a machine to see what's going on....

If anyone hears anything......

Regards,

Alavan
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets

------------------------------

Message: 2
Date: Fri, 22 Sep 2006 13:22:45 -0500 (CDT)
From: Gadi Evron <[EMAIL PROTECTED]>
Subject: Re: [botnets] Possible zero-day exploit?
To: Lawrence Abrams <[EMAIL PROTECTED]>
Cc: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 22 Sep 2006, Lawrence Abrams wrote:
> This is definitely due to the VML exploit. What you are experiencing may be
> hardware DEP blocking the exploit. When DEP blocks the page it will also
> crash IE.
>
> A guide was put up for my members here that gives some information and a
> method of protecting yourself from the exploit.
>
> http://www.bleepingcomputer.com/forums/topic66086.html
>
> In summary you need to have them unregister the
> "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll" file using regsvr32.
> This will disable VML on the machine and therefore protect against the
> exploit.

Patch (unofficial) now available:
http://www.eweek.com/article2/0,1895,2019162,00.asp
http://isotf.org/zert/

> ----- Original Message -----
> From: "Gadi Evron" <[EMAIL PROTECTED]>
> To: "Alavan" <[EMAIL PROTECTED]>
> Cc: <[email protected]>
> Sent: Friday, September 22, 2006 12:28 AM
> Subject: Re: [botnets] Possible zero-day exploit?
>
> > On Thu, 21 Sep 2006, Alavan wrote:
> >> Thanks Gadi. I hadn't been checking my [botnet] box, so I missed the
> >> discussion. My apologies. Lots of good info there. I just found it bizarre
> >> that we began getting flooded for about 2 hours and then it tapered off to
> >> almost nothing. I wonder what website/e-mail they're all visiting/clicking
> >> on that's getting them in trouble.....if I get any info on this, I'll
> >> forward it.
> >>
> >> Tomorrow morning, I'll be cleaning a customer's PC that was infected. I may
> >> or may not get further information.
> >>
> >> The symptoms were IE closing right after opening. Disabling "Enable 3rd
> >> party browser extensions" allows IE to run properly. Another post states
> >> that disabling Javascripting does the same.
> >>
> >> We had probably several hundred trends (customer support reps trending their
> >> issue with the customer) between 3:30pm and 5:00pm PST and then it started
> >> tapering off.
> >
> > Other ISPs are also reporting massive floods of their tech support
> > lines. The hours can be explained by "leaving work" and going home, but I
> > am not sure.
> >
> >> Alavan
> >>
> >> ----- Original Message -----
> >> From: "Elia Florio" <[EMAIL PROTECTED]>
> >> To: <[EMAIL PROTECTED]>
> >> Sent: Thursday, September 21, 2006 5:49 PM
> >> Subject: Re: [botnets] Possible zero-day exploit?
> >>
> >> > Your symptoms look very similar to the recent VML 0day exploit for IE.
> >> > Any sample/page to submit? Any URL to analyze?
> >> >
> >> > EF
------------------------------

Message: 3
Date: Fri, 22 Sep 2006 15:31:32 -0400
From: Jeff Kell <[EMAIL PROTECTED]>
Subject: Re: [botnets] Possible zero-day exploit?
To: Gadi Evron <[EMAIL PROTECTED]>
Cc: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1

Gadi Evron wrote:
> Patch (unofficial) now available:
> http://www.eweek.com/article2/0,1895,2019162,00.asp
> http://isotf.org/zert/

Is this a "patch" or just setting the killbit on the object?

Jeff

------------------------------

Message: 4
Date: Fri, 22 Sep 2006 15:07:22 -0500 (CDT)
From: Gadi Evron <[EMAIL PROTECTED]>
Subject: Re: [botnets] Possible zero-day exploit?
To: Jeff Kell <[EMAIL PROTECTED]>
Cc: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 22 Sep 2006, Jeff Kell wrote:
> Gadi Evron wrote:
> > Patch (unofficial) now available:
> > http://www.eweek.com/article2/0,1895,2019162,00.asp
> > http://isotf.org/zert/
>
> Is this a "patch" or just setting the killbit on the object?

No. It unregisters the DLL, replaces the Microsoft function, and registers the new DLL.

> Jeff

------------------------------

Message: 5
Date: Fri, 22 Sep 2006 16:44:02 -0400
From: Eric Sites <[EMAIL PROTECTED]>
Subject: Re: [botnets] Possible zero-day exploit?
To: Jeff Kell <[EMAIL PROTECTED]>, Gadi Evron <[EMAIL PROTECTED]>
Cc: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"

A real patch...

------------------------------

Message: 6
Date: Fri, 22 Sep 2006 22:38:42 +0000
From: Richard Cox <[EMAIL PROTECTED]>
Subject: Re: [botnets] Spammed - sorry
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="US-ASCII"

On Fri, 22 Sep 2006 09:07:05 -0500
RL Vaughn <[EMAIL PROTECTED]> wrote:

> Looks like some filter slipped.
> I will see if we can tighten up the filters.

Like ... reject all mail sent in the future ?

--
Richard Cox <[EMAIL PROTECTED]>

------------------------------

Message: 7
Date: Fri, 22 Sep 2006 21:47:33 -0400
From: <[EMAIL PROTECTED]>
Subject: Re: [botnets] Spammed - sorry
To: <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"

In light of recent litigation, I might be inclined to recommend that folks ban all emails from spamhaus.org or from anybody that appears to be sending from spamhaus.org.

From the mail headers:
mail.amigostecnicos.net (amigostecnicos.net [209.151.108.130])

Keith.
------------------------------

Message: 8
Date: Fri, 22 Sep 2006 22:43:45 -0500 (CDT)
From: Gadi Evron <[EMAIL PROTECTED]>
Subject: Re: [botnets] Spammed - sorry
To: [EMAIL PROTECTED]
Cc: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 22 Sep 2006 [EMAIL PROTECTED] wrote:
> In light of recent litigation, I might be inclined to recommend that folks
> ban all emails from spamhaus.org or from anybody that appears to be sending
> from spamhaus.org.
>
> From the mail headers:
> mail.amigostecnicos.net (amigostecnicos.net [209.151.108.130])

I almost didn't approve your email message. Then decided I hate censorship.

Now, I allowed it through, but that does not mean I will let your lack of understanding and complete spread of libel spoo and spew against spamhaus stand. Don't spread lies and don't attack people like spamhaus before you go and do on your own.

And you dare attack Richard of all people?

For those interested in what really happened, check spamhaus's site for news on the spammer suing them with, in my opinion, no shame.

Keith, if that is your real name, you may be an innocent bystander who fell for spammer lies, but you spread them further attacking others which has no real excuse.

Gadi.

------------------------------

_______________________________________________
botnets mailing list
[email protected]
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets

End of botnets Digest, Vol 7, Issue 15
**************************************
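The regsvr32 workaround from Lawrence Abrams's guide (Message 2) and Jeff Kell's "patch or kill bit?" question (Messages 3 and 4) can be checked on a machine with the script below. It is an added example, not code from the list thread or from ZERT; it assumes a Windows host where vgx.dll lives under %CommonProgramFiles%\Microsoft Shared\VGX and IE keeps kill bits under its "ActiveX Compatibility" registry key.

```powershell
# Added example, not from the list thread or ZERT: audit whether the VML
# workaround (unregistering vgx.dll) or an IE kill bit is in place.
# Assumptions: Windows, vgx.dll under %CommonProgramFiles%\Microsoft Shared\VGX,
# and the IE "ActiveX Compatibility" registry layout. Run elevated to change anything.
param([switch]$Unregister)

$vgxPath     = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
$killBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-VgxRegistration {
    # Walk HKCR\CLSID and keep every class whose in-process server is vgx.dll,
    # so no CLSID has to be hard-coded.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv -and $srv.'(default)' -match 'vgx\.dll$') {
            $clsid = $_.PSChildName
            # Kill bit = bit 0x400 of the "Compatibility Flags" DWORD under the CLSID.
            $flags = (Get-ItemProperty -Path (Join-Path $killBitRoot $clsid) `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
            [pscustomobject]@{
                CLSID      = $clsid
                Server     = $srv.'(default)'
                KillBitSet = [bool]($flags -band 0x400)
            }
        }
      }
}

$regs = @(Get-VgxRegistration)
if ($regs.Count -eq 0) {
    "vgx.dll is not registered as a COM server: VML is disabled on this machine."
} else {
    # Still registered: report each class and whether a kill bit covers it.
    $regs | Format-Table -AutoSize
    if ($Unregister) {
        # The step Lawrence Abrams's guide describes; /s keeps regsvr32 quiet.
        & regsvr32.exe /u /s $vgxPath
        "regsvr32 /u exit code: $LASTEXITCODE"
    }
}
```

A kill bit only stops IE from instantiating the class, while unregistering removes the COM server for every host application; a row with KillBitSet true but the DLL still registered shows the difference Jeff asked about.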
