Thanks, I did run into something very similar a couple of weeks ago. Symantec missed it but now calls it Cycbot, and McAfee first missed it but now calls it EX1. Copies of shell.exe, svchost.exe, and dwm.exe all living within the user's profile/temp structure.
Erik Goldoff
IT Consultant
Systems, Networks, & Security
' Security is an ongoing process, not a one time event ! '

From: Ziots, Edward [mailto:[email protected]]
Sent: Friday, December 03, 2010 8:20 AM
To: NT System Admin Issues
Subject: New Malware Targeting Corporate Networks

http://blog.fireeye.com/research/2010/11/winself-a-new-backdoor-in-town.html

Command & Control protocol
This backdoor uses HTTP to carry its custom obfuscated protocol. To evade signature-based IPS/IDS, the URLs are generated randomly to be highly dynamic based on the current time.

(It tries to evade being seen by IPS/IDS, which isn't a good thing; it's targeted in its attack, and its developers are smart enough to employ techniques that evade normal IDS/IPS implementations.) And its CNC channel is over HTTP, therefore without deeper inspection of the HTTP traffic this CNC traffic could definitely be going outbound to the bot-herder, or keeper of the botnet, without any other inspection and totally be allowed, which is even scarier. And this is all possible because of drive-by exploits targeting the latest in browser flaws (IE 0-days).

Definitely something that could be lurking in a lot of corporate networks, and with the lack of egress filtering and deeper inspection of outbound packets from the Internal Trust Networks, a lot of machines could be owned and send corporate data out the pipe without the business ever even picking up on it.

Food for thought,
Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
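The thread's point is that HTTP C2 with time-seeded random URLs slips past signature IDS and, without egress inspection, looks like ordinary web traffic. What a defender can still do is look at the shape of the traffic in the proxy log rather than its content: a compromised host tends to talk to one external name at metronome-like intervals, and every request lands on a never-before-seen, high-entropy path. The script below is an added example written for this page, not code from the original post or from the FireEye write-up. The log format (epoch, client IP, method, URL), the host names, the sample lines and the thresholds are all constructed assumptions; the heuristic (interval regularity plus path novelty) is a generic beacon-hunting approach, not any product's detection logic.

```python
"""Heuristic proxy-log triage for HTTP command-and-control beaconing.

Everything here is constructed for illustration: the log lines are made up,
the "<epoch> <client> <method> <url>" format is an assumption, and the
thresholds are starting points a SOC would tune against its own baseline.
"""
import math
import re
import statistics
from collections import defaultdict

# Assumed log format: "<epoch seconds> <client ip> <method> <absolute url>"
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)$")
URL_RE = re.compile(r"^https?://(?P<host>[^/]+)(?P<path>/[^?]*)?")

# Constructed sample: 10.0.0.5 hits one name every 60 s on a fresh random path;
# 10.0.0.7 browses a normal site at irregular intervals, revisiting pages.
SAMPLE_LOG = [
    "1291375200 10.0.0.5 GET http://update-cdn.example/q7w3e9r1t5y2u8i0",
    "1291375260 10.0.0.5 GET http://update-cdn.example/a4s6d2f8g0h1j3k5",
    "1291375320 10.0.0.5 GET http://update-cdn.example/z9x7c5v3b1n2m4l6",
    "1291375380 10.0.0.5 GET http://update-cdn.example/p0o2i4u6y8t1r3e5",
    "1291375440 10.0.0.5 GET http://update-cdn.example/l5k3j1h9g7f2d4s6",
    "1291375500 10.0.0.5 GET http://update-cdn.example/m8n6b4v2c0x1z3a5",
    "1291375200 10.0.0.7 GET http://www.example.com/index.html",
    "1291375202 10.0.0.7 GET http://www.example.com/css/site.css",
    "1291375245 10.0.0.7 GET http://www.example.com/index.html",
    "1291375246 10.0.0.7 GET http://www.example.com/about",
    "1291375500 10.0.0.7 GET http://www.example.com/about",
    "1291375501 10.0.0.7 GET http://www.example.com/img/logo.png",
]


def parse_line(line):
    """Parse one log line into (ts, client, host, path); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m.group("url"))
    if not u:
        return None
    return {"ts": float(m.group("ts")), "client": m.group("client"),
            "host": u.group("host").lower(), "path": u.group("path") or "/"}


def shannon_entropy(s):
    """Bits per character; random-looking path segments score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_pairs(lines, min_requests=5):
    """Per (client, host): interval regularity and path novelty features."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[(rec["client"], rec["host"])].append(rec)
    results = {}
    for key, recs in groups.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])
        intervals = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
        mean_iv = statistics.mean(intervals)
        # Coefficient of variation near 0 means clock-driven beaconing;
        # human browsing is bursty and scores well above that.
        cv = statistics.pstdev(intervals) / mean_iv if mean_iv > 0 else float("inf")
        paths = [r["path"] for r in recs]
        unique_ratio = len(set(paths)) / len(paths)
        mean_entropy = statistics.mean(shannon_entropy(p.strip("/")) for p in paths)
        results[key] = {"n": len(recs), "mean_interval": mean_iv, "cv": cv,
                        "unique_path_ratio": unique_ratio, "path_entropy": mean_entropy}
    return results


def flag_suspects(features, max_cv=0.2, min_unique=0.9, min_entropy=3.0):
    """Return (client, host) pairs that beacon regularly to ever-new random paths."""
    return sorted(k for k, f in features.items()
                  if f["cv"] <= max_cv and f["unique_path_ratio"] >= min_unique
                  and f["path_entropy"] >= min_entropy)


if __name__ == "__main__":
    feats = score_pairs(SAMPLE_LOG)
    for key, f in sorted(feats.items()):
        print(key, {k: round(v, 3) for k, v in f.items()})
    print("suspects:", flag_suspects(feats))
```

Run against real proxy or web-gateway exports, the output is a short list of client/destination pairs to pull into a sandbox or pivot on by process, not a verdict on its own: software updaters also beacon on a clock, so a host allow-list and a per-site baseline belong in front of the thresholds. The script only works if outbound HTTP is forced through a logging proxy in the first place, which is the egress-filtering point the original message makes.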
