Last Updated: 2007-04-07 16:19:50 UTC
by Tony Carothers (Version: 2)
We will keep you posted as things progress. I will be sending on what we have discovered as well to MS tomorrow. It is 0130EST right now in the US, I will be passing the findings on to the other Handlers for review and input later this morning.
UPDATE: We are not sure this is related to Microsoft's DNS. Based solely on the packets it looks like a DCOM exploit against a high-numbered port with shellcode in it. The partial packets we received match portions of well-known DCOM exploits and Schoenborn shellcode.
The packets begin with this:
05 00 0B 03 10 00 00 00
which matches several Blaster/DCOM signatures.
Then some shellcode (Schoenborn):
04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00
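As an added illustration (my own code, not from the diary or its handlers), here is a small decoder for the two byte runs quoted above: the first eight bytes are the common DCE/RPC PDU prefix that the Blaster/DCOM signatures key on, and the second run has the layout of a 20-byte DCE/RPC syntax id (little-endian UUID followed by a version word), which is how a bind PDU names its interface and transfer syntax. The byte values are copied from the page; function names and the sample payload are my own.

```python
import struct
import uuid

# Byte runs quoted in the diary (constructed here from the hex on the page).
HEADER_BYTES = bytes.fromhex("05000B0310000000")
SYNTAX_BYTES = bytes.fromhex("045d888aeb1cc9119fe808002b10486002000000")

PTYPE_NAMES = {0x00: "request", 0x02: "response", 0x03: "fault",
               0x0B: "bind", 0x0C: "bind_ack", 0x0D: "bind_nak",
               0x0E: "alter_context"}


def is_dcerpc_bind(data):
    """Signature check equivalent to the 05 00 0B 03 prefix the diary matched."""
    return len(data) >= 4 and data[0] == 5 and data[2] == 0x0B


def parse_dcerpc_header(data):
    """Decode the common 8-byte prefix of a connection-oriented DCE/RPC PDU."""
    if len(data) < 8:
        raise ValueError("need at least 8 bytes")
    vers, vers_minor, ptype, flags = data[0], data[1], data[2], data[3]
    drep = data[4:8]  # data representation: high nibble 1 = little-endian ints
    return {
        "rpc_vers": vers,
        "rpc_vers_minor": vers_minor,
        "ptype": PTYPE_NAMES.get(ptype, "unknown(0x%02x)" % ptype),
        "first_frag": bool(flags & 0x01),
        "last_frag": bool(flags & 0x02),
        "little_endian": (drep[0] & 0xF0) == 0x10,
    }


def decode_syntax_id(data):
    """Decode a 20-byte p_syntax_id_t: little-endian UUID + (major, minor)."""
    if len(data) < 20:
        raise ValueError("need 20 bytes")
    iface = uuid.UUID(bytes_le=data[:16])
    major, minor = struct.unpack("<HH", data[16:20])
    return str(iface), major, minor


def find_bind_offset(payload):
    """Return the offset of the first bind header in a captured payload, or -1."""
    for off in range(len(payload) - 3):
        if is_dcerpc_bind(payload[off:off + 4]):
            return off
    return -1


# Constructed sample: junk preamble followed by the page's header bytes.
SAMPLE_PAYLOAD = b"\x00\x11\x22" + HEADER_BYTES + b"\x00" * 8
```

Run on the page's second run, decode_syntax_id yields 8a885d04-1ceb-11c9-9fe8-08002b104860 version 2.0, the NDR transfer syntax id that every bind request carries, so the same decoder lets a responder separate bind structure from whatever follows it in a capture.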
UPDATE-2: We are looking at the files involved now, we will keep the diary updated as things develop.