
ISC Reader's Diary, PHP Include Worm, Trojan in wild that exploits new IE bug, Pacific Earthquake & Tsunami - SANS Internet Storm Center


ISC Reader's Diary

We are planning a diary for the first week of the New Year that is exclusively a "Reader's Diary". This will be a diary of inputs from you, our readers, to the rest of the world. We are looking for inputs that pertain to ISC, the Internet, New Year predictions, suggestions, 'thank you' notes, almost anything (within reason). We will try to get all of the inputs posted, and they will be available for reading on January 2nd/3rd. Please include your name and a valid email address. Names will be posted; however, email addresses will be kept private.


Please submit entries to newyear@isc.sans.org by Jan. 2nd 1200hrs GMT to be added to the diary.

PHP Include Worm

It seems I came back from the holiday with the same mess on the Internet that was there when I left. Various forms and copycats of PHP Include worms are out there, and the AV vendors have adopted other names for these variants because of the differences between them and the Santy strains. K-Otik has a write-up here: http://www.k-otik.com/news/20041226.PhpIncludeWorm.php

I imagine this will persist as long as people have vulnerable PHP installations out there and do not upgrade; however, the methodology of detecting vulnerable machines will continue to change over time.

Trojan in wild that exploits new IE bug

OOPS! Update (by TL, 20:00 GMT):

Looks like we might have mis-spoken on this one. Earlier versions of the diary said that Trojan.Phel.A didn't affect WinXP SP2, but it appears that it only affects that platform. Also, despite what we said, this really didn't tie into the vulnerabilities discussed in the December 23rd diary... Dang. Strike two! Bad Handlers! BAAAAAD Handlers... no donut! (Thank you, James, for pointing that out!)



Symantec has released an alert on the first exploit out there, Trojan.Phel.A. More here: http://securityresponse.symantec.com/avcenter/venc/data/trojan.phel.a.html and http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm

Thanks to Chris Mosby for the link.

Pacific Earthquake & Tsunami

Our condolences to any affected by the tragedy in South Asia with the earthquake and resulting tsunami.
----

bambenek /at/ gmail -dot- com
John

ISC Handler
