Monday, August 15, 2005

McD's Bomber Message Malware:
"Visiting the site redirects to a page 'mc.html' on the same site that attempts to exploit the MS05-038 bug, creating a file called w.hta. Handler David Goldsmith has called upon the Yesnic registry to stop resolving this domain, and the China-Netcom ISP to stop hosting this site, but at the time of this writing, the site is still operational. Organizations may want to consider blocking the site at 210.22.50.80 to prevent click-happy users from infecting their systems."
and further down on the page:

A few salient points regarding the current PnP attack threat:

+ There are lots of additional 'bots' in addition to Zotob, directly targeting systems or making use of prepopulated target lists;
+ Ensure all systems have NULL session disabled to block the current threats;
+ Block TCP/445 ingress and egress whenever possible to stop incoming attacks, and to detect infected systems leaving your network;
+ Do not rely on TCP/33333 FTP service detection to identify compromised systems as this port is not used consistently in later bot variants;
+ Ensure AV signatures are up-to-date;
+ Patch!