Re: [fw-wiz] firewall-wizards Digest, Vol 11, Issue 22

To: <firewall-wizards@listserv.cybertrust.com>
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 11, Issue 22
From: "Mike Barkett" <mbarkett@us.checkpoint.com>
Date: Wed, 28 Mar 2007 15:51:43 -0400
In-reply-to: <mailman.927.1175104151.23601.firewall-wizards@listserv.icsalabs.com>
Just a thought, but have they looked into whether this isn't just a bunch of
new Vista boxes popping up and communicating with some new default
applications?  Of course, that wouldn't make it ok, but it would explain it
and lower the paranoia level a little.  Do they have insight into the
affected machines, i.e. can you scan them, actively or passively?
Naturally, I'd suggest implementing a good IDS, to discover more than what
is immediately apparent from perusing the raw pcaps.

-MAB
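The passive triage Mike suggests above (working from flow data or raw pcaps before touching the customer hosts) can be scripted against the specific pattern the quoted thread describes: customer machines with activity on TCP 1720 and 1863 in conjunction. The script below is an added example and is not code from the thread or from any of the posters. It assumes a hypothetical NetFlow-style CSV export (columns ts,src,sport,dst,dport,proto,bytes, such as a router export or `tshark -T fields` output could be massaged into); the sample records are constructed, not real traffic, and the addresses are documentation/RFC 1918 ranges. It separates outbound connections to a watched port (what an IM client does) from inbound connections accepted on that port (a host actually serving it), since the latter is what the ISP report calls "services running" and is the more interesting thing to confirm with an active scan.

```python
"""Flow triage for hosts active on TCP 1720 and 1863 together.

Added example, not from the thread.  Input is a hypothetical NetFlow-style
CSV; SAMPLE_FLOWS below is constructed sample data, not captured traffic.
"""
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

WATCH_PORTS = (1720, 1863)

# Constructed sample records (not real traffic): one flow per line.
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport,proto,bytes
1175100001,10.1.1.10,49152,207.46.110.30,1863,tcp,4200
1175100002,10.1.1.10,49153,198.51.100.7,1720,tcp,900
1175100003,10.1.1.11,49200,207.46.110.31,1863,tcp,3100
1175100004,10.1.1.12,49300,203.0.113.9,1720,tcp,1200
1175100005,203.0.113.10,51000,10.1.1.12,1720,tcp,1100
1175100006,10.1.1.12,49302,203.0.113.11,1863,tcp,300
1175100007,10.1.1.13,49400,93.184.216.34,80,tcp,15000
1175100008,203.0.113.12,51001,10.1.1.10,1720,tcp,600
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": int(row["ts"]),
            "src": ip_address(row["src"]),
            "sport": int(row["sport"]),
            "dst": ip_address(row["dst"]),
            "dport": int(row["dport"]),
            "proto": row["proto"],
            "bytes": int(row["bytes"]),
        })
    return rows


def summarize(flows, local_net):
    """Per local host, collect remote peers seen on each watched port.

    Returns {host: {"out": {port: set(peers)}, "in": {port: set(peers)}}}.
    "out": the local host connected to a remote port (client behaviour).
    "in":  a remote peer connected to the local host's port (the host is
           serving it, which is what the ISP report calls a 'service').
    """
    net = ip_network(local_net)
    summary = defaultdict(lambda: {"out": defaultdict(set), "in": defaultdict(set)})
    for f in flows:
        if f["src"] in net and f["dport"] in WATCH_PORTS:
            summary[str(f["src"])]["out"][f["dport"]].add(str(f["dst"]))
        elif f["dst"] in net and f["dport"] in WATCH_PORTS:
            summary[str(f["dst"])]["in"][f["dport"]].add(str(f["src"]))
    return summary


def hosts_with_both(summary):
    """Local hosts with activity on both watched ports, in either direction."""
    hits = [h for h, s in summary.items()
            if set(s["out"]) | set(s["in"]) >= set(WATCH_PORTS)]
    return sorted(hits, key=ip_address)


def hosts_listening(summary, port):
    """Local hosts that accepted an inbound connection on the given port."""
    return sorted((h for h, s in summary.items() if s["in"].get(port)),
                  key=ip_address)


def report(text, local_net):
    """One line per host matching the 1720+1863 pattern, for an analyst."""
    summary = summarize(parse_flows(text), local_net)
    lines = []
    for host in hosts_with_both(summary):
        s = summary[host]
        lines.append(
            f"{host}: out->1720 {len(s['out'].get(1720, ()))} peers, "
            f"out->1863 {len(s['out'].get(1863, ()))} peers, "
            f"inbound on 1720 from {len(s['in'].get(1720, ()))} peers, "
            f"inbound on 1863 from {len(s['in'].get(1863, ()))} peers")
    return lines


if __name__ == "__main__":
    # Local customer range is an assumption for the constructed sample.
    for line in report(SAMPLE_FLOWS, "10.1.1.0/24"):
        print(line)
```

Hosts that only connect out to 1863 (the MSN Messenger client case Victor raises below) drop out of the list; hosts that accept inbound connections on 1720 are the ones worth an active scan and a look at the local process table, which is the step the ISP report says came up empty.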

> Date: Wed, 28 Mar 2007 11:20:12 -0500
> From: Victor Williams <vbwilliams@neb.rr.com>
> Subject: Re: [fw-wiz] FW: OT? New compromise.
> To: firewall-wizards@listserv.cybertrust.com
> Message-ID: <460A95BC.3080604@neb.rr.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> Port 1863 is the port for Microsoft's Instant Messenger client
> communications.  1720 is default for LiveMeeting...in later versions
> these two pieces of functionality are integrated together.
> 
> It could appear to exist on Linux boxes because of any of a number of
> Instant Messenger clients that come by default.  I know GAIM and Kopete
> are included by default with Fedora 4 and later and work with all the
> major IM networks (MSN, Yahoo, ICQ, AIM).
> 
> In MS systems, MSN IM client starts itself automatically unless you
> specifically tell it not to.  Likewise, even if you tell it not to,
> loading MS Office 2003 or later will re-set it so that it starts
> automatically again.
> 
> Jim Seymour wrote:
> 
> >The following is a selection of the comments in a thread on another
> >mailing list (which is semi-confidential, so I won't be naming it),
> >with permission from each of the authors to re-post/forward here.
> >
> >(N.B.: Since it's a forward from a semi-confidential mailing list, I'd
> >respectfully request that it not be forwarded elsewhere, though I fully
> >realize the request certainly isn't enforceable.  Thanks.)
> >
> >Anybody recognize this?
> >
> >------------------------- begin included text --------------------------
> >From: Ereshkigal
> >Subject: OT? New compromise.
> >
> >Not exactly spam-related right now, but of fairly major concern.
> >We've been finding it a lot when looking at customers with spammy
> >viruses.  A lot of them (currently 95-98%) have some type of services
> >running on ports 1720 and 1863 in conjunction.  Two weeks ago, we saw
> >it on maybe 1 of 10-15 customers.  Over the weekend, it seems to have
> >reached a tipping point.  I have no clue what is going on with this
> >and I've been digging into every source that I have.
> >
> >Some of the other ISPs I've talked to, have seen the same trend.  It
> >reeks of botnet to me.  Currently, it's sitting there silently and
> >this is what worries me.  Someone suggested that April 1 would be a
> >good day for chaos.
> >
> >It's invisible on the local machine, cross-platform (both Windows and
> >*nix - confirmed on Fedora Core 4 running nessus and tripwire and
> >neither noticed anything amiss).  None of the Windows deep utilities
> >find anything.  I have several security sources and none of them have
> >been able to identify it, although traffic is starting to spike across
> >the internet to 1720.  Traffic to 1863 has dropped off.
> >
> >Any clues of the chaos to come?  It's way too quiet for me and I don't
> >like not knowing what is going on.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards