Thursday, December 06, 2007

Sandboxing and CSA Advisory

I spent a few hours playing with my sandbox tonight, and found these C&Cs:

----

Earlier this afternoon Cisco released an advisory about their Security Agent (CSA). At this time there is no public exploit, however I am sure that will change over the next few days.

It appears that CSA is vulnerable to specially crafted overflows on the SMB ports (139/445). The advisories reference BSODs and possible code execution. It's never good when a security application comes up on the CVE list. Be sure you update your CSA as soon as possible.
