Re: [fw-wiz] firewall-wizards Digest, Vol 11, Issue 22


Just a thought, but have they looked into whether this isn't just a bunch of
new Vista boxes popping up and communicating with some new default
applications? Of course, that wouldn't make it ok, but it would explain it
and lower the paranoia level a little. Do they have insight into the
affected machines, i.e. can you scan them, actively or passively?
Naturally, I'd suggest implementing a good IDS, to discover more than what
is immediately apparent from perusing the raw pcaps.

-MAB

Date: Wed, 28 Mar 2007 11:20:12 -0500
From: Victor Williams <vbwilliams@xxxxxxxxxx>
Subject: Re: [fw-wiz] FW: OT? New compromise.
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx
Message-ID: <460A95BC.3080604@xxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Port 1863 is the port for Microsoft's Instant Messenger client
communications. 1720 is default for LiveMeeting...in later versions
these two pieces of functionality are integrated together.

It could appear to exist on Linux boxes because of any of a number of
Instant Messenger clients that come by default. I know GAIM and Kopete
are included by default with Fedora 4 and later and work with all the
major IM networks (MSN, Yahoo, ICQ, AIM).

In MS systems, MSN IM client starts itself automatically unless you
specifically tell it not to. Likewise, even if you tell it not to,
loading MS Office 2003 or later will re-set it so that it starts
automatically again.

Jim Seymour wrote:

The following is a selection of the comments in a thread on another
mailing list (which is semi-confidential, so I won't be naming it),
with permission from each of the authors to re-post/forward here.

(N.B.: Since it's a forward from a semi-confidential mailing list, I'd
respectfully request that it not be forwarded elsewhere, tho I fully
realize the request certainly isn't enforceable. Thanks.)

Anybody recognize this?

------------------------- begin included text --------------------------
From: Ereshkigal
Subject: OT? New compromise.

Not exactly spam-related right now, but of fairly major concern.
We've been finding it a lot when looking at customers with spammy
viruses. A lot of them (currently 95-98%) have some type of services
running on ports1720 and 1863 in conjunction. Two weeks ago, we saw
it on maybe 1 of 10-15 customers. Over the weekend, it seems to have
reached a tipping point. I have no clue what is going on with this
and I've been digging into every source that I have.

Some of the other ISPs I've talked to, have seen the same trend. It
reeks of botnet to me. Currently, it's sitting there silently and
this is what worries me. Someone suggested that April 1 would be a
good day for chaos.

It's invisible on the local machine, cross-platform (both Windows and
*nix - confirmed on Fedora Core 4 running nessus and tripwire and
neither noticed anything amiss). None of the Windows deep utilities
find anything. I have several security sources and none of them have
been able to identify it, although traffic is starting to spike across
the internet to 1720. Traffic to 1863 has dropped off.

Any clues of the chaos to come? It's way too quiet for me and I don't
like not knowing what is going on.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards