Thursday, April 15, 2010

DIR ADVISORY

DIR ADVISORY-- W32.Qakbot Worm , Compromised FTP sites and Government Systems

DIR has been made aware of some FTP servers, located in the US and abroad, that have received keystroke logging data files from infected systems.
W32.Qakbot, first identified in May 2009, is a worm that spreads through network shares. It downloads additional files, steals confidential information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. Most, if not all, updated anti-virus solutions prevent this year-old worm from infecting systems.
The worm spreads by exploiting vulnerabilities when a user visits certain Web pages. Exploit code hosted at these remote locations downloads the threat onto the compromised computer. Many of the infections are aided by users unwittingly clicking on malicious links. The worm also spreads through network shares by copying itself to shared folders when instructed to by a remote attacker.
While W32.Qakbot has multiple capabilities, its ultimate goal is clearly theft of information. It gathers a range of confidential data, including:
  • Authentication cookies, including Flash cookies
  • DNS, IP, hostname details
  • OS and system information
  • Geographic and browser version information
  • Keystrokes including login information
  • Login details for FTP, IRC, POP3 email, and IMAP email
  • Outlook account information
  • Private keys from system certificates
  • Login credentials for certain websites
  • URLs visited
1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.

1.1 Update and enable Anti-virus software
As a first line of defense, organizations and users are encouraged to review the details outlined in this advisory, update anti-virus versions and definitions, and ensure that anti-virus software is actually enabled and working.

1.2 Patch Operating System and Software
Users are advised to ensure that their operating systems and any installed software are fully patched, and that firewall software is up to date and operational. Users are advised to turn on automatic updates where available so that their computers receive the latest patches and updates as vendors distribute them.

This threat is known to be spread by exploiting certain vulnerabilities. Installation of patches for the following vulnerabilities will reduce the risk to your computer.
1.3 User Behavior and Precautions
Users are advised not to open or execute files from unknown sources. It is also advisable to disable the execution of JavaScript in client applications to prevent execution of unwanted scripts.

Users should turn off file sharing if its use is not required. If file sharing is required, users should use ACLs and password protection to limit access. In addition to this, the use of a firewall or IDS may block or detect back door server communications with remote client applications.

1.4 Address Blocking
Block access to the following addresses using a firewall or router, or add entries to the local hosts files to redirect the following addresses to 127.0.0.1:

  • A[.]rtbn2[.]cn
  • adserv[.]co[.]in
  • c[.]rtbn2[.]cn
  • gator862[.]hostgator[.]com
  • ftp[.]5150[.]clanservers[.]com
  • ftp[.]abid[.]co[.]cc
  • ftp[.]buldrip[.]com
  • ftp[.]dfarchs[.]com
  • ftp[.]fantasyworldtravel[.]net
  • ftp[.]successful-marketers[.]com
  • hostrmeter[.]com
  • nt002[.]cn
  • nt010[.]cn
  • nt202[.]cn
  • up002[.]cn
  • up004[.]cn
  • uu002[.]cn
  • w1[.]webinspector[.]biz
  • web192[.]ixwebhosting[.]com
  • www[.]cdcdcdcdc212121cdsfdfd[.]com
  • www[.]cdcdcdcdc2121cdsfdfd[.]com
  • zenpayday[.]com
  • zurnretail[.]com
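As an added example (not part of the DIR advisory), the following Python turns the defanged list above back into hostnames, validates them, and emits the hosts-file lines that section 1.4 describes. The `is_blocked` helper makes the limit of that approach visible: a hosts entry matches an exact name only, so a subdomain of a listed name, or a connection made directly to an IP address, is not covered and still needs the firewall or router rule. The sink address and the helper names are mine.

```python
import re

# Indicator list copied from the advisory above, in its defanged form.
ADVISORY_HOSTS = [
    "A[.]rtbn2[.]cn", "adserv[.]co[.]in", "c[.]rtbn2[.]cn",
    "gator862[.]hostgator[.]com", "ftp[.]5150[.]clanservers[.]com",
    "ftp[.]abid[.]co[.]cc", "ftp[.]buldrip[.]com", "ftp[.]dfarchs[.]com",
    "ftp[.]fantasyworldtravel[.]net", "ftp[.]successful-marketers[.]com",
    "hostrmeter[.]com", "nt002[.]cn", "nt010[.]cn", "nt202[.]cn",
    "up002[.]cn", "up004[.]cn", "uu002[.]cn", "w1[.]webinspector[.]biz",
    "web192[.]ixwebhosting[.]com", "www[.]cdcdcdcdc212121cdsfdfd[.]com",
    "www[.]cdcdcdcdc2121cdsfdfd[.]com", "zenpayday[.]com", "zurnretail[.]com",
]

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def refang(indicator: str) -> str:
    """Turn a defanged name ('ftp[.]example[.]com') back into a real hostname."""
    return indicator.replace("[.]", ".").strip().lower()


def is_valid_hostname(name: str) -> bool:
    """Reject anything that is not a plausible multi-label hostname."""
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def hosts_entries(indicators, sink="127.0.0.1"):
    """Build hosts-file lines mapping each blocked name to the sink address.

    Names are refanged and validated, duplicates are dropped, and the
    advisory's order is preserved so the output is easy to diff later.
    """
    seen = set()
    lines = []
    for raw in indicators:
        name = refang(raw)
        if not is_valid_hostname(name):
            raise ValueError(f"not a hostname: {raw!r}")
        if name in seen:
            continue
        seen.add(name)
        lines.append(f"{sink}\t{name}")
    return lines


def is_blocked(hostname, entries):
    """True if a lookup for hostname would hit one of the generated entries.

    A hosts file matches exact names only: 'x.nt002.cn' is NOT covered by an
    entry for 'nt002.cn', and a connection made straight to an IP address
    never consults the hosts file at all.
    """
    blocked = {line.split("\t", 1)[1] for line in entries}
    return hostname.lower().rstrip(".") in blocked


if __name__ == "__main__":
    for line in hosts_entries(ADVISORY_HOSTS):
        print(line)
```

Append the printed lines to the system hosts file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere) from an administrative account; the firewall or router block from section 1.4 remains the control that also catches direct-to-IP connections.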

1.5 Network Port Blocking
Some of the vulnerabilities used to compromise computers have been known to use a TCP port between 16666 and 16669 to spread. Blocking this port range at the network perimeter may help to reduce the risk to your computer.


1.6 Network Shares
This threat is also known to spread inside networks by using shares. The following steps can help protect your computer against this threat:
  • Users are advised to ensure that all network shares are only opened when they are necessary for use.
  • Use a strong password to guard any shared folders or accounts. A strong password is at least 8 characters long and uses a combination of numeric, upper-case and lower-case characters along with one or more symbols. Commonly used words from everyday language should not be used, as they are easily defeated by a dictionary attack.
  • Disable the autorun feature to prevent dropped files from running automatically when a network drive is opened.
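Added example, not from the advisory: a check that encodes the password rules stated in this section (8 or more characters; numeric, upper-case and lower-case characters; at least one symbol; no everyday word). It reports every rule a candidate fails rather than a bare yes/no, which is what a help desk or provisioning script needs. The small `COMMON_WORDS` set is a constructed stand-in for a real wordlist, and the function names are mine.

```python
import string

# Constructed stand-in for a real dictionary/wordlist (assumption, not from the advisory).
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "admin", "qwerty", "texas"}


def password_problems(pw, min_length=8, dictionary=COMMON_WORDS):
    """Return the list of advisory rules the password fails (empty list = passes).

    Rules, as stated in section 1.6: length >= 8, at least one digit, one
    upper-case letter, one lower-case letter, one symbol, and not based on an
    everyday word.
    """
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    # Dictionary rule: compare the alphabetic core of the password, so that
    # 'Password1!' still fails even though it satisfies every class rule above.
    core = "".join(c for c in pw if c.isalpha()).lower()
    if core in dictionary:
        problems.append("based on a common word")
    return problems


def is_strong(pw):
    """Convenience wrapper: True only when no rule is violated."""
    return not password_problems(pw)


if __name__ == "__main__":
    for candidate in ("short", "Password1!", "correcthorsebattery", "Tr4il-head#Blue"):
        verdict = password_problems(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

In production the `dictionary` argument should be a real wordlist loaded from disk; the alphabetic-core comparison is deliberately strict so that trivially decorated dictionary words are rejected.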
IMPORTANT: If a state system has been determined to have been infected with this worm, please notify DIR Security immediately: dir.security@dir.state.tx.us
In a related action, DIR implemented blocking of all traffic destined to the following IP addresses, as noted in an earlier NSOC Blocking Notice:
  • 206.188.193.195
  • 174.120.28.2
  • 12.97.188.57
  • 62.204.145.206
  • 66.55.132.6
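Added example, not DIR's own tooling: a small detector that runs the indicators from this advisory (the five blocked IP addresses listed above and the TCP 16666-16669 range from section 1.5) over a few constructed firewall log lines in a generic key=value export format. The log format, the internal 10.20.x.x addresses and the timestamps are assumptions; the indicators are the advisory's. Denied flows are reported too, because a blocked connection attempt is still evidence that the source host may be infected and should be checked.

```python
import ipaddress
import re

# Indicators from the advisory: the IP addresses DIR blocked at the perimeter,
# and the TCP port range named in section 1.5 (16666-16669 inclusive).
BLOCKED_IPS = {
    ipaddress.ip_address(a) for a in (
        "206.188.193.195", "174.120.28.2", "12.97.188.57",
        "62.204.145.206", "66.55.132.6",
    )
}
SPREAD_PORTS = range(16666, 16670)

# Constructed sample log (not real traffic) in a 'timestamp k=v k=v ...' layout.
SAMPLE_LOG = """\
2010-04-15T09:12:01 action=allow proto=tcp src=10.20.1.15 dst=206.188.193.195 dport=21
2010-04-15T09:12:07 action=allow proto=tcp src=10.20.1.15 dst=93.184.216.34 dport=443
2010-04-15T09:13:40 action=allow proto=tcp src=10.20.1.22 dst=10.20.1.15 dport=16667
2010-04-15T09:14:02 action=deny proto=tcp src=10.20.1.31 dst=66.55.132.6 dport=80
2010-04-15T09:14:55 action=allow proto=udp src=10.20.1.15 dst=10.20.0.1 dport=53
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one log line into a dict; return None for lines we cannot use."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    rec = dict(_KV.findall(parts[1]))
    rec["ts"] = parts[0]
    try:
        rec["dst"] = ipaddress.ip_address(rec["dst"])
        rec["dport"] = int(rec["dport"])
    except (KeyError, ValueError):
        return None
    return rec


def classify(rec):
    """Return the reasons a flow matches the advisory's indicators (empty if none)."""
    reasons = []
    if rec["dst"] in BLOCKED_IPS:
        reasons.append("dst in DIR blocked IP list")
    if rec.get("proto") == "tcp" and rec["dport"] in SPREAD_PORTS:
        reasons.append("tcp dport in 16666-16669 spread range")
    return reasons


def find_hits(log_text):
    """Return (source host, reasons, record) for every flow that matches.

    Denied flows are included on purpose: the firewall stopped the connection,
    but the host that tried to make it is the one to investigate.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec.get("src", "?"), reasons, rec))
    return hits


if __name__ == "__main__":
    for src, reasons, rec in find_hits(SAMPLE_LOG):
        print(f"{rec['ts']} {src} -> {rec['dst']}:{rec['dport']} [{rec.get('action')}]: "
              + "; ".join(reasons))
```

The internal-to-internal hit on port 16667 is the case worth noting: perimeter blocking (section 1.5) does nothing for traffic between two hosts on the same network, so the port-range check belongs in internal flow logs as well as at the edge.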

Security Incident Reporting Instructions:
Note: The 24/7 emergency number for the Security Office is 512-350-3282.
The secondary contact is Kevin White, 512-463-7189 (office) or 512-762-3172 (cell).
DIR Security

23 comments:

  1. Thank you for the good article.
    I totally agree. I have experienced a similar situation in my work system. It has caused many issues and data loss. Since that time we use data room service providers in order to prevent such problems from happening.
  2. "The worm spreads by exploiting vulnerabilities when a user visits certain Web pages. Exploit code hosted at these remote locations downloads the threat on to the compromised computer."

    Very good words.
    Thank you for great blog.
    security-online.net