Dasher.C Now In The Wild
There's a new variant, Dasher.C, on the loose. It has the following changes over Dasher.B:
- It doesn't just scan for the MSDTC vulnerability (TCP port 1025); it also scans TCP ports 42 (WINS), 445 (LSASS), and 1433 (MS SQL). As always, the scans have a source port of 6000, a constant IP ID of 256, and an initial TTL of 120. The three additional attacks are proven exploits recycled by a lot of recent malware, and they are there to find and recruit more victims.
- This one doesn't appear to restrict the target networks for its scanning and attacks as tightly, so it will reach more potential victims.
- It connects to a different FTP server to fetch the files.
This version also doesn't appear to mess with the registry based on some analysis I had a chance to do today on the files I obtained (thanks to some European research partners).
You can block TCP port 21211 outbound to stop the FTP fetch of the malware from the central distribution site, and block the scanning activity by dropping TCP SYN packets from TCP source port 6000 to TCP ports 42, 445, 1025, and 1433.
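The filter above is easy to express as a packet classifier, which is also what you would want for spotting this traffic in a capture rather than only dropping it at the border. The example below is added here and is not code from the post or from the malware; it parses a raw IPv4+TCP header pair and matches the scan signature (pure SYN, source port 6000, destination port 42/445/1025/1433, IP ID 256) and the outbound fetch to port 21211. One caveat worth building in: the TTL of 120 is the initial value, so a probe that has crossed routers arrives with a lower TTL. The `MAX_HOPS` window of 32 is an assumption of the example, as are the sample addresses and the `build_packet` helper used to construct test packets.

```python
import socket
import struct
from dataclasses import dataclass

# Traffic characteristics of Dasher.C as described in the post above.
SCAN_SRC_PORT = 6000
SCAN_DST_PORTS = {42, 445, 1025, 1433}   # WINS, LSASS, MSDTC, MS SQL
SCAN_IPID = 256
SCAN_INITIAL_TTL = 120
FTP_FETCH_PORT = 21211

# Assumption (not from the post): a probe has crossed at most this many routers,
# so the TTL seen on the wire is within this many of the initial 120.
MAX_HOPS = 32

TCP_SYN = 0x02
TCP_ACK = 0x10
IPPROTO_TCP = 6


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    ipid: int
    ttl: int
    proto: int
    sport: int
    dport: int
    flags: int


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Decode the fields we need from an IPv4 header followed by a TCP header.

    IP options are skipped via the IHL field; TCP options are not needed here.
    """
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _tlen, ipid, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != IPPROTO_TCP or len(raw) < ihl + 20:
        raise ValueError("not a complete TCP segment")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    return Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst), ipid, ttl,
                  proto, sport, dport, off_flags & 0x01FF)


def is_dasher_scan(p: Packet) -> bool:
    """Pure SYN from source port 6000 to an exploited port, IP ID 256, TTL consistent with 120."""
    if p.proto != IPPROTO_TCP or p.flags & (TCP_SYN | TCP_ACK) != TCP_SYN:
        return False
    if p.sport != SCAN_SRC_PORT or p.dport not in SCAN_DST_PORTS:
        return False
    if p.ipid != SCAN_IPID:
        return False
    # The initial TTL is decremented once per hop, so accept a window just below 120.
    return SCAN_INITIAL_TTL - MAX_HOPS < p.ttl <= SCAN_INITIAL_TTL


def is_dasher_ftp_fetch(p: Packet) -> bool:
    """Connection attempt to the non-standard FTP port used to fetch the malware."""
    return (p.proto == IPPROTO_TCP and p.dport == FTP_FETCH_PORT
            and p.flags & (TCP_SYN | TCP_ACK) == TCP_SYN)


def classify(raw: bytes) -> str:
    """Return the verdict a filter would apply to one raw IPv4+TCP packet."""
    p = parse_ipv4_tcp(raw)
    if is_dasher_scan(p):
        return "dasher-scan"
    if is_dasher_ftp_fetch(p):
        return "dasher-ftp-fetch"
    return "allow"


def build_packet(src_ip: str, dst_ip: str, ipid: int, ttl: int,
                 sport: int, dport: int, flags: int) -> bytes:
    """Constructed IPv4+TCP header pair for testing (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ipid, 0, ttl, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags,
                      8192, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    # Constructed samples: a Dasher.C probe six hops out, and an ordinary web request.
    for raw in (build_packet("10.0.0.5", "10.0.0.9", 256, 114, 6000, 445, TCP_SYN),
                build_packet("10.0.0.5", "10.0.0.9", 4321, 64, 6000, 80, TCP_SYN)):
        print(classify(raw))
```

Matching on the IP ID and TTL window in addition to the ports keeps the rule from catching legitimate clients that happen to use ephemeral port 6000; a pure port-based block, as in the firewall advice above, is the simpler choice when you only need to stop the worm rather than identify it.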
An additional note: As some people have noted, there are some problems with certain posts for viewing the archives and the comments. Please note that Typepad had a catastrophic failure yesterday (Friday) and lost some parts of the database. I am rebuilding the database when I encounter these errors, which should remedy the problem. Thanks for your understanding.
December 17, 2005 in dasher | Permalink