List:       snort-sigs
Subject:    [Snort-sigs] MS05-039 and Zotob worm
From:       Nigel Houghton <nigel () sourcefire ! com>
Date:       2005-08-14 23:30:08
Message-ID: 20050814233008.GB1203 () sourcefire ! com

The Sourcefire Vulnerability Research Team (VRT) has received reports of
a new worm variant, known as Zotob, that makes use of the Plug-and-Play
(PnP) vulnerability (MS05-039) to propagate. The worm uses exploit code
that targets the PnP issue via port 445 and, upon successful exploitation,
it then uses FTP to transfer data from the infecting machine. The newly
infected machine then becomes an FTP server itself and begins scanning
for other vulnerable hosts to infect.

The VRT released rules on August 12th, 2005 that detect all attempts to
exploit this vulnerability. These rules are identified as sids 3828
through 4125. The Zotob worm will alert on SID 3999. Inline users may
wish to set this rule to 'drop' for added protection.

In addition, a patch for this vulnerability is available at
http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx.

Download Rules:
These rules will be available to subscribers only until August 17th, 2005.
Subscribers can download the rules at http://www.snort.org/pub-bin/downloads.cgi.

If you would like to purchase a subscription, please visit
http://www.snort.org/rules/why_subscribe.html, contact Dale Reynolds at
(703) 462-2639 or send email to snort-sub@sourcefire.com.

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team
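
One way to script the suggestion above of setting SID 3999 to 'drop' on an inline sensor. This is an added example, not part of the original message and not Sourcefire code. The function names are hypothetical, and the rule bodies in SAMPLE are constructed placeholders, not the VRT rules.

```python
import re

# Rule header actions Snort accepts; drop/reject/sdrop only take effect inline.
ACTIONS = ("alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop")
RULE_RE = re.compile(r"^(\s*)(%s)(\s+.*)$" % "|".join(ACTIONS), re.S)
SID_RE = re.compile(r"[;(]\s*sid\s*:\s*(\d+)\s*;")


def logical_rules(text):
    """Yield rules with backslash-continued lines joined, keeping the raw text."""
    buf = []
    for line in text.splitlines(keepends=True):
        buf.append(line)
        if not line.rstrip("\r\n").rstrip().endswith("\\"):
            yield "".join(buf)
            buf = []
    if buf:
        yield "".join(buf)


def set_action(text, sids, action="drop"):
    """Return (new_text, changed, disabled); disabled = SIDs found only commented out."""
    wanted, out, changed, disabled = set(sids), [], [], []
    for rule in logical_rules(text):
        m_sid = SID_RE.search(rule)
        sid = int(m_sid.group(1)) if m_sid else None
        m_rule = RULE_RE.match(rule)
        if sid in wanted and m_rule:
            if m_rule.group(2) != action:
                rule = m_rule.group(1) + action + m_rule.group(3)
                changed.append(sid)
        elif sid in wanted and rule.lstrip().startswith("#"):
            disabled.append(sid)  # left untouched: a disabled rule cannot drop
        out.append(rule)
    return "".join(out), changed, disabled


# Constructed sample file: placeholder rules, not the VRT rule bodies.
SAMPLE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed placeholder A"; \\\n'
    '    flow:to_server,established; sid:3999; rev:1;)\n'
    '# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed placeholder B"; sid:3828; rev:1;)\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"constructed placeholder C"; sid:4125; rev:1;)\n'
)

if __name__ == "__main__":
    print(*set_action(SAMPLE, [3999, 3828]), sep="\n")
```

The `disabled` list matters after a rules update: a requested SID that is commented out in the file will neither alert nor drop until it is re-enabled.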


