Month: November 2008

ThreatIndex Unchanged at 1: MS08-067

Symantec has raised their ThreatCon to 2, citing: The ThreatCon is at level 2. Symantec Threat Management System sensors are observing a dramatic rise in IPs attacking TCP port 445. This activity is corroborated by activity on our honeypot systems. Currently this activity appears to […]


Rogue DNS Servers on the Move

Based on our internal malcode analysis, we have been able to identify netblocks of “rogue” DNS servers. These servers seem to hand out the correct answer for proper queries, but for typos they hand out a DNS server that *may* be malicious, it’s not clear […]


Inside an RFI Botnet

It all began innocently enough; I have been analyzing Apache logs for a while now, and when I spotted an RFI bot that was named “ddos.txt”, you know I had to look. After downloading it and analyzing it, I joined the channel with a copy […]


US Government Moves Fast on DNSsec

I honestly didn’t think I would live to see it, and this interview with Mockapetris about DNSsec adoption didn’t help. $ dig +dnssec president.gov ; <<>> DiG 9.3.5-P1 <<>> +dnssec president.gov ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: […]


When Hijacking the Internet….

Earlier this week AS16735 (Companhia de Telecomunicacoes do Brasil Central – CTBC) of Brazil had a bit of a routing snafu that resulted in their [apparent] accidental attempt to hijack a large number of prefixes spread across the whole of the Internet routing address space. […]
